If you receive a subpoena, discovery request, or even a court order demanding the release or production of documents or files that may contain protected health information (PHI), are you obligated to comply? The surprising answer, in many cases, is “no”. Even more surprising may be the fact that, in attempting to comply with what appears to be a valid legal document, you may actually be violating federal law.
HIPAA regulations require, first and foremost, that covered entities, business associates, and their subcontractors protect the privacy and security of PHI they create, receive, maintain, or transmit. HIPAA regulations permit disclosure of PHI only under very specific circumstances, one of which is disclosure for judicial and administrative procedures. Yet even this specific “judicial and administrative procedures” circumstance contains limits and, notably, permits, but does not require, the disclosure. While other HIPAA regulations require disclosure under specific circumstances, the regulations specific to “judicial and administrative procedures” allow, but do not mandate, the disclosure. Recent inquiries about litigation matters that involve subpoenas, court orders, and PHI prompted me to list a few reasons to step back and carefully consider your HIPAA obligations before responding.
- Does the demand or request require you to redact PHI from your response? If so, be sure not only to remove all obvious individual identifiers, but also to review 45 C.F.R. 164.514 to make certain you have completely de-identified the information (beware, for example, of failing to remove geographic identifiers, such as the city in which the individual resides).
- If the demand or request is contained in a court order, can you limit the disclosure to only the information authorized in the order? Do not produce documents or files in response to an order of a court or administrative tribunal if the production might result in the release of PHI that is not specifically identified in the order.
- Evaluate the demand or request to ascertain if the PHI demanded or requested is the “minimum necessary” to meet the purpose. Do not produce documents or files in response to an order of a court or administrative tribunal if the production might result in the release of PHI that is in excess of what may be deemed to be “minimally necessary” under HIPAA to achieve the purposes of the subpoena, discovery request, or court order.
- If the demand or request is contained in a subpoena or discovery request, you cannot disclose PHI until you receive required assurances. Bear in mind that you “may” disclose PHI in response to a subpoena or discovery request, but only after receiving satisfactory assurances that the individuals affected have been contacted or that a qualified protective order has been sought.
Don’t be intimidated by an official-looking legal document or assume that because it demands information in connection with litigation (whether you are a party to the litigation or not), you can ignore your responsibility to protect and secure PHI under HIPAA. Remember that the lawyer who drafted (or sent you) that subpoena, discovery request, or court order is not responsible for your HIPAA compliance.