
White-Collar Defense and Health Care Alert, December 2018
The Pitfalls of Responding to Health Record Subpoenas

December 13, 2018
Client Alert
Responding to a subpoena duces tecum (i.e., a request for documents) from the government or from a civil litigant can be challenging for health care providers. Responsive records could expose the health care provider to civil liability or criminal charges, a cause for great concern. That anxiety is amplified by numerous regulations governing how a health care provider may respond to a subpoena; failure to properly respond to such subpoenas could expose the entity to fines and other significant sanctions.

In light of these risks, health care providers should exercise caution in releasing records and identifying which records should be released. Health care providers should also be mindful of the following four common pitfalls when responding to a subpoena:

Pitfall 1: Failing to evaluate the validity of the subpoena

The government and civil litigants must adhere to administrative and procedural requirements when issuing subpoenas in order for the subpoenas to be valid. For example, state or federal law may specify how to serve the subpoena or impose a notice requirement, which obligates the issuing party to notify other parties that they intend to issue a subpoena and wait for objections. Further, subpoenas are generally subject to jurisdictional limitations and are not enforceable across state lines without clearing additional procedural hurdles. Failure to comply with these administrative and procedural requirements can invalidate subpoenas, even if they appear facially valid. A health care provider’s ability to challenge a subpoena varies significantly depending on whether the subpoena is criminal or civil in nature, with criminal subpoenas typically being more difficult to quash.

Federal administrative requirements established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) vary depending on whether the subpoena was issued by a judge, a court clerk or an attorney. For instance, criminal subpoenas are generally issued by the court, and, because they are consequently court orders, HIPAA permits the production of documents. On the other hand, civil subpoenas are generally issued by the clerk or an attorney, so HIPAA incorporates various precautionary steps before a provider may produce protected health information.

Nonetheless, health care providers should not ignore a subpoena even if it fails to comply with applicable requirements. If the subpoena is accompanied by an authorization issued pursuant to HIPAA, health care providers may have an obligation to produce records in accordance with the authorization, regardless of whether the subpoena itself is valid.

Pitfall 2: Producing too many documents

After confirming the subpoena is valid, the health care provider should think strategically about its response to the subpoena. The records custodian’s instinct may be to produce any and every record potentially sought in a criminal subpoena. However, this instinct could prove detrimental, as nonresponsive documents could subject the health care provider to additional exposure and expand the scope of the government’s inquiry. With criminal subpoenas, the provider should evaluate whether the request for documents can be reduced on grounds of privilege, ambiguity, being overly broad in scope, being unduly burdensome or being based upon constitutional protections (especially under the First, Fourth, and Fifth Amendments). In the federal system and even in many state systems of criminal justice, prosecutors will convene a grand jury to investigate whether there is sufficient evidence to bring charges. The investigative power of a grand jury is extremely broad and may be based on the mere suspicion that the law is being violated. With these broad powers, mounting effective legal challenges to grand jury subpoenas can be a daunting, yet critically important, task, to be undertaken only by experienced defense counsel. Therefore, when responding to a criminal subpoena, health care providers should exercise extra caution or risk additional exposure.

For civil subpoenas, the provider should evaluate whether the request for documents is overly broad and object accordingly. For example, perhaps the subpoena seeks records of individuals not involved in the litigation or imposes a significant burden on a nonparty witness (including the health care provider itself, if not a party to the litigation). The provider may also object if the subpoena does not allow sufficient time to reply, seeks irrelevant evidence, requires the disclosure of trade secrets or confidential business information, or contains vague or ambiguous document requests. Objections may also be based on privilege, including the peer review privilege, Quality Assessment and Assurance Committee privilege, and privileges established by the Patient Safety and Quality Improvement Act. When deciding what documents are responsive to a civil subpoena, health care providers should be vigilant in preserving their privileges and asserting their objections.

For both criminal and civil subpoenas, HIPAA’s minimum necessary rule further limits the scope of documents that can be provided in response to a subpoena. The minimum necessary rule requires that health care providers take reasonable steps to limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose. The rule accordingly requires health care providers to tailor their subpoena response to the minimum necessary to accomplish the intended purpose, unless the disclosure is made pursuant to the individual’s own authorization or another limited exception. So, when responding to both criminal and civil subpoenas, health care providers should still ensure that their proposed production complies with HIPAA.

Pitfall 3: Forgetting about state health information privacy laws

Health care providers should know and understand state privacy laws and ensure that their proposed production is compliant. Savvy records custodians may be familiar with HIPAA’s guidance for subpoenas, from its authorization standards to its requirement to obtain satisfactory assurances from the party seeking information under a subpoena to its additional protections for psychotherapy notes. All too often, however, state health information privacy laws are neglected. Many states have “super-confidentiality” laws that provide additional protections for certain categories of information, such as information about alcohol or substance abuse, cancer, genetic testing, sexually transmitted diseases and mental health.

The Pennsylvania Mental Health Procedures Act, for example, prohibits the release of mental health records in response to a subpoena or other discovery request. The Act requires an additional court order before records may be released. So, health care providers must be familiar with their state privacy laws and ensure that their proposed production is compliant.

Pitfall 4: Failing to distribute the subpoena to risk management and others who need to know

A subpoena is often a warning of oncoming litigation against a health care provider, so it must be reviewed by the appropriate persons. A record request – whether made through the health care provider’s standard records processes or through a subpoena – is often the provider’s initial notice that it may be sued or charged with a criminal offense. If the circumstances suggest that the records may be used in a criminal inquiry or civil litigation, the subpoena and proposed response should be reviewed by risk management, the general counsel and other appropriate teams. This is particularly important for government-issued subpoenas that may lead to criminal charges. Therefore, subpoenas must be distributed to the appropriate persons, who can analyze the risk of potential litigation.

Although subpoenas are always associated with litigation or an investigation and should be sent to the relevant team leaders, it may be more difficult to know whether a routine record request should be circulated to other teams. To assess whether other requests may lead to litigation, the recipient should consider whether a lawyer or a government representative submitted the request or is the intended recipient, whether the patient experienced a negative treatment outcome, and whether the disclosed purpose of the request on the paperwork is related to litigation. When in doubt, routine record requests should be escalated to the relevant team leaders.

While subpoenas can appear to be routine document requests, health care providers must remain vigilant and work diligently to avoid these four common pitfalls. If a health care provider carelessly answers a subpoena, it could subject itself to criminal and/or civil liability. Therefore, health care providers must be strategic when responding to these inquiries and engage legal counsel if necessary.

Information contained in this publication should not be construed as legal advice or opinion or as a substitute for the advice of counsel. The articles by these authors may have first appeared in other publications. The content provided is for educational and informational purposes for the use of clients and others who may be interested in the subject matter. We recommend that readers seek specific advice from counsel about particular matters of interest. 

Copyright © 2018 Stradley Ronon Stevens & Young, LLP. All rights reserved.
