Publisher: Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter
July 21, 2025

You've Been Served: Key Considerations for Healthcare Providers When Responding to a Subpoena

For healthcare providers, receiving a subpoena can raise immediate concerns about patient privacy and legal risk. A subpoena is a formal legal demand for information, testimony, or documents, which often involves requests for protected health information (PHI) in the healthcare context. Healthcare providers who respond to a subpoena without a full understanding of their obligations under the Health Insurance Portability and Accountability Act ("HIPAA") and related state and federal privacy laws may face serious consequences, including civil penalties and reputational harm. Notably, Connecticut case law recognizes a common law duty to safeguard patient confidentiality and holds that healthcare providers may be liable under state law for negligence or breach of confidentiality if they do not comply with HIPAA’s safeguards when responding to subpoenas.1 This article provides a checklist of the key legal and practical considerations healthcare providers must evaluate when served with a subpoena.

  • Don’t Ignore It. The most important things to do if served with a subpoena are to not ignore it and to act promptly. Alert all need-to-know employees of the subpoena, and consider engaging legal counsel to evaluate applicable legal considerations and walk you through the available options for responding.
  • Determine the Validity of the Subpoena. Consult with legal counsel to determine the authority of the subpoena and consider whether there are grounds for objection based on service or jurisdictional issues (e.g., out-of-state subpoenas for records). 
  • Understand What the Subpoena Is Requesting. The two types of subpoenas make different requests: (1) a request that a person testify before a court or other legal authority ("subpoena ad testificandum") and (2) a request that a person or entity produce documents or records ("subpoena duces tecum"). Understanding what is being requested of you and the deadline for compliance is crucial. 
  • Preserve Potentially Responsive Materials. With respect to a subpoena requesting the production of documents or records, all potentially responsive documents must be identified, collected, and preserved. Consider issuing a written litigation hold to ensure that employees preserve all potentially responsive documents.
  • Consider Applicable Confidentiality and Privacy Requirements. 
    • HIPAA. Even when a subpoena appears to be facially valid, healthcare providers must consider whether the disclosure requirements under HIPAA have been satisfied under the circumstances. 
      • Subpoenas vs. Court Orders. 
        • Court Orders. Healthcare providers may disclose patient PHI in accordance with a court order (including the order of an administrative tribunal, like a state department of health). However, the disclosure must be limited to the information specifically described in the court order.
        • Subpoenas. Importantly, HIPAA treats a subpoena (or other discovery request) issued by someone other than a judge (e.g., an attorney) that is not accompanied by a court order differently. Specifically, healthcare providers may disclose PHI in response to such a subpoena only if the provider receives written evidence that reasonable efforts were made to:
          • notify the person who is the subject of the PHI requested, allowing the individual an opportunity to object to the disclosure before the deadline for raising objections, and no such objections were filed, or any objections filed have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution; or
          • secure a qualified protective order for the PHI sought from the court. A qualified protective order is an order of the court or administrative tribunal that prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such PHI was requested and requires the return or destruction of the PHI at the end of the litigation or proceeding.
      • Patient Authorizations. Typically, given the above complexities, the most efficient process for handling subpoenas requesting PHI is to obtain a valid, signed HIPAA authorization from the patient whose information is the subject of the request.
      • Law Enforcement Requests. Note that HIPAA permits the disclosure of PHI to law enforcement officials if specific requirements, as set forth in the HIPAA Privacy Rule, are satisfied. Consult with counsel if you receive an administrative request from law enforcement to determine whether disclosure is permissible under HIPAA.
      • Minimum Necessary. Even when the disclosure of PHI is permitted pursuant to a subpoena, healthcare providers must still comply with HIPAA’s "minimum necessary" rule, ensuring that only the information reasonably required to fulfill the request is disclosed—not the entire patient record.
    • Specific Authorization Required for Sensitive Records. Even if disclosure is permitted under HIPAA, consider whether another state or federal law prohibits disclosure or requires specific patient authorization or a specific court order. For example, do the records requested contain any of the following sensitive information, which may require specific patient authorization or a specific court order?
      • Mental health records
      • Substance use disorder records
      • HIV/AIDS information
      • Genetic information
      • Reproductive health information
      • Child abuse records and reports

Day Pitney’s Healthcare practice guides healthcare providers through the complex process of responding to subpoenas. Our team understands the various federal and state privacy laws that govern the disclosure of PHI, and we work closely with clients to assess the validity of subpoenas and ensure compliance with applicable laws. If you are seeking strategic and practical counsel to assist with responding to subpoenas, please contact one of our Healthcare practice team members.


1 See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (2014).

Authors

Stephanie M. Gomes-Ganhão
Associate
Hartford, CT
(860) 275-0193
