Hospitals and health care facilities, medical and other group practices, and individual clinicians regularly receive requests for patient records and information. It is often confusing for providers to determine when and under what circumstances they are permitted to disclose such records. Discovering parties can use the legal process to compel a response but cannot necessarily override applicable state privacy, confidentiality and privilege laws, as well as privacy rights under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), with a subpoena alone. HIPAA establishes minimum standards for the protection of protected health information (“PHI”) that do not preempt more protective state privacy laws and privileges. The following provides a brief overview on the differences between a court order, a subpoena, and an authorization for Massachusetts providers.
Mass. R. Civ. P. 45 allows parties in civil lawsuits to subpoena records from non-parties. These subpoenas are often called keeper of records, or KOR, subpoenas. They are also sometimes referred to as a subpoena duces tecum.
Parties receiving a subpoena must respond to the subpoena within a certain referenced time frame. However, as a general rule, medical records should not be automatically produced in response to a subpoena, without first confirming if there is sufficient authority to release the PHI under both Massachusetts law and HIPAA. Such authority could be (i) under statutory authority on the subpoena alone if certain conditions are met, or (ii) with an executed HIPAA compliant patient authorization, or (ii) upon the issuance of a proper court order.
Subpoenas are not court orders. Subpoenas are issued by attorneys to obtain documents. Attorneys do not need a court’s permission to issue a subpoena. Medical providers can mistake subpoenas for court orders given that subpoenas are often served by a sheriff or constable, are notarized and look like an official court document. Thus, while a timely response must be sent back by the provider to the discovering party, that response may have to be in the form of an objection letter seeking the additional needed authority to disclose the PHI.
Massachusetts licensed hospitals and clinics (but not unlicensed practices) may produce medical records in response to a subpoena alone pursuant to G. L. c 111, § 70, but only if the patient is a named party in the case.
Similarly, under HIPAA’s privacy rule, 45 CFR 164.512(e)(1)(ii), a covered entity that is not a party to the litigation may disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives certain satisfactory assurances from the party seeking the information. Specifically, the covered entity must receive a written statement and accompanying documentation that the requesting party has made reasonable efforts either (1) to ensure that the individual who is the subject of the information has been given sufficient notice of the request, or (2) to secure a qualified protective order.
Thus, when viewing G. L. 111, § 70 in combination with 45 CFR 164.512(e)(1)(ii), a hospital or clinic may release confidential medical records in response to a subpoena alone if the patient is named in the caption and the provider receives assurance that the patient has been given notice that the records have been requested and has not objected. However, G. L. 111, § 70 only applies to hospitals or clinics licensed by the Massachusetts Department of Public Health. Therefore, medical practices and other groups may not release PHI in response to a subpoena without first securing a HIPAA compliant authorization from the patient, or a proper judicial order.
Additionally Protected Information
HIPAA provides a minimum level of protection for the disclosure and protection of an individual’s PHI. However, HIPAA expressly permits states to enact laws and regulations that provide more safeguards for the protection of patient information and records
Massachusetts has several statutes that provide additional protections for certain health information. For example:
- General Laws c. 112, § 135B provides for the confidentiality of patient/social worker communications. Pursuant to G. L. c. 112, § 135B, social worker communications and records are privileged and may only be disclosed under certain circumstances.
- General Laws c. 233, § 20B provides for the confidentiality of patient/psychotherapist communications. Pursuant to G. L. c. 233, § 20B, psychotherapist communications and records are privileged and may only be disclosed under certain circumstances.
- General Laws c. 111, § 70F provides for the confidentiality of a patient’s HIV testing records. Pursuant to G. L. c. 111, § 70F, HIV testing records may only be disclosed with a patient’s express consent.
- General Laws c. 233, § 20J provides for the confidentiality of sexual assault counselor communications. Pursuant to G. L. c. 233, § 20J, sexual assault counselor communications are privileged and may only be disclosed under certain circumstances.
These are only some examples of Massachusetts statutes that provide additional protection to certain medical records. There are other additionally protected categories of information under both federal and state law for substance treatment records, alcohol blood test results and minor records, to name others.
If a patient signs a HIPAA-compliant written authorization, a medical provider may release protected health information, as well as additionally protected areas that are explicitly referenced and designated by the patient for release. A HIPAA-compliant authorization form must include the following elements:
- A description of the information to be disclosed;
- The name of the individual or the name of the person authorized to make the requested disclosure;
- The name or other identification of the recipient of the information;
- A description of each purpose of the disclosure;
- An expiration date or an expiration event that relates to the individual;
- A signature of the individual or their personal representative (someone authorized to make health care decisions on behalf of the individual) and the date.
A disclosure for the release of additionally protected information should specifically state which additionally protected records are to be released.
A court order is a mandate issued by a court, a judge, magistrate or a clerk of the court requiring or forbidding someone to do something pursuant to the order. If privileged, additionally protected information is contained in the medical record, in lieu of an authorization, the court order is to be reviewed carefully and only that information which it orders produced is to be produced. It is not necessary to explain that other documents are not being produced in response to a court order if you are following the terms of the order. The judicial order must specify the type of record that is ordered to be released.
Medical providers should adopt health information policies and protocols to follow when a subpoena is served seeking production of a patient’s medical records. Navigating the requirements for the protection of PHI and the authorized release of PHI is difficult and complex. Pierce & Mandell’s health law attorneys have extensive experiencing advising medical providers on HIPAA compliance issues and medical record issues.