News & Resources What do you mean I can’t get the records with a subpoena?: Responding to Demands for Protected Health Information

March 25, 2014

Healthcare providers frequently receive requests from attorneys, government agencies or law enforcement officers demanding the production of protected health information (PHI) about the providers’ patients.   Since few people outside of the healthcare industry appreciate the complexity of HIPAA and the other laws protecting patient information, an attorney or government official seeking information may not be familiar with these laws and may unintentionally mislead or pressure a provider with inaccurate representations about what the law requires.  For instance, an attorney may not understand that since the implementation of HIPAA in 2003, a subpoena alone is generally not sufficient to compel the release of PHI.  Healthcare providers must be vigilant in protecting their patients’ information and should not yield to uninformed demands without first satisfying themselves that disclosure of the information is appropriate.

As a general rule of thumb, HIPAA provides in part that healthcare providers may not release PHI upon a demand by a government agency or an attorney (even the patient’s attorney) without obtaining either (1) a HIPAA-compliant authorization signed by the patient or the patient’s representative, or (2) a court order.   However, there are many exceptions to this rule, such as disclosures for treatment, payment and healthcare operations, reporting certain types of injuries to law enforcement, disclosing information pursuant to a subpoena issued by a “judicial officer,” and reporting abuse and neglect to an appropriate government agency.  See 45 CFR § 164.512(d) and (f).  Even if HIPAA allows disclosure of the information, there may be other federal laws that would prevent it, such as 42 C.F.R. Part 2, which affords additional protections to certain patients’ drug and alcohol abuse records.   State laws also give legal protection to privileged information obtained through a provider-patient relationship (e.g. the traditional physician-patient privilege, N.C.G.S. § 8-53; counselor-client privilege, N.C.G.S. § 8-53.8; etc.) and to confidential information obtained by providers whose primary purpose is to provide services for the care, treatment, and rehabilitation of the mentally ill, developmentally disabled or substance abusers.  See N.C.G.S. § 122C-52.

A healthcare provider risks contempt of court if it simply ignores a subpoena, even if the law does not allow for the disclosure of the documents.  Thus, the provider must work out an agreement with the applicant for the subpoena to obtain a court order or patient authorization, or it should file a formal objection to the subpoena.  Legal counsel can help providers develop general procedures for the disclosure of PHI, provide guidance concerning the various state and federal laws when unusual situations arise, and file court documents when necessary to protect the provider’s rights.   Not only is it a provider’s legal and ethical obligation to protect its patient’s information, but it is also good business sense and public policy to ensure protected information is only disclosed as allowed by law.

For more information regarding HIPAA, please contact Marshall Gallop at

Disclaimer:  This article is provided for informational purposes only and does not create an attorney-client relationship between you and BWSW.  The content does not and is not intended to constitute specific legal advice as the facts relating to every situation are different, and you should not act or refrain from acting based upon information provided in this material without first consulting your legal counsel.