Responding to Subpoenas for Confidential Medical Records or

Moore/May 2013 Page 1

Responding to Subpoenas for Confidential Medical Records or Information:

Guidelines for North Carolina Local Health Departments

Jill Moore

UNC School of Government

Part 1. Introduction: Subpoenas for confidential medical information

A subpoena is a form of court order that directs the person named in the subpoena to appear

at a designated time and place to testify, to produce documents, or both.

A health department that receives a subpoena for confidential medical information or records

must not ignore the subpoena—a response is usually required.

However, the appropriate

response is not to immediately release records or otherwise disclose confidential information.

The HIPAA Privacy Rule imposes conditions that must be met before protected health

information (PHI) may be disclosed in response to a subpoena. In addition, the information may

be privileged under state law, in which case it may not be disclosed without either the patient’s

permission or a court order.

Part 2 of this document outlines the provisions of HIPAA and North Carolina law that restrict

the disclosure of health information in response to a subpoena. Part 3 puts HIPAA and state law

together to explain how a health department may respond to a subpoena for confidential

health information in a manner that complies with both HIPAA and state law. Part 4 provides a

link to a document that examines all of these issues in greater detail.

Part 2. Summary of relevant laws

HIPAA Privacy Rule

The HIPAA Privacy Rule governs when a local health department may disclose PHI. It allows

disclosure of PHI in response to a subpoena in the following circumstances:

• The information may be disclosed if the subpoena is accompanied by a proper written

authorization. The authorization form must include all of the elements described in

Sometimes a response is not required because the subpoena was improperly served or was issued by a court that

does not have jurisdiction over the health department. However, health department staff should assume a

response is required unless they are advised otherwise by the department’s attorney.

Moore/May 2013 Page 2

HIPAA’s authorization rule.

The form must be signed by the appropriate person, which

may be the patient himself, or may be the patient’s personal representative (if, for

example, the patient is a child or an incapacitated adult).

o Practice tip: If a subpoena is accompanied by an authorization or other

document labeled “release” or “waiver” or something similar, the document

should be examined carefully by a staff member who is familiar with HIPAA’s

authorization requirements before any PHI is disclosed. Some of the elements of

an authorization form that is valid under HIPAA are not intuitive and may be left

out of a form prepared by a person (even an attorney) who is unaccustomed to

working with HIPAA.

• The information may be disclosed without the individual’s authorization if it is

accompanied by a court order for the information.

• The information may be disclosed without the individual’s authorization or a court order

if either of the following two conditions is satisfied:

o Written notice that the information has been subpoenaed is given to the

individual who is the subject of the PHI. The covered entity may give notice to the

individual itself, but it need not do so if it receives satisfactory assurance from

the party requesting the PHI that notice has been given.

o A qualified protective order is obtained from a court.

The health department

may obtain a qualified protective order itself, but it need not do so if it receives

satisfactory assurance from the party requesting the PHI that it has made

reasonable efforts to obtain a qualified protective order.

45 CFR 164.508.

45 CFR 164.512(e)(1)(i).

45 CFR 164.512(e)(1)(ii)(A). To constitute “satisfactory assurance,” the party requesting the information should

give the health department a written statement and supporting documentation demonstrating: (1) that the party

requesting the information has made a good faith effort to provide written notice to the individual; (2) that the

notice included sufficient information about the litigation or proceeding to permit the individual to raise an

objection with the court; and (3) that the time for the individual to raise objections has elapsed and either no

objections were filed, or all objections that were filed have been resolved by the court and the disclosures sought

are consistent with such resolution. 45 CFR 164.512(e)(iii).

45 CFR 164.512(e)(1)(ii)(B). A “qualified protective order” is either a court order or a stipulation by the parties to

the proceeding that: (1) prohibits the parties from using or disclosing the PHI for any purpose other than the

proceeding for which it was requested, and (2) requires that the information and any copies made of it be returned

to the covered entity that disclosed it or be destroyed at the end of the proceeding.

In this case, to constitute “satisfactory assurance,” the party requesting the PHI must provide the health

department with a written statement and supporting documentation demonstrating either of the following: (1)

that the parties to the dispute have agreed to a qualified protective order and have presented it to the court, or (2)

that the party seeking the PHI has requested a qualified protective order from the court. 45 CFR 164.512(e)(iv).

Moore/May 2013 Page 3

North Carolina law

Privilege laws. Information acquired by health care providers in the course of treating patients

is usually privileged, which means that in most cases the health care provider may not testify in

court proceedings or provide patient records for court proceedings, unless the patient

authorizes the disclosure or a judge orders the disclosure. Privilege laws that may apply to

health department information include:

• GS 8-53, the physician-patient privilege. This privilege applies not only to physicians, but

also to others who work under their direction.

• G.S. 8-53.13, the nurse-patient privilege. A nurse working under the direction of a

physician likely is covered by the physician-patient privilege. This law provides that

nurses also have a privileged relationship with patients when they are working within

their scope of practice but not under the direction of a physician.

• North Carolina also has privilege laws for psychologists, counselors, and certain other

parties. See GS 8-53.2 through 8-53.12.

Health department confidentiality law. G.S. 130A-12 provides that health department records

are confidential if they contain privileged medical information, information protected by the

HIPAA Privacy Rule, or information collected pursuant to the childhood lead program. This law

does not specifically address subpoenas but it allows disclosures of information that are

authorized or required by other federal or state laws, which includes disclosures pursuant to

subpoenas.

Communicable disease confidentiality law. A North Carolina law (G.S. 130A-143) provides

heightened protection for information and records that identify an individual who has or may

have a reportable communicable disease or condition. The law allows this information to be

released pursuant to a subpoena or court order, but also requires that the individual who is the

subject of the information be given the opportunity to request in camera review of the

information (that is, private review of the information by the judge before it is released).

Part 3. Responding to subpoenas, taking HIPAA and state law into account

Summary of response options

When a health department receives a subpoena for confidential health information, it has three

basic options for how to respond:

• Ask the department’s attorney to formally challenge the subpoena. The attorney may

file a motion to quash the subpoena, or to modify the subpoena.

Moore/May 2013 Page 4

• Ask the department’s attorney to informally request that the party who issued the

subpoena excuse the department from the subpoena’s requirements.

• Comply with the subpoena by appearing at the place and time designated in the

subpoena along with any records requested by the subpoena. However, the person who

appears should not testify about confidential health information or release confidential

records until the provisions of both HIPAA and state law have been satisfied. Both

HIPAA and state law are satisfied by either of the following:

o An order from a judge, directing the person to testify or release the records.

o A written, HIPAA-compliant authorization for disclosure of the information.

Practice tips for complying with a subpoena

• Know what a subpoena is. A subpoena is a document that directs a person to appear at

a particular place and time to testify, produce records, or both.

• Know what it means to comply. A person named in a subpoena complies by appearing at

the designated place and time. If the subpoena was for testimony, the person should be

prepared to testify. If the subpoena was for documents, the person should have the

documents and be prepared to produce them.

• Do not release confidential health information on the basis of the subpoena alone.

Because health information that is subpoenaed usually is both PHI under HIPAA and

privileged under state law, a person should not give testimony about the information or

release the records unless the judge orders disclosure or a proper written authorization

for disclosure is provided.

• Know what to say if the information requested identifies a person who has or may have

a reportable communicable disease. The individual who is the subject of this type of

information should be given the opportunity to ask the judge to review the information

in camera before it is released (GS 130A-143(6)). Do not assume the attorney who

requests the information or the judge presiding in the proceeding knows this. Tell them.

• Inform the attorney who issued the subpoena about the constraints on release of the

information. Although no law requires it, it is always a good idea to notify a party who

subpoenas confidential health information that is protected by confidentiality laws that

prohibit its release without a court order or the patient’s authorization. No one likes to

be surprised by this information during a proceeding. If the attorney is informed in

advance, he or she can decide whether to seek a court order in advance, seek the

individual’s authorization for disclosure, withdraw the subpoena, or take other

appropriate action.

• If you use the “mail-in” procedure for records that are subpoenaed, follow the HIPAA

procedures for notifying the individual, obtaining a qualified protective order for the

information, or obtaining satisfactory assurance that the requesting party has taken one

Moore/May 2013 Page 5

of those actions. Some courts permit health departments to respond to a subpoena that

is for records only by submitting certified copies of the records to the clerk of court at

any time before the date specified in the subpoena. The usual practice is to seal the

documents in an envelope and attach a letter identifying the case for which the

documents have been requested and noting that the documents are privileged and

must not be disclosed without a court order. If the court permits this procedure and the

health department wishes to use it, the department must comply with HIPAA’s

requirements for giving notice, obtaining a qualified protective order, or obtaining

satisfactory assurance that the requesting party has taken one of those actions. See

the summary of these requirements in Section II of this document.

• Have a written policy for responding to subpoenas. A health department should

anticipate that it will receive subpoenas for confidential health department from time to

time and should have a policy for responding to them in a manner that ensures

compliance with both HIPAA and state law. Ideally, the department’s attorney should

review and approve the policy.

Part 4. Resource for additional information

The following document is available for free on the Internet and is highly recommended for

health department employees who are responsible for responding to subpoenas (or simply

want to know more about them):

John Rubin & Aimee Wall, Responding to Subpoenas for Health Department Records,

SOG Health Law Bulletin No. 82 (September 2005), available at

http://www.sog.unc.edu/pubs/electronicversions/pdfs/hlb82.pdf.