Corporate Compliance

Patient privacy rights

Compliance Monitor, July 20, 2007

Q: A patient is suing us for violating her privacy rights because her husband's attorney subpoenaed her records. Is it a privacy violation to release her records pursuant to a subpoena?

A: Under HIPAA, you must obtain assurance from the attorney issuing the subpoena that he or she gave notice of the request to the person whose records were subpoenaed. In other words, the attorney needs to notify the patient. Some cases come with "automatic" proof of assurance. For example, the individual knows his or her records have been subpoenaed if:

  • His or her signed authorization accompanies the subpoena
  • He or she is a party to the suit (Smith vs. Jones)

If the subpoena did not come with an authorization and the patient is not a party to the suit, you need to obtain assurance from the party seeking the information. An acceptable assurance will show that the party has made reasonable efforts to:

  1. Secure a qualified protective order
  2. Give notice to the person whose records are being subpoenaed

If the attorney gave notice, the attorney must state this in writing and provide documentation showing all of the following:

  1. He or she made a good faith attempt to provide written notice to the individual. If the individual's location is unknown, the attorney should mail a notice to her last known address.
  2. The notice included enough information about the lawsuit to allow the individual to raise an objection with the court.
  3. The time for the individual to raise an objection has passed and there either weren't any objections or they were all resolved.

If you met these requirements, you did not violate the patient's privacy rights under HIPAA.

Editor's note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
