When You're Served a Subpoena, ISMIE Wants to Know
The Law According to HIPAA

Consider this scenario:

You've been served a subpoena requesting a patient's medical records. Of course you want to comply, but what exactly is your obligation under the Health Insurance Portability and Accountability Act (HIPAA)?

Answer:

You can either comply with the subpoena or file objections. If you choose to comply, you must have written patient authorization or a court order to provide the information pursuant to the subpoena. Be sure the authorization is documented on a HIPAA-compliant "Patient Disclo-sure of Information" form.

Another instance when you will need patient authorization is when insurance companies request patient medical records for underwriting purposes. Again, this should be provided on a HIPAA-compliant form.

On the other hand …

Cases when you do not need patients' written authorization to release medical records include:

• If you need to share patient records with another physician for treatment purposes.
• If the request is from a health plan with which you contract, and they need the information to process a claim.
• If you are served with a court order for medical records.
• If a state regulatory agency (such as the Illinois Department of Professional Regulation) requests patient medical records in the course of an investigation.
• If you've been contacted by a patient's insurance company or employer for patient medical records in association with a workers' compensation claim (in this case, only information related to the case may be disclosed).

Learn more about all areas of HIPAA compliance at www.ismie.com.

Need "Patient Disclosure of Information" forms?

You can access these, other HIPAA-compliant forms, and model policies and procedures documents at www.ismie.com/site/members/hipaa/hipaa-pp.html.