OCR Citation for Improper Disclosure of PHI in Response to a Subpoena
A health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal. this does not mean that a provider can simply release everything it has in a patient record when it receives a court order. Some records, such as mental health or substance abuse records might have special protections or limitations that apply. Additionally a provider should closely review the relevant order and only disclose the information that is specifically required by the order.
The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules. Patient information can only be provided under subpoena if certain notification requirements of the Privacy Rule are met. The notification requirements require the provider who received the subpoena to obtain evidence that there were reasonable efforts to notify the person who is the subject of the information about the request. This is intended to give the individual an opportunity to object to the disclosure, or obtain a protective order from the court.
The application of these rules are illustrated by a relatively recent OCR settlement involving a hospital that was accused of improperly disclosing PHI in response to a subpoena. The hospital apparently failed to determine that reasonable efforts had been made to notify that individual whose PHI was being sought under the subpoena. This had the effect of denying the individual the right to object or seek a protective order.
As part of the settlement with the Hospital, OCR required the hospital to revise its subpoena processing procedures. The new policies adopted by the offending hospital hold a lesson for all covered entities. If a subpoena does not meet the requirements of the Privacy Rule, policy should require the covered entity to reach out to the party who issued the subpoena to explain the notification requirements. Until those requirements are complied with, the information cannot be released.
Court Orders and Subpoenas – Release of Protected Health Information
Source: Health Law Blog