If you are subpoenaed, can you release protected health information under the HIPAA act?
Pharmacy records containing protected health information (PHI) often play a crucial role in a wide range of legal proceedings, from child custody and divorce to medical malpractice. Those in need of obtaining these records may seek them through a subpoena, other lawful process such as a notice of deposition, or an order of the court or administrative tribunal with jurisdiction over the proceeding.
The Health Insurance Portability & Accountability Act's privacy standards contain a number of requirements related to the disclosing of records containing PHI for purposes of legal proceedings. Before discussing these HIPAA requirements, it is important to note that they do not apply where the pharmacy is requested to produce records pursuant to a written authorization for release of the records that is signed by the patient.
HIPAA permits a covered entity to disclose PHI in the course of any judicial or administrative proceeding in response to an order of the court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by the order. HIPAA also permits a covered entity to disclose PHI in response to a subpoena or other lawful process that is not accompanied by an order of a court or administrative tribunalif the covered entity receives satisfactory assurance from the party seeking the PHI that reasonable efforts have been made to ensure that the patient has been given notice that the PHI is being requested or, in the alternative, that the party has made reasonable efforts to obtain a qualified protective order to protect the privacy of the PHI. Satisfactory assurance can be provided to a covered entity by a party seeking PHI through one of the following three options:
1. A written statement and accompanying documentation demonstrating that the requesting party has made a good-faith attempt to provide written notice to the patient or, if the patient's location is unknown, to mail the notice to the patient's last known address. The notice must include sufficient information about the legal proceeding to allow the patient to raise an objection before the court or administrative tribunal to the disclosure of the PHI. Further, the written statement must show that the time for the patient to object to the disclosure has passed and no objection was made or, if an objection was made, that the court or administrative tribunal has resolved the objection and the PHI being sought is consistent with such resolution.
2. A written statement and accompanying documentation that the parties to the legal proceeding have agreed to a qualified protective order and have presented it to the court or administrative tribunal.
3. A written statement and accompanying documentation that the party seeking the PHI has requested the court or other tribunal to issue a qualified protective order.
With the last two options, a qualified protective order means an order of a court or administrative tribunal, or a stipulation by the parties, that prohibits the parties from using or disclosing the records for any purpose other than the legal proceeding. Further, the qualified protective order must require that the records and all copies of the records be returned to the covered entity or be destroyed at the conclusion of the proceeding.
But a covered entity does not always have to receive satisfactory assurance before responding to a subpoena or other legal process. HIPAA permits a covered entity to disclose PHI without receiving satisfactory assurance if the covered entity itself makes reasonable efforts to provide notice to the patient (as described in option 1 above) or seeks a qualified protective order (as described in options 2 and 3 above).
Pharmacy records containing PHI also may be requested for law enforcement purposes and activities. HIPAA permits a covered entity to disclose records to a law enforcement official in compliance with, and as limited by, the relevant requirements of any of the following:
1. A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer.
2. A grand jury subpoena.
3. An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that the PHI sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope to the extent practicable in light of the purpose for which the PHI is sought, and de-identified PHI could not reasonably be used.
Before disclosing PHI pursuant to a subpoena or other lawful process, a pharmacy must ensure that the HIPAA requirements described above are fulfilled. If ever uncertain about disclosing PHI for a legal proceeding, seek counsel before you proceed.
Walter Fitzgerald. HIPAA Today: Responding to a subpoena.
Drug Topics
Jul. 21, 2003;147:41.
FDA’s Recent Exemptions: What Do They Mean as We Finalize DSCSA Implementation?
October 31st 2024Kala Shankle, Vice President of Regulatory Affairs with the Healthcare Distribution Alliance, and Ilisa Bernstein, President of Bernstein Rx Solutions, LLC, discussed recent developments regarding the Drug Supply Chain Security Act.