What Providers are Supposed to Do When Subpoenaed
Posted in Subpoenas
What Providers are Supposed to Do When Subpoenaed

Having worked imbedded within the medical field for more than a decade before joining the health group at Bowles Rice, I can tell you that most medical practices do not know what to do when they receive a subpoena from a lawyer’s office.  Most of the time, the initial reaction will be to quickly comply in order to avoid initiating a confrontational situation with the lawyer.  However, there are many occasions in which simply answering the subpoena is the wrong answer, and it can get the health care provider in a lot of trouble.  As such, it is important that the health care provider, when served with a subpoena, seek the assistance of an experienced legal professional who can help them conduct the appropriate analysis of the subpoena and determine the appropriate course of action that will not run afoul of the Health Insurance Portability and Accountability Act (HIPAA) and other statutes and regulations designed to ensure patient privacy and the confidentiality of Protected Health Information (PHI).

I recently assisted a client which had received a subpoena duces tecum (or subpoena for production of evidence) seeking to compel the appearance of a treating physician and the production of “[a]ny and all treatment records, use of suboxone, substance abuse treatment, reports, notes, information, etc.” relevant to the patient.  The subpoena was not accompanied by an authorization signed by the patient or a court order compelling the production of the records.  While this request may not seem inappropriate to a lay person, hopefully it has already sent red flags skyward for anybody working within the medical field.  For the reasons discussed below, and in accordance with Rule 45(d)(2)(B) of the West Virginia Rules of Civil Procedure, we respectfully objected to the requests contained in the subpoena and refused to produce the records.

Any time a health care provider receives a subpoena for records pertaining to mental health and/or substance abuse treatment, it needs to remember that those records (or testimony regarding those records) need to be afforded a heightened level of confidentiality.  West Virginia Code Chapter 27 addresses “Mentally Ill Persons,” and, more specifically, West Virginia Code § 27-3-1(a) states:

Communications and information obtained in the course of treatment or evaluation of any client or patient are confidential information. Such confidential information includes the fact that a person is or has been a client or patient, information transmitted by a patient or client or family thereof for purposes relating to diagnosis or treatment, information transmitted by persons participating in the accomplishment of the objectives of diagnosis or treatment, all diagnoses or opinions formed regarding a client’s or patient’s physical, mental, or emotional condition, any advice, instructions, or prescriptions issued in the course of diagnosis or treatment, and any record or characterization of the matters hereinbefore described.

Section 27-3-1(b) then dictates that such confidential information shall not be disclosed except in very specific circumstances, including a written patient authorization or a court order.  Generally, either the signed authorization or the court order should be provided to the health care provider before it, in turn, discloses the kind of confidential information sought by this subpoena.

In the aftermath of our Supreme Court’s recent decision in Barber v. Camden Clark Memorial Hospital Corp., wherein the Court ruled that health care providers could be found to have breached the statutory and common law duties to restrict access to a patient’s mental health medical records under West Virginia Code § 27-3-1, even if the provider otherwise complied with the West Virginia Medical Records Act and HIPAA, our legislature took multiple cracks at amending § 27-3-1.  The most current version allows for the disclosure of otherwise confidential information “[p]ursuant to and as provided for under the federal privacy rule of the Health Insurance Portability and Accountability Act of 1996 in 45 CFR §164, as amended under the Health Information Technology for Economic and Clinical Health Act of the American and the Omnibus Final Rule, 78 FR 5566.”

Notably, HIPAA permits the disclosure of protected health information for judicial and administrative proceedings in response to a subpoena. See 45 C.F.R. § 164.512(e).  However, HIPAA also contains additional conditions that must be met prior to any disclosure.  Where the subpoena is not accompanied by an order of the court, such information may only be disclosed if certain, precise criteria are met.  In other words, it is still not okay to simply turn over mental health records in response to an otherwise bare subpoena, even considering the amended West Virginia Code § 27-3-1.

Not only would disclosing the records constitute a potential breach of HIPAA itself, doing so also could open the health care provider to potential liability under West Virginia Code § 27-3-1, which (based on the Court’s finding in Barber v. Camden Clark Memorial Hospital Corp.) still constitutes a distinct cause of action, separate and apart from the West Virginia Medical Records Act.

Accordingly, health care providers need to remain on guard and be proactive in their responses to subpoenas.  Many of these subpoenas are served by attorneys who have had absolutely no training in HIPAA or other medical privacy laws, and some are served by attorneys who just do not care about the potential ramifications to the health care provider.  In my experience, however, most attorneys are happy to work with medical practices to obtain the necessary documentation, such as a court order compelling the production of the patient records, once they are informed of the HIPAA issues involved.  In the case discussed above, opposing counsel obtained a court order for the records, and my client was able to comply without violating HIPAA or West Virginia Code § 27-3-1.

The moral of the story is that the duty to know and comply with HIPAA and other patient privacy laws rests with the “covered entity” – i.e., the health care provider.  As such, when questions (or subpoenas) arise, health care providers should never hesitate to reach out to an experienced health care attorney who can help them navigate the issues and resolve the matter without incurring an otherwise avoidable HIPAA violation. 

When health care providers find themselves in need of these and other consultative services, Bowles Rice's team of health care lawyers is always here to help.