Hospitals and health systems should have a formal policy on responding to subpoenas. Staff must be educated on how to properly respond when presented with a legal demand for material or a court appearance.

• There is a difference between a subpoena issued by a court and one issued by an attorney.

• Policies and procedures should ensure that you comply only with what the subpoena requires.

• Specific laws regarding some records and state laws may affect subpoena compliance.

Hospitals and health systems receive many subpoenas demanding information or the appearance of individuals in a legal matter, and it is easy to lose sight of how important it is to respond appropriately. Improperly responding to a subpoena can result in legal difficulties and damage the outcome of the related litigation.

The key to properly managing subpoenas is to create a formal policy that outlines how staff respond to this legal demand, says Robert H. Iseman, JD, partner with the Rivkin Radler law firm in Albany, NY. There must be a procedure in place for accepting any kind of legal process, including a summons that initiates a lawsuit, a subpoena from a party in litigation or perhaps from a public agency, he says.

“Any kind of compulsory legal process ought to be presented to a particular office within a healthcare organization, such as the legal counsel’s office, to accept process. The first benefit is making sure that it does not get lost, that you don’t find yourself in default of a lawsuit or failing to produce the documents or person required by the subpoena simply because you never properly received it and had a chance to respond,” Iseman says. “Many organizations don’t have that.”

These types of requests include civil and criminal subpoenas, administrative/regulatory subpoenas, and Civil Investigative Demands under the False Claims Act, explains Matthew S. Arend, JD, partner with the Dinsmore law firm in Cincinnati. Different types of requests — and different senders — carry with them different compliance obligations and privacy considerations, he says.

For example, regulatory requirements under HIPAA differ significantly if the request is made via a subpoena issued in a civil case versus one issued by a grand jury in a criminal proceeding or an administrative request by the Centers for Medicare & Medicaid Services (CMS) or Department of Justice (DOJ), Arend says. There may also be state law considerations, such as physician-patient privilege or the peer review privilege (and any exceptions to privilege), depending on what information has been requested.

Some subpoenas require the production of both a live witness and documents, Iseman notes. A healthcare organization’s policy should be tailored to account for the various types of subpoenas that might be received and how they require different types of compliance, he says.

Substance Abuse Laws Are Strict

Of particular concern are subpoenas that may involve substance abuse records, which are protected in ways other medical records are not.

“There is a longstanding series of federal statutes and regulations that protect substance abuse records, prohibiting a hospital that may have a drug rehabilitation program from producing any of those records unless there is a consent form in the file that has been signed by the patient and which meets very specific and rigorous requirements,” Iseman says. “Many organizations don’t have a consent form on file that meets the requirements of the law. One of the reasons is that the consent form must specifically designate the person to whom the information can be released, rather than a blanket consent form.”

Without such a consent form, the hospital is required to inform the party issuing the subpoena that federal law precludes responding to the subpoena, Iseman explains. In such a situation, the law prohibits even acknowledging that the person is a patient at the facility, he says.

Iseman says the appropriate response would be something like this: “Without conceding that Joe Smith is now or ever has been a patient at the facility, the information sought by the subpoena refers to protected substance abuse information, and we do not have a consent which permits us to disclose any records.” The issuing authority would then have to seek a court order for the records, which would be granted only in extreme cases such as when it is required to prevent child abuse or serious crimes, he explains.

“The court order is not going to be issued for a garden-variety divorce proceeding, for instance, in which a spouse is alleging substance abuse by the other party,” he says. “The grounds for the court to issue the order are so narrow that it is a very high bar.”

Subpoena compliance also can be governed by HIPAA requirements, Iseman says. While they are not as restrictive as the substance abuse rules, they can preclude turning over as much information as requested in a subpoena. There also can be additional restrictions from laws related to HIV and mental healthcare, he notes. Many of these vary from state to state.

State Laws Can Allow Private Action

One factor working in favor of healthcare organizations is that the federal rule on substance abuse confidentiality does not provide a private right of action, Iseman explains. The rules are enforced by the DOJ, so there is the risk of federal fines, but private litigants cannot sue for compensation. Likewise, people cannot sue civilly under HIPAA.

However, there can be a private right of action under parallel state laws, Iseman explains. That can pose significant liability under a common law claim, he says.

“There must be adequate training of any staff who might be involved in receiving or responding to a subpoena, and one of the first steps is to determine if what the subpoena is demanding can be released,” Iseman says. “You can’t assume that the attorney issuing the subpoena knows the law and so it must be OK to release the records. We have cases in which the healthcare organization shows up in court and says they can’t release the records because of this law, and the judge doesn’t even know about the law.”

Iseman says he suspects most healthcare risk managers and legal counsel have heard of the additional restrictions that govern some subpoena compliance, but merely being familiar with those laws may not be enough.

“Whether they are organized enough to have a process and procedure to address them is another matter entirely,” Iseman says. “Whether that process works is also another matter that is uncertain.”

Designate Individuals for Subpoenas

Many healthcare organizations designate one or two people in the legal counsel’s office to receive and respond to subpoenas, Iseman says. That person should be familiar with the basic requirements of the law, as well as the hospital’s policies and procedures, and know when to seek additional legal counsel before responding.

Depending on the size of the organization and the type of request, Arend says the responsible party also can be in the records department, risk management, or legal staff. All hospital staff should be trained to immediately direct any requests for records to the designated person(s) for handling.

“Those handling the responses should be further trained on how to differentiate run-of-the-mill requests from those requesting more sensitive information or those which may require special handling, such as psychiatric or psychotherapy records or substance abuse treatment information covered under 42 CFR Part 2,” Arend says. “Responses should be logged, not only to track receipt and response dates but also to document when and to whom records were provided as required by certain regulations, including HIPAA, which requires organizations to keep an accounting of all disclosures.”

Rely on Counsel When Necessary

When in doubt, contact legal counsel, Arend says. Whether the organization relies on inside counsel or an outside attorney, having an expert with significant knowledge and experience in this area can be a lifesaver, he says.

“Penalties for unauthorized disclosures can be severe and, unfortunately, good intentions or misunderstanding of the law won’t necessarily save you from enforcement. I serve as outside privacy counsel for a number of healthcare clients, and I often work hand-in-hand with them in solving the more thorny dilemmas that can arise,” Arend says.

“Often, disclosure involving law enforcement can be the most tricky for healthcare organizations to address. They want to cooperate and foster a good relationship with law enforcement, yet they are also bound by various privacy regulations that law enforcement may not be well-versed in or particularly care about.”

In those situations, having counsel to serve as a buffer and a sort of translator regarding the law can help to resolve disputes and prevent misunderstandings, he says.

“For example, I represent a local behavioral health practice that regularly receives subpoenas for information and testimony from the local prosecutor’s office for various child welfare proceedings. Obviously, this is an area rife with risk: mental health, substance abuse, information relating to minors, etc.,” he says. “However, in order to avoid having to take an unnecessarily adversarial stance, I was able to reach out to the prosecutor’s office and get them to agree to implement a procedure where they would reach out to my office to discuss the matter prior to issuing a subpoena in order to discuss the requests and to make sure they had all of the proper documentation and authorizations we would need to comply with their requests.”

Utah Case Still Worries Some

The greatest risk related to subpoenas comes when law enforcement officers demand immediate response, Arend says.

“The various overlapping regulations, exceptions, and public policy goals can sometimes make for a murky environment where the requirements for proper compliance aren’t always immediately clear. In those situations, I recommend engaging outside counsel to help work through the issue,” he says.

Recently, a hospital client reached out to Arend with concerns that police were bringing in DUI suspects with signed search warrants and demanding that hospital personnel draw blood samples and provide them with the results, Arend notes. This was reminiscent of a highly publicized incident in Utah in 2017 in which a nurse was arrested for following hospital policy and refusing police orders to draw blood samples.

That case illustrated what some healthcare professionals said was a common dilemma. The images of the Utah nurse being forcibly arrested as she begged for help still linger with many in the industry. (For more information on the Utah incident, see the story in this issue.)

The hospital Arend worked with was uncomfortable participating in the process and especially with frontline emergency nursing staff being asked to parse whether their participation was appropriate.

“I was able to reach out to the city’s law director to discuss the issue and to establish a set of procedures that would be used in order to remove the decision from healthcare personnel and elevate it to risk management to ensure uniformity in the hospital’s response to these sorts of requests,” Arend says. “In both of these cases, being proactive and spending time and resources on the front end of the issue likely avoided more significant legal and financial headaches down the road.”

Arend says policies and procedures should address each of the types of requests the hospital is likely to see, include guidance on how such requests should be routed for a response, include a list of requirements to determine whether the request is valid, and address any exceptions to regulatory restrictions and any sensitive or highly protected categories of information that may require special handling under state or federal law. The policy should also outline procedures for production, including time frames (allowing time for objections, if necessary), any review protocols, format of production, and how to log the disclosure.

“Another difficult area can be the overly aggressive attorney who thinks they understand the law and is convinced that your objections and concerns are simply obstinacy on your part,” Arend says. “Having a clear policy on which to rely, proper training, and a clear understanding of how the regulations work together and where the friction points exist between them can help risk managers and/or their legal counsel educate the requester and hopefully negotiate an acceptable resolution that also allows the hospital to remain compliant with its obligations to patient privacy.”

Be Conservative With Subpoenas

Be conservative when responding to a subpoena for medical information, says Lucie F. Huger, JD, an officer, attorney, and member of the healthcare practice group at Greensfelder, Hemker & Gale in St. Louis.

“My first piece of advice is to review the subpoena to see whether the healthcare organization is named as a party — a plaintiff or a defendant — in the subpoena received by the risk manager,” Huger says. “If the healthcare organization is named as a party, the risk manager will want to notify legal counsel for the healthcare organization that the subpoena has been received and then take direction from the organization’s legal counsel before responding.”

Before responding to a subpoena, it also is necessary to determine whether the subpoena is enforceable in the jurisdiction where the healthcare entity is located, Huger says. Generally, if the subpoena is issued from a court that is out of state, it may not be enforceable.

“If the risk manager has concerns as to whether the subpoena is enforceable, then my advice is for the risk manager to share the subpoena and the concerns with the organization’s legal counsel and then take advice from counsel as to an appropriate response,” she says.

Assuming the subpoena is valid, the healthcare organization’s response will depend on how the subpoena has been issued and who is seeking the information, she says. Generally, if the subpoena is signed by a judge, the healthcare organization will need to comply with the terms of the subpoena because it would likely hold the weight of a court order.

Failure to comply with a validly issued court order could result in fines or penalties against the healthcare organization.

“If the subpoena is not signed by a judge, which is more common, then the risk manager will need to determine whether it is a subpoena issued by a lawyer who is representing the former patient or whether the subpoena is coming from someone who is representing a person who is not the former patient,” Huger says. “If the subpoena is issued by a lawyer representing the former patient seeking the medical records of the former patient, then a HIPAA-compliant authorization generally accompanies the subpoena.”

In this scenario, it will be important to review the authorization to ensure that the former patient authorized the release of the subpoenaed information. If there is any question about the authenticity of the authorization or the scope of what is being requested, the risk manager should contact the former patient to ensure he or she authorized the information to be shared with his or her attorney through the subpoena.

“If the former patient confirms this, depending upon the level of concern, the healthcare organization may prefer to have the former patient sign the authorization form used by the healthcare organization and then produce the information to the attorney representing the former client,” she says. “If there is not an authorization accompanying the subpoena from the attorney representing the former patient, my advice is to follow the same procedure — that is, have the former patient sign the appropriate authorization and then produce the records to the attorney representing the former patient.”

On the other hand, if the subpoena is issued by a person who is not representing the former patient, Huger advises determining whether the former patient, through his or her attorney, has authorized the release of this information. Again, if the former patient agrees to the release of this information, then the risk manager will want to receive a signed authorization from the patient.

If there is any question as to whether the former patient has authorized the release of his or her information, the hospital should seek a court order, she adds.

Huger says she has seen hospitals respond well to complex subpoena situations, and others have performed poorly.

“Generally, those who appropriately respond take the steps necessary to ensure that only responsive information is provided to people who have demonstrated a legal right to having the information and have taken the correct steps to ensure this,” she says. “On the other hand, I have seen poor responses because a risk manager did not understand the difference between a subpoena and a court order. Unfortunately, once information is wrongfully disclosed, this can be very difficult for the person whose information was disclosed.”


• Matthew S. Arend, JD, Partner, Dinsmore, Cincinnati. Phone: (513) 977-8388. Email: matthew.arend@dinsmore.com.

• Lucie F. Huger, JD, Officer, Greensfelder, Hemker & Gale, St. Louis. Phone: (314) 345-4725. Email: lfh@greensfelder.com.

• Robert H. Iseman, JD, Partner, Rivkin Radler, Albany, NY. Phone: (518) 641-7055. Email: robert.iseman@rivkin.com.