A strict protocol for responding to subpoenas can reduce the risks that come with inadvertently releasing too much information, or the wrong information says Jill M. Steinberg, JD, shareholder with Baker Donelson in Memphis, TN.

Steinberg has found that the best practice for responding to subpoenas or authorizations for production of medical records in legal cases is to set up a special department or designate an employee as the legal health information management (HIM) representative. All requests for records in a legal case would be funneled through a person or persons trained in the legal issues and with ready access to the legal department or outside legal counsel when questions arise, she says.

For example, when a subpoena is served, the HIM department needs to make sure that the subpoena is valid. Issues that the HIM representative should be familiar with include determining if notice to opposing counsel is required under the law and that the provision of notice is evident from the subpoena.

“When providing records pursuant to medical authorizations or court orders, the responding department must make sure that the person requesting records has authority to obtain the records. For example, if the records are requested for a deceased or incompetent person, the authority of the person must be clear on the face of the authorization. The death certificate or documents appointing the person as a representative of the estate or conservator of the person must be provided,” Steinberg says. “If a department just allows anyone who receives a subpoena to prepare records for production without making sure that the subpoena is valid, liability could be invoked against the hospital or medical provider.”

Policies and procedures for responding to subpoenas should include a protocol for evaluating the validity of the subpoena, a calendar system for making sure that the response is timely, and an internal definition for what is produced as a legal medical record, she says.

There also should be a procedure for how to produce a record electronically or on paper. Healthcare providers must decide if they are going to produce records that were prepared by an outside medical provider but have become a part of the medical record, Steinberg says.

For example, when a patient is admitted to labor and delivery, the patient’s prenatal records often will be placed in the medical record, she says. Steinberg recommends a statement added to the medical records custodian affidavit such as the following:

“Please be advised that the records produced herein also contain documents that were not prepared by personnel of the hospital/physician/practice group/clinic or by persons acting under their control with respect to the preparation of records, in the ordinary course of business, at or near the time of the act, condition, or event reported therein. Any such documents produced herein are produced in compliance with statute and regulations defining ‘medical records,’ but no independent certification can be made with respect to the authentication of such documents.”

It also is a best practice to include a caveat in any production of a medical record that explains that not all metadata be produced in a printed or electronic medical record. The following is an example of possible language to consider:

“Some electronic data and metadata relating to the patient’s clinical course, and which may fall within the parameters of the definition of ‘hospital records’ set forth in applicable statutes, cannot be reproduced through the mechanism of printing the records directly or scanning the patient’s records onto a CD or jump drive for printing. The records produced in response to this authorization/subpoena consist of printable data reasonably accessible for scanning and/or printing as of the date of the authorization/subpoena request as established by the third-party software vendor, and by information technology personnel within the hospital system, consistent with the necessity to maintain the electronic records functionality and speed for patient care.”

One of the biggest challenges is the sheer volume of subpoenas and medical records requests that healthcare providers deal with, Steinberg says. Consider establishing a system in which risk managers are advised of medical record requests from any “red flag” attorney. Risk managers can review these records for any potential medical malpractice claim filed, she suggests.

“Every party to an automobile accident, disability claim, and/or medical malpractice action — even if the provider whose records are requested is not a party — will possibly seek to obtain medical records pursuant to subpoena or authorization,” Steinberg says. “It is important for risk managers to have a robust communication system with HIM and to make sure that they are advised when there is a subpoena issued on a case against the medical provider or a request for records from an attorney who typically files suit against medical providers.”


  • Jill M. Steinberg, JD, Shareholder, Baker Donelson, Memphis, TN. Phone: (901) 577-2234. Email: jsteinberg@bakerdonelson.com.