HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is a HIPAA Subpoena?

The U.S. Department of Justice has recently been cracking down on healthcare offenses, with investigations often involving a HIPAA subpoena being issued. The subpoena compels HIPAA-regulated entities to release information such as patient medical records that they would otherwise not be permitted to disclose due to Privacy Rule restrictions on uses and disclosures. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) if compelled to do so by a valid subpoena.

What is a HIPAA Subpoena?

A HIPAA subpoena is an administrative subpoena which requires a HIPAA-regulated entity to release documents to support investigations of federal criminal healthcare offenses pursuant to 18 U.S.C. § 3486, and the use of these subpoenas is becoming more common. A HIPAA subpoena is similar to a federal grand jury subpoena, in that they both compel a HIPAA regulated entity to release specific information to assist with investigations into healthcare offenses.

A HIPAA subpoena is an administrative subpoena, but they are not generally issued for investigations that are purely civil in nature. When prosecutors at the U.S. Department of Justice issue a HIPAA subpoena, it indicates a criminal investigation is being conducted into healthcare offenses.

How Does a HIPAA Subpoena Differ from a Federal Grand Jury Subpoena?

It is more common for a federal grand jury subpoena to be issued to obtain documents to support a civil or criminal investigation into healthcare offenses. Both types of subpoena compel a covered entity to release documents to support the investigation; however, a federal grand jury subpoena does not allow the sharing of information with civil DOJ attorneys who are pursuing a parallel investigation, whereas a HIPAA subpoena does.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

For example, if there are parallel investigations being conducted into violations of the False Claims Act (civil) and anti-kickback and healthcare fraud statutes (criminal), a HIPAA subpoena may be issued as it supports intra-departmental cooperation. In contrast to a federal grand jury subpoena, it allows civil and criminal DOJ attorneys to work together in their investigations of potential violations of civil and criminal statutes under different statutes. A federal grand jury subpoena would not allow information to be shared between both parties due to grand jury secrecy rules.

Civil Investigative Demands (CIDs) are also often issued for documents or testimony. These may be associated with investigations that are purely civil in nature, although material obtained may also be shared with criminal Assistant United States Attorneys.

If a federal grand jury subpoena is received, it generally means a criminal investigation is being conducted. If you have received a CID, it was likely issued to support a civil investigation, but a criminal prosecutor may also be reviewing the documents. If you have received a HIPAA subpoena, it is probable that the DOJ is conducting parallel civil and criminal investigations.

Have You Received a Subpoena Compelling Release of Documents or Testimony?

If a valid federal grand jury subpoena or HIPAA subpoena is received, the HIPAA Privacy Rule permits the disclosure of PHI. HIPAA assumes the judge or magistrate issuing the subpoena has considered the privacy and confidentiality rights of an individual(s) prior to signing the subpoena. HIPAA regulated entities must provide the requested documents or medical records but only the specific information requested in the subpoena. All other information not specifically mentioned should be redacted.

If a subpoena is received that has been signed by an attorney or clerk, one of the following conditions must be satisfied before any PHI can be disclosed.

  • A written statement is received from the party requesting the information confirming reasonable efforts have been made to contact the individual to whom the requested information relates in writing, that the individual has been given the opportunity to object to the subpoena in court, and that sufficient time for raising an objection has been provided and either no objection was filed or the objection was resolved by the court.
  • Alternatively, if PHI can be provided if the subpoena is accompanied by a written statement from the issuing party confirming the parties to the proceeding have agreed to a qualified protective order that will maintain the confidentiality of the provided information, or that such a protective order has been requested.
  • The HIPAA regulated entity makes reasonable efforts to notify the individual in writing to advise them about the subpoena and the legal obligation to comply, and has provided information to allow the individual to object to the subpoena in court, provided no objection was filed or the objection was unsuccessful. Alternatively, the records can be released if the individual whose PHI has been requested signs an authorization form permitting the requested disclosure.

If one of the above conditions is satisfied, only the information specifically requested in the subpoena can be provided. If one of the above conditions could not be satisfied, PHI could only be provided if a court order is received. A written objection should be filed based on HIPAA restrictions and it will be the responsibility of the issuer of the subpoena to obtain a court order to release the information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.