What is a HIPAA Subpoena?

Lately, the U.S. Department of Justice has been pursuing healthcare criminal acts and investigations frequently entail the issuance of a HIPAA subpoena. The subpoena pressures HIPAA-regulated entities to give data including patient health records that they are not allowed to reveal because of Privacy Rule prohibitions on uses and disclosures. Under the HIPAA Privacy Rule, disclosures of protected health information (PHI) when required to do so through a valid subpoena are permitted.

HIPAA Subpoena Defined

A HIPAA subpoena is an administrative subpoena that calls for a HIPAA-regulated entity to provide papers to assist investigations of federal criminal healthcare offenses (18 U.S.C. § 3486) and using these subpoenas is growing to be more usual. A HIPAA subpoena is a lot like a federal grand jury subpoena because they both make a HIPAA-regulated entity to give certain data to help with investigations of healthcare crimes.

As an administrative subpoena, a HIPAA subpoena is not usually given for strictly civil investigations. When the U.S. Department of Justice prosecutors release a HIPAA subpoena, it implies a healthcare criminal offense is being investigated.

Difference Between a HIPAA Subpoena and a Federal Grand Jury Subpoena

It is more typical for a federal grand jury subpoena to be given to get papers to help investigate a civil or criminal healthcare offense. The two types of subpoenas make a covered entity provide documents to help the investigation; nonetheless, a federal grand jury subpoena doesn’t permit the disclosure of data with civil DOJ lawyers who are having a parallel investigation, while a HIPAA subpoena allows it.

For instance, when there are parallel investigations being performed into violations of the anti-kickback and healthcare fraud statutes (criminal) and False Claims Act (civil), a HIPAA subpoena can be given as it helps intra-departmental cooperation. Unlike a federal grand jury subpoena, it permits civil and criminal DOJ lawyers to come together in their investigations of prospective civil and criminal statutes violations under varied statutes. A federal grand jury subpoena wouldn’t permit the sharing of information between the two parties because of grand jury secrecy regulations.

Civil Investigative Demands (CIDs) are likewise frequently given for documents or testimony. These could be related to investigations that are solely civil, though material acquired could as well be provided to criminal Assistant United States Attorneys.

When receiving a federal grand jury subpoena, it usually means there is a criminal investigation. In case you were given a CID, it was probably given to help support a civil investigation, however, a criminal prosecutor could also be going over the documents. In case you got a HIPAA subpoena, it is likely that the DOJ is performing simultaneous civil and criminal investigations.

When Receiving a Subpoena Requiring the Release of Documents or Testimony

When receiving a valid HIPAA subpoena or federal grand jury subpoena, the HIPAA Privacy Rule allows PHI disclosure. HIPAA considers the judge or magistrate giving the subpoena to have thought of the privacy and secrecy rights of a person(s) before issuing the subpoena. HIPAA-covered entities should present the requested documents or health records but just the particular data required in the subpoena. All other data not particularly stated must be redacted.

When receiving a subpoena that was signed by a clerk or an attorney, one of these conditions should be satisfied prior to disclose any PHI.

A written statement is obtained from the party asking for the data verifying reasonable efforts were made to communicate with the person to whom the requested data pertains, that the person was provided the chance to object to the subpoena in court, and that adequate time for bringing up an objection was given and either the objection was settled by the court or no objection was submitted.

Alternatively, PHI can be presented when the subpoena is complemented by the issuing party’s written statement of the agreement of the parties to the proceeding to a qualified protective order that is going to preserve the confidentiality of the presented data, or that such a protective order was requested.

The HIPAA regulated entity makes reasonable attempts to inform the person in writing to tell them about the subpoena as well as the legal responsibility to comply and has given data to permit the person to object to the subpoena in court, as long as no objection was submitted or the objection was not successful. Alternatively, the records may be provided when the person whose PHI was requested signs an authorization allowing the disclosure.

When one of the above-mentioned conditions is met, solely the data particularly asked for in the subpoena may be given. When one of the above-mentioned conditions is not met, PHI can only be given if there is a court order. A written objection must be filed according to HIPAA limitations and it will be the accountability of the issuer of the subpoena to get a court order to disclose the data.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.