September 2016

The 411 on Subpoenas
By Keith Loria
For The Record
Vol. 28 No. 9 P. 18

What happens when a hospital's medical records are served notice?

AHIMA defines a legal health record as a document being generated at or for a health care organization as its business record and designated as the record to be released upon request.

When a hospital's EHR is subpoenaed, the organization may face different concerns from those present in a paper environment. For example, what are the differences between releasing electronic patient data and paper records? What parts of the EHR should be released? Do printouts of electronic data qualify as admissible evidence in litigation?

"When a subpoena comes in, the first thing you need to do is verify the subpoena is for your jurisdiction," says Angela Rose, MHA, RHIA, CHPS, FAHIMA, director of HIM practice excellence at AHIMA. "Then there are certain things you definitely want to look for and verify—like whether the patient was truly a patient on the dates that the subpoena is requesting."

Understanding the Rules
Christine Rys, RHIA, an HIM consultant with Illinois-based Midwest Medical Records Association, notes that first and foremost, federal and state laws must be followed when answering subpoenas. "Each state is slightly different, and it's important to know those differences," she says. "Each health care facility may also have their own interpretation and should consult with their legal department on those specifics."

Karen Gallagher Grant, RHIA, CHP, chief operating officer for the Massachusetts-headquartered MRA Health Information Services, a release of information vendor, notes that all subpoenas should be hand-delivered by a constable to one central location at the hospital. "A valid subpoena must be issued and signed by a clerk of the court, notary public, or the justice of the peace, and must state the name of the court, [state] the title of the action, and be accompanied by a witness fee," she says.

Kathy Gordon, RHIA, vice president of disclosure management for MRA, says that whoever in the HIM department accepts the subpoena must examine it with care. "They should determine that it is in fact for the HIM department and that they are looking for medical records as opposed to billing or human resources records," she says. "They really need to take a little time to look it over rather than just giving it a name and putting it in a pile to be processed."

In one subpoena MRA received, the wording was vague, requesting only "records." Once the document was examined, it turns out it had nothing to do with medical information—it sought a personnel file. Health care organizations must be careful in such circumstances or risk being put in a situation where their actions may be considered to be a breach of protected health information.

"You really need professional health information professionals to do the release of the information because it is complicated," Gordon says. "Sometimes you have to talk with compliance officers, sometimes you have to talk with attorneys, and in some hospitals you don't have professionals doing it, and that can lead to problems."

Attention also should be paid to the subpoena's due date. These are time-sensitive documents that can't be mixed in with other types of requests where they may get lost in the shuffle, Rys says, adding that providers also must determine whether a court order or patient authorization is necessary. She says law offices may not understand the reason a subpoena has not been fulfilled. For example, when a subpoena asks for "any and all" dates of service, records may need to be pulled from an offsite storage facility, thus lengthening the processing time.

Rys says to be alert for improper authorization forms. If there are blanks, they shouldn't be completed. For example, some subpoenas require a patient's authorization form (ie, workers' compensation) if the patient's record contains sensitive information or if directed by the hospital.

Julia Applegate, vice president of client operations for Verisma Systems, says the most common mistake made by providers is accepting an attorney's request with what appears to be a valid docket number signed by the attorney but not a court official.

"There are many cases where the attorney is attempting to make the request look more official. But without patient or legally authorized representative authorization, the provider will process the request in error," she says. "Our team uses a checklist to validate any subpoena request."

The Subpoena Checklist
According to Applegate, most organizations follow a general guideline for subpoenas—although some health care facilities have stricter guidelines with more safeguards attached to their checklists—that includes the following information:

• name of court;

• names of plaintiff and defendant;

• name and telephone number of the attorney issuing the subpoena;

• docket or civil action number;

• date, time, and location of proceeding (trial subpoenas require 24 hours notice, while discovery subpoenas require a 10-day notice);

• the specific documents sought (eg, medical records with specified time frames);

• carbon copies for the opposing attorney;

• a statement that the subpoenaed evidence shall not be produced or released until the date specified for the taking of the deposition and that if the subpoenaed person is notified that a motion to quash the subpoena has been filed, he or she shall not produce or release the evidence until ordered to do so by the court or the release is consented to by all parties to the action. (This does not apply to trial subpoenas or court orders.); and

• the signature of a person authorized to issue the subpoena.

Challenges Abound
For the most part, subpoenas are pretty cut and dried, but there are a host of challenges that may pop up when providers attempt to fulfill a request, beginning with gathering all the information in a timely manner.

"Let's say the doctor hasn't finalized a report in the record. That would create a problem because you can't release it until finalized, and we'd have to track down the doctor," Gordon says. "Plus, now with the electronic medical record in most facilities, we're dealing with hybrid records. That's a challenge in itself because you have to get the hard copy and the electronic copy and have everything merge together."

Releasing too much information also can be problematic. Rose notes that when fulfilling a subpoena request, HIM professionals should provide exactly what is asked for—no more, no less.

"This can be a gray area because the definition of the minimal necessary isn't entirely clear cut. What is meant for one organization can have a totally different meaning for another organization," she says. "You may, therefore, wind up releasing more information than needed, which would go against the minimum-necessary rule."

Authorization also can be dicey. Whether it must be present with the subpoena can vary by state law—and even that's not straightforward. "In Oklahoma, for instance, an authorization has to accompany a subpoena or else you cannot release the information," Rose says. "With the recent guidance from the Office for Civil Rights on access, that has caused some confusion over what a patient request is vs what an authorization is."

To Send or Not to Send
Not all subpoenas should be adhered to. In fact, Gordon says close to 40% of subpoenas received by MRA last year were objected to for various reasons. Some didn't contain the patient's date of birth, some didn't request the dates of service, and others sought information that wasn't permitted to be released.

For example, Grant notes that if the record contains privileged or sensitive information, the subpoena does not apply. "If it's not served correctly or put in the mail, that's unacceptable," she says. "A letter of insurance should also be present."

Rose says subpoenas requesting psychotherapy notes or alcohol and drug abuse records should not be filled unless the proper authorization is obtained from the patient. "Those have separate laws that offer further protection to [patients], so a lot of times we will require a court order," she says.

In these cases, an objection letter must be sent to the attorney who requested the information explaining why the information can't be released and why the subpoena can't be processed. "The onus is on the attorney. It's their responsibility to either get a court order or patient authorization," Grant says. "Our responsibility is simply to send the letter."

It often is difficult for health care organizations to make sense of the gray areas between following court directives and complying with HIPAA regulations. Subpoenas issued pursuant to a judicial or administrative tribunal order override any HIPAA obligation as long as the subpoena has been signed by a judge with proper jurisdiction. However, Grant says if the judge who signed the court order is out of state, the health care organization is not obligated to respond to the subpoena.

Redacting Information
Applegate says redacting documents may occur at some health care organizations but typically most states do not redact actual information listed on a specific page. Instead, documents will be removed from the record in their entirety if not covered/authorized.

Applegate cites a case in which the requested record contained health information that noted the presence of HIV and other sexually transmitted diseases. The subpoena was promptly returned to the requester with a request for supporting authorization to cover the release of sensitive information. Within a week, a valid authorization was provided to the facility and the records were released without redaction.

"If redaction may be necessary as a result of the presence of statutorily protected information not covered under the subpoena, the provider may return the request asking for patient authorization that covers this protected information," Applegate says. "There are some providers in a few states that commonly redact all information throughout the chart using an Office for Civil Rights tool."

Health care organizations interested in redaction technology have other options besides the federal tool. For example, Verisma offers a review solution that helps users locate statutorily protected information and identify those requests/subpoenas requiring more information or authorization before processing and releasing.

Ann Dooley, RHIA, MRA's director of disclosure management, says information in subpoenas isn't typically redacted, adding that if there is a problem with sensitive information, organizations should first respond by filing an objection letter. "If there is then a response with a court order and it says that we need to redact the legally protected information, in that particular case we would," she says. "There are other times when the director of the department will just tell us we need to redact and we will do it then also."

Rys recommends organizations seek patient authorization or a court order before turning to redacting sensitive information. "Redaction is too subjective and mistakes can occur that may open the health care facility up to litigation," she notes.

According to Rose, requestors may be uncertain about the exact information they need, so they will request the patient's entire history. As a result, HIM departments waste time and resources. Opening lines of communication can remedy this problem. "A lot of times talking to the requestor will help alleviate all of this and figure out what's really needed—a lab result or something from a certain date—and that saves time," Rose says. "You can't just take out information, though."

In Summation
In most cases, subpoenas are given priority status and, if valid, fulfilled immediately. However, Applegate says there are cases—depending on the facility's perspective—in which the subpoena is not fulfilled until just days before the due date with the intention of delivering it on the exact due date. Although this strategy is uncommon, it is protocol when a facility believes opposing counsel should be given a reasonable opportunity to quash a motion.

When it comes to subpoenas, Rose notes it's important to comply but equally as important to do so only if the request meets every standard, including those involving the signature, stamp, and documentation. It comes down to a series of checks and balances.

"There are a lot of times you might have seen the patient but the date of service they request is not a day they were there, and they may have just sent it to the wrong place. You don't volunteer information that they haven't requested," Rose says. "And make sure you know the laws when it comes to the more sensitive information. With all subpoenas, you want to make sure your satisfactory assurance was fulfilled as required by HIPAA."

Subpoenas are issued for many different reasons and request many types of patient information. As a result, it can be a messy process, making it all the more important that HIM departments ensure each request is valid.

— Keith Loria is a freelance writer based in Oakton, Virginia.