Urgent Message: Urgent care centers need documented, consistent, and reportable processes for receiving, tracking, responding to, and collecting payment on subpoenas for patient medical records.
Citation: Ayers A. How Should an Urgent Care Handle Requests for Medical Records by Subpoena? J Urgent Care Med. 2024; 19(2): 29-32
Alan A. Ayers, MBA, MAcc, is President of Urgent Care Consultants and is Senior Editor of The Journal of Urgent Care Medicine.
Medical records are the critical foundation of a compelling personal injury case. These documents are the way in which a plaintiff’s attorney can prove their case by providing this evidence of their client’s injuries, treatment, and recovery.[1] The legal term for a records request is subpoena duces tecum, which is Latin for “bring with under penalty of punishment.” This type of subpoena compels the production of specific medical records or other documents by a specific date.[2] Urgent care centers may receive such subpoenas.[3] This article isn’t designed to address routine protected health information (PHI) release under HIPAA but instead will examine circumstances when an urgent care center receives a subpoena arising from litigation.
HIPAA Privacy Rule
A request for specific medical records often pertains to a medical malpractice action that may be filed against the urgent care or a healthcare provider, for example, or a motor vehicle personal injury lawsuit, a life insurance claim, workers compensation benefits, or other circumstances. Regardless of what the attorney requests, as a HIPAA covered entity, an urgent care must comply with the HIPAA Privacy Rule when responding to subpoenas for medical records. Under the HIPAA Privacy Rule, medical practices and other covered entities must safeguard PHI contained in patients’ medical records. When an urgent care receives a subpoena requesting medical records, it must analyze the subpoena to determine if it meets Privacy Rule protections. If it fails to do so, HIPAA prohibits the disclosure of the record.[4]
A Patient’s Right to Privacy
The California Supreme Court stated that even highly relevant, nonprivileged information may be shielded from discovery if its disclosure would impair a person’s “inalienable right of privacy” provided by California Constitution Article 1, section 1.[5]
The framework for evaluating invasions of privacy in discovery was clarified by the Supreme Court in 2017. In Williams v. Superior Court,[6] the Court held that, generally, “[t]he party asserting a privacy right must establish a legally protected privacy interest, an objectively reasonable expectation of privacy in the given circumstances, and a threatened intrusion that is serious.[7] The party seeking information may raise in response whatever legitimate and important countervailing interest disclosure serves, while the party seeking protection may identify feasible alternatives that serve the same interests or protective measures that would diminish the loss of privacy. A court must then balance these competing considerations.”[8]
In Britt v. Superior Court[9], the plaintiffs—who were owners and residents of homes located near the San Diego International Airport who claimed injury caused by airport operations—challenged the trial court’s discovery order that compelled them to disclose to the defendant their entire lifetime medical histories. The plaintiffs argued that “while they are completely willing to provide defendant with medical information which relates in any way to the physical or emotional injuries for which they seek recovery in the underlying action and, indeed, that they have already done so they object to the trial court’s unlimited order which requires them to comply with defendant’s request for information related to all past medical conditions, without regard to whether such conditions have any bearing on the present litigation.”9
The defendant argued in response that the broad discovery order properly afforded it the opportunity to determine for itself whether the injuries, which the plaintiffs asserted were caused by airport operations, actually arose from other medical conditions.[10]
In overturning the trial court’s discovery order, the California Supreme Court held that the plaintiffs were not obligated to sacrifice all privacy to seek redress for a specific physical, mental, or emotional injury. While they could not withhold information that related to any physical or mental condition that they brought up in the lawsuit, they were entitled to retain the confidentiality of all unrelated medical or psychotherapeutic treatment they may have undergone in the past.10
As a result, the trial court erred in ordering the plaintiffs to disclose their entire lifetime medical histories. This aspect of the challenged discovery order was vacated.[11] The California Supreme Court held that a trial court cannot order disclosure of a party’s healthcare records unless the records are directly relevant to the issues put forward in the action.11
However, some states have what is known as a “patient-litigant exception,” which is a legal exemption that allows for the disclosure of a “communication or record relevant to an issue of the physical, mental, or emotional condition of a patient in any proceeding in which any party relies upon the condition as a part of the party’s claim or defense.”[12]
When to Comply With Subpoenas
Urgent care operators should note that a valid subpoena will include the following pieces of information:
- The name of the court issuing the subpoena and the case docket number (usually time and date stamped with the name of the clerk of court)
- The name, address, and contact information of the attorney and law firm that issued the subpoena
- The names of the parties in the legal proceeding.[13]
Attorneys have certain requirements they must meet before issuing a subpoena. When an attorney files a subpoena for medical records, the records cannot legally be released unless one of the following is true:
- The individual issuing the subpoena has notified the patient of the subpoena and explained their right to object. They must provide a written statement and supporting documents that prove this. If there are no objections, the healthcare provider may release the records[14]
- All parties involved in the legal action have agreed to a qualified protective order.[15] The individual issuing the subpoena must provide a written statement and supporting documents that prove this
- The patient has signed a HIPAA authorization for the release of the specific medical records outlined in the subpoena.14
If the subpoena isn’t valid, no response is required. An urgent operator or provider should ask an experienced attorney as to whether the subpoena is valid.[16] Typically, if the subpoena is signed by a judge and is issued in a court proceeding, it must be honored. And the requested health information must be provided. However, urgent cares may object by writing to the court specifying the grounds for objection.16
The urgent care is only permitted to disclose the information specifically stated in the subpoena and no more. Note that if other information is provided, it would be an impermissible disclosure of PHI. So, if a subpoena requests a patient’s clinic records for a specific date, that is all that the urgent care should deliver—not the entire medical record.
Personal information such as the patient’s Social Security number, address, phone number, bank account or credit card numbers, should be redacted if that information isn’t needed to comply with the subpoena.[17]
Urgent care operators should be aware that in a civil case, state law will frequently provide for advance notice. This requires attorneys requesting disclosure of PHI pursuant to a subpoena to provide advance notice to the healthcare provider and the individual whose PHI is requested (or his or her attorney) that the subpoena request is imminent. That way, the person or physician has a chance to seek a protective order from the court to prevent the disclosure from happening.[18] However, in criminal cases, there’s no advance notice requirement.
How Can Medical Records be Transmitted?
There’s no specific way that the law requires subpoenaed medical records to be delivered. But keep in mind that HIPAA requires that a healthcare provider have some level of security in place to safeguard this information.
Sending medical records via email is not secure as emails can be intercepted and read by unauthorized parties. Emails can also be forwarded to unintended recipients, resulting in breaches in confidentiality.[19]
A secure patient portal is convenient for patients to track their doctor’s appointments, test results, billing and insurance information, prescriptions, and diagnoses as well as communications with their healthcare providers.[20] However, patient portals are only practical for the patient to retrieve his or her own records, not to facilitate medical record requests by third parties.
Finally, while somewhat old school, faxing still offers useful features for transmitting medical records. Chief among these is end-to-end security. Many online faxing services now allow for password protection to secure the document at the endpoints, as well as dual-layer encryption to safeguard it during transmission.[21]
In addition, it’s prudent for urgent care operators to keep a copy of what was produced pursuant to the subpoena and note how and when it was sent.
Charging Administrative Fees
When providing records, an urgent care may charge copy fees as it would with any other request for records.[22] HIPAA permits charging a reasonable, cost-based fee for copies and for summaries and explanations of the record.[23] The fee may include only the cost of certain labor, supplies, and postage.23 Because plaintiff attorneys have been known to hold invoices indefinitely, until a settlement is received, it’s best to require payment in advance of sending the records.
When a Request is Challenged
An urgent care that has been issued a subpoena may also receive a copy of a motion to quash when the patient wants to have the request limited or denied.[24]
A motion to quash is a formal request made to a court to declare a specific proceeding, such as a subpoena, as invalid or void. The purpose of filing a motion to quash is to challenge the legal sufficiency or validity of the document or proceeding in question. When a motion to quash is filed, the court will review the arguments and evidence presented by the party filing the motion, as well as any opposing arguments. The court will then decide whether the motion is granted or denied.[25]
Takeaways
Remember that when attorneys request and use medical records in court, HIPAA laws still take precedence. Legal HIPAA-covered entities can share only medical information immediately relevant in court, and this varies in every case.
Any subpoena received by an urgent care operator should be carefully reviewed to check the validity of the subpoena, the scope of the request, and the deadline for complying. If the subpoena is issued from a court in another state, it may not be valid in the operator’s state.
A subpoena should not be ignored. Questions about what information to release should be considered by legal counsel.
Technology Solutions Facilitate Management of Records Requests
When the document request process is not a core part of clinic operations or revenue cycle management, subpoena requests may be poorly managed, which can create risk for non-compliance with a court order. There are now web-based services focused specifically on this situation, which can reduce friction by:
- Enabling attorneys and others to submit document requests electronically in one centralized location, thus assuring the request is received, versus requests coming in through multiple channels (including certified mail to clinic locations, which can result in delays and lost orders)
- Ensuring consistency in the request format and required elements (including HIPAA authorization or court order) and consistency in staff review and acceptance or rejection of requests, assuring compliance with the HIPAA standards described in this article
- Consolidating all activity related to requests into one place, versus recording activity in individual patient charts or paper processes which aren’t tracked, enabling operators to see and run reports on all communication related to the status, history, and disposition of requests received
- Tightening controls over invoicing and payment processing (By enabling online payment by credit card, the portal eliminates time-consuming invoicing, collections, receipt and deposit of checks, and other tasks. Invoicing through the portal also eliminates inefficient back-and-forth regarding fees, and assures payment is received in full before records are turned over.)
- Encrypting transmission of records across a secure, certified platform using multi-factor authentication in one standard format, versus converting records to different media and sending through different channels (Digital transmission also assures the correct party receives the record, and the system provides an audit trail of who sent and received records, when, and from what IP address.)
Furthermore, some vendors offer medical records retrieval as an outsourced service by connecting to the urgent care’s electronic medical record and receiving and responding to requests on behalf of providers. Others have established networks of requesters (ie, law firms, insurance companies and government agencies) linked through their websites to networks of participating healthcare facilities (including urgent care centers) creating a secure, transactional marketplace.
References
- [1]. See Medical Records: A Lawyer’s Guide to Records Retrieval, Clio. Retrieved at https://www.clio.com/resources/personal-injury-for-lawyers/medical-records/.
- [2]. Anne Flitcroft, Responding to a Subpoena for Medical Records or Deposition, Washington State Medical Association (April 16, 2024). Retrieved at https://wsma.org/Shared_Content/News/Latest_News/2024/responding-to-a-subpoena-for-medical-records-or-deposition.
- [3]. See Samuel Strom, What Is a Subpoena? FindLaw (Last reviewed September 20, 2023). Retrieved at https://www.findlaw.com/litigation/going-to-court/what-is-a-subpoena.html.
- [4]. Jeanne Varner Powell, HIPAA Compliance When Responding to Subpoenas for Medical Records, Mutual Insurance Company of Arizona (September 25, 2023). Retrieved at https://www.mica-insurance.com/blog/posts/hipaa-compliance-when-responding-to-subpoenas-for-medical-records/.
- [5]. Ramirez v. World Oil Corp., 2021 Cal. Super. LEXIS 1345, *6-7 (Ca. Sup. Los Angeles, March 1, 2021), citing Britt v. Superior Court, 20 Cal.3d 844, 855-56, 143 Cal. Rptr. 695, 574 P.2d 766 (Cal. 1978). See Christensen v. City of San Diego, 2021 Cal. Super. LEXIS 82584, (Cal. Sup. San Diego June 30, 2021)
- [6]. Williams v. Superior Court, 3 Cal.5th 531, 220 Cal. Rptr. 3d 472, 398 P.3d 69 (Cal. 2017).
- [7]. Williams, at 532.
- [8]. Williams, at 533, citing Hill v. National Collegiate Athletic Assn., 7 Cal.4th 1, 35, 26 Cal. Rptr. 2d 834, 865 P.2d 633 (Cal. 1994).
- [9]. Britt v. Superior Court, 20 Cal. 3d 844, 862, 143 Cal. Rptr. 695, 706, 574 P.2d 766, 777 (Cal. 1978).
- [10]. Id. See generally Gregory M. Duckett and Janelle Burns, Responding to Subpoenas for Medical Records: In Compliance with HIPAA, 39 Tenn. B.J. 18 (May 2003).
- [11]. Id. See Samuel D. Hodge, Jr., An Attorney’s Guide to Understanding Medical Records in the Digital Age, 58 Tort & Ins. L.J. 65 (Winter 2023).
- [12]. See Simek v. Superior Ct., 117 Cal. App. 3d 169, 174, 172 Cal. Rptr. 564 (Cal. App. 1981). See also Maya v. Amway Corp., 2021 Cal. Super. LEXIS 79334, *1-2 (Cal. Super. Orange Cnty., February 22, 2021)
- [13]. See Will Kenton, What Is a Subpoena? How It Works, How They’re Used, and Types, Investopedia (Updated February 20, 2024). Retrieved at https://www.investopedia.com/terms/s/subpoena.asp.
- [14]. Andrew Zellers, How do Subpoenas for Medical Records Work? Chart Request (October 26, 2021). Retrieved at https://chartrequest.com/how-do-subpoenas-for-medical-records-work/
- [15]. U.S. Department of Health & Human Services,Office for Civil Rights (OCR). FAQ 711 May a Covered Entity That is not a Party to a Legal Proceeding Disclose Protected Health Information in Response to a Subpoena, Discovery Request, or Other Lawful Process That is not Accompanied by a Court Order? Retrieved at https://www.hhs.gov/guidance/document/faq-711-may-covered-entity-not-party-legal-proceeding-disclose-protected-health.
- [16]. Liam Johnson, HIPAA Subpoena for Medical Records: What You Need to Know, The HIPAA Guide (December 1, 2023). Retrieved at https://www.hipaaguide.net/hipaa-subpoena-for-medical-records/.
- [17]. Johnson, supra. See, e.g., Ramirez v. Myerly, 2023 Cal. Super. LEXIS 107168, *6 (Cal. Sup. Orange County December 21, 2023)
- [18]. Flitcroft, supra. See, e.g., Oirya v. Mando Am. Corp., No. 3:19-cv-635-ECM-CWB, 2023 U.S. Dist. LEXIS 106254, at *9 (M.D. Ala. June 20, 2023).
- [19]. HIPAA Compliant Document Sharing: How to Send Medical Records Electronically, Compliance Group (March 31, 2023). Retrieved at https://compliancy-group.com/hipaa-compliant-document-sharing/.
- [20]. Sara Berg, What Doctors Wish Patients Knew About Using a Patient Portal, AMA (June 17, 2022). Retrieved at https://www.ama-assn.org/practice-management/digital/what-doctors-wish-patients-knew-about-using-patient-portal.
- [21]. Kamran Shafii, How to Fax Medical Records: Tips for HIPAA Compliance, eFax (July 22, 2024). Retrieved at https://www.efax.com/blog/how-to-fax-medical-records.
- [22]. Flitcroft, supra.
- [23]. U.S. Department of Health & Human Services. HIPAA Guidance: May a covered entity charge individuals a fee for providing the individuals with a copy of their PHI? Retrieved at https://www.hhs.gov/hipaa/for-professionals/faq/2024/may-a-covered-entity-charge-individuals-a-fee/index.html.
- [24]. See, e.g., Petty v. Bluegrass Cellular, No. 3:19-CV-00193-RGJ-LLK, 2021 U.S. Dist. LEXIS 64853, at *3 (W.D. Ky. Apr. 2, 2021); Pugh v. Heartland Express, 2023 Cal. Super. LEXIS 58319, *1-2 (Cal. Sup., Los Angeles August 14, 2023).
- [25]. Motion to Quash, Legal Information Institute Retrieved at https://www.law.cornell.edu/wex/motion_to_quash.