Protected Health Information: Providers Must Proceed with Caution

July 25, 2016

Medical records are a powerful weapon in the courtroom. They may reveal the extent of an individual’s injury in a personal injury case or substantiate the severity of an individual’s mental illness when that mental illness is being used as a defense. However, while using medical records in litigation can be a dream come true for litigators, it can be a nightmare for health care providers (“Providers”). Upon receiving a subpoena or other document requesting access to medical records, a Provider must determine whether he or she is required to release medical information or is prohibited from doing so under state and federal law. If a Provider improperly releases information, the penalty could be a hefty fine.

The Health Information Portability and Accountability Act (“HIPAA”) and its implementing regulations place constraints on the release of an individual’s protected health information (“PHI”) by Providers to litigants. 45 C.F.R. 164.512(e). Under HIPAA, there are four methods to obtain access to medical records for the purposes of judicial and administrative proceedings. Each of these methods is more fully explained below:

  1. Authorizations. Patient authorizations are a popular means of obtaining medical records from Providers because they are often the fastest and easiest means of obtaining the records. However, a Provider should not release PHI unless the patient authorization is HIPAA-compliant. In order to be HIPAA-compliant, the authorization must: (a) describe the information to be disclosed in a meaningful way; (b) state who is authorized to disclose the information; (c) state who is authorized to receive the information; (d) explain the purpose of each disclosure; (e) state the expiration date or event; (f) be signed and dated by the patient; (g) include a statement regarding the right to revoke and the potential for disclosure by the recipient; and (h) include a statement explaining that care, payment, or coverage is not conditioned upon authorization. 45 C.F.R. § 164.508
  2. Subpoenas and Discovery Requests. Under HIPAA, a Provider may release patient information in response to a subpoena or discovery request if the subpoena or discovery request is accompanied by an order of the court or administrative tribunal. If the subpoena or discovery request is not accompanied by an order of the court or administrative tribunal, then the Provider may only release a patient’s information if the Provider first receives satisfactory assurances from the party seeking the information that the patient has received notice of the request. In order to obtain valid satisfactory assurances, a Provider must receive a written statement and documentation demonstrating that the party requesting the information made a good faith attempt to provide written notice to the individual, the notice contained sufficient information to permit the patient to object, no objections were made, and the time for making objections has lapsed.
  3. Court Order. HIPAA allows Providers to disclose medical records in response to a court order or administrative tribunal. However, the Provider may only disclose the patient records or information “expressly authorized” by the order.45 C.F.R. § 164.512(e)(ii).
  4. Qualified Protective Order (“QPO”). A Provider may disclose records in response to a subpoena or discovery request that is accompanied with satisfactory assurances that the party requesting the records has made “reasonable efforts” to secure a QPO. A Provider must receive a written statement and documentation that the parties have agreed to a QPO and have presented it to the court or the party seeking the PHI has filed the QPO with the court. 45 C.F.R. § 164.512(e)(ii).


In addition to the restrictions imposed by federal laws like HIPAA, state law may impose additional restrictions on if and when providers may release patient information.

For example, Pennsylvania law protects the confidential relationship and communications between a psychiatrist or a licensed psychologist (collectively, “Professional”) and his/her client on the same basis as that provided for between an attorney and a client. 42 Pa.C.S.A. § 5944. Absent a client’s written consent, the Professional may not be examined in any civil or criminal matter as to any information acquired in the course of the Professional’s professional services on behalf of the client.

Moreover, in Pennsylvania, the Mental Health Procedure Act (“MHPA”) restricts the mental health information that Providers can disclose both with and without patient consent. 50 P.S. § § 7101-7503.

Providers may only release mental health records with patient consent if the consent meets a number of specific requirements, including;

  • a time limit on its validity, including starting and ending dates;
  • identification of the person to whom the records are to be released;
  • a statement of the specific purposes for which the released records are to be used;
  • a statement identifying the specific relevant and timely information to be released;
  • a place for the signature of the patient or parent or guardian and the date following a statement that the person understands the nature of this release;
  • a place for the signature of a staff person obtaining the consent of the client/patient or parent or guardian and the date;
  • a place to record a verbal consent to release of information given by a person physically unable to provide a signature and a place for the signatures of two responsible persons who witnessed that the person understood the nature of the release and freely gave his verbal consent; and
  • indication that the consent is revocable at the written request of the person giving consent, or oral request as noted above. 55 Pa. Code § 5100.34.

Providers may release patient information without patient consent to a court in the course of legal proceedings authorized by the MHPA (50 P.S. § 7111 (a)), or Providers may release relevant portions or summaries of a patient’s mental health record in response to a court order. 55 Pa. Code § 5100.32.

Please note that this post is only a brief summary and does not address all restrictions on the information that providers may release. There may be additional restrictions on providers based upon the state that they are in and the type of information to be released.