Health care providers and their medical records custodians constantly find themselves under pressure to release medical records immediately upon receipt of a subpoena. However, regardless of the subpoena or the pesky insistence of the requesting attorney, with the recent ruling by the Connecticut Supreme Court in Byrne v. Avery Ctr., 314 Conn. 433 (2014), health care providers’ responses to requests for medical records must be compliant with the Health Insurance Portability and Accountability Act (HIPAA) more than ever. To adhere to HIPAA regulations, health care providers must first receive “satisfactory assurances” that the person whose medical records are requested received notice of the request. While most subpoenas include some type of notice language, the Court outlined that to truly show “satisfactory assurances” the requesting attorney must have provided:
- Written notice to the affected individual;
- Sufficient information for the individual to raise an objection; and
- Time for the individual to raise an objection or confirm that there are no objections or that all objections have been resolved.
The requesting attorney may also provide “satisfactory assurances” that it has secured a protective order prior to the issuance of the subpoena. The Court said in its opinion that it is not enough for a subpoena to include a statement that a protective order WILL be filed or for it to include DRAFT language for a protective order. The appropriate protective order must be FILED with the court. Remember, there could also be other state laws that apply to protected health information and state laws that are even more restrictive than HIPAA when it comes to sensitive health information such as mental health treatment or sexually transmitted diseases.
Under this new opinion from the Connecticut Supreme Court, health care providers in Connecticut who fail to comply with HIPAA may be subject to patient lawsuits and possible state damages for negligence and emotional distress, in addition to a potential federal investigation for HIPAA violations.