AMARILLO, TX – Assume that a DME supplier is a plaintiff, defendant, or witness in a civil lawsuit. Assume that the supplier receives a subpoena from a party to the lawsuit…and assume that the subpoena asks for a patient’s file. How should the supplier respond? First, it should be noted that the subpoena is not a court order; rather, it is a request by an attorney for the patient files.
The DME supplier is a “covered entity” under HIPAA. Patient files constitute “protected health information” (or “PHI”). A covered entity can disclose PHI only if certain conditions are met. And so the question becomes: How should the DME supplier respond to the subpoena?
Summary
If the party issuing the subpoena (“requesting party”) has provided the DME supplier with a written statement (with supporting documentation) that states that the requesting party has provided notice to the DME supplier’s patient, and the requesting party did not receive any objection from the patient, then disclosure is likely appropriate. Alternatively, if the requesting party secured a protective order from the court and has notified the supplier of the protective order (and so long as certain requirements are met), then disclosure may also be appropriate. If neither of the above two options have been met, then the DME supplier may either: (1) obtain a protective order from the court and then disclose the PHI; (2) enter into a stipulated agreement with the requesting party for a protective order and then disclose the PHI; or (3) object to the subpoena on the grounds that it violates HIPAA and that the requesting party has not provided the necessary satisfactory assurances needed for the disclosure of PHI. Below is a more detailed explanation of the DME supplier’s options.
Legal Analysis
The general privacy rule under HIPAA is that a covered entity may not use or disclose PHI without valid authorization by the individual whose PHI is being requested (in our example, the “patient”). See 42 CFR § 164.508(a)(1). HIPAA, however, does carve out certain exceptions to the general rule that allows a covered entity (such as a DME supplier) to disclose PHI without the written authorization of the patient. See 45 CFR § 164.512.
When a covered entity receives a subpoena for PHI, it may disclose the PHI if the requesting party has provided the supplier “satisfactory assurance” that the requesting party has made reasonable efforts to either: (1) ensure that notice about the request has been given to the patient or (2) secure a qualified protective order. Id. § 164.512(e)(1)(ii).
If the requesting party provided notice to the patient, “satisfactory assurance” means that the supplier must receive a written statement and accompanying documentation that demonstrates:
(A) That the requesting party made a good faith attempt to provide written notice to the patient;
(B) The contents of the notice included sufficient information about the lawsuit and that the patient may raise an objection in court to the use of his/her PHI in the suit; and
(C) The deadline for the patient to respond has passed and the patient did not object or if the patient did object, the objections were “resolved by the court . . . and the disclosures being sought are consistent with such resolution.” § 164.512(e)(1)(iii).
Thus, if the DME supplier did receive a notice that meets the requirements set forth above, then the discovery request for the PHI is proper and disclosure is appropriate.
The other method the requesting party may use to obtain PHI through a subpoena is by securing a qualified protective order pertaining to the PHI. § 164.512(e)(1)(ii)(B). In this case, the supplier must also receive “satisfactory assurances” from the requesting party that a qualified protective order has been secured. This includes sending a written statement and certain accompanying documentation to the supplier that a protective order was secured from the court or that both the supplier and the requesting party have agreed to the protective order and have filed it with the court. § 164.512(e)(1)(iv).
If the requesting party has not secured a qualified protective order for the PHI and also has not demonstrated any evidence that it has provided any notice to the patient subject to the PHI (including giving time for the patient to object to the disclosure), then the supplier has a few options on how it may proceed forward.
One option is that the supplier may file for a qualified protective order before the PHI is disclosed. To be considered a qualified protective order, the protective order must “prohibit the parties from using or disclosing the [PHI] for any purpose other than the [lawsuit] . . . and . . . requires the return to [the supplier] or destruction of the [PHI] (including all copies made) at the end of the [lawsuit].” § 164.512(e)(1)(v).
Another option is that both the supplier and the requesting party may enter into a stipulated agreement for a qualified protective order covering the PHI and then filing the agreement with the court. § 164.512(e)(1)(iv)(A).
The final option is that the supplier may object to the discovery request on the grounds that it violates HIPAA and that the requesting party has not provided the necessary satisfactory assurances needed for the disclosure of PHI.
AAHomecare’s Retail Work Group
The Retail Work Group is a vibrant network of DME industry stakeholders (suppliers, manufacturers, consultants) that meets once a month via video conference during which (i) an expert guest will present a topic on an aspect of selling products at retail, and (ii) a question and answer period will follow. The next Retail Work Group video conference is scheduled for August 8, 2019, at 11:00 a.m. Central. Mike Scarsella, Compass Health Brands, will present “Marketing ROI-Make Your Investment Measure Up.” Participation in the Retail Work Group is free to AAHomecare members. For more information, contact Ashley Plauché Manager of Government Affairs, AAHomecare ([email protected]).
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Texas. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or [email protected].