Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Medical Privacy - National Standards to Protect the Privacy of Personal Health Information
Subpoenas and Discovery Requests

Last updated October 24, 2004



Background: The privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued regulations entitled "Standards for Privacy of Individually Identifiable Health Information" ("Privacy Rules"), applicable to entities covered by HIPAA. The compliance date for most entities covered by the Privacy Rules is April 14, 2003. The primary purpose of the Privacy Rules is to require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.

The regulations begin with the premise that "[a] covered entity may not use or disclose protected health information, except as permitted or required by [the regulations]." 45 C.F.R. § 164.502(a). The Privacy Rules, however, permit disclosures in response to an order of a court or administrative tribunal, and in response to a subpoena, discovery request, or other lawful process. Detailed and specific qualifications to these permitted disclosures are stated. In addition, disclosures are permitted for certain law enforcement and workers' compensation purposes.


Rules and Partial Regulatory History


Web Sites:


Federal Register Documents:


  • Dept. of Health and Human Services, Office for Civil Rights, Notice of Addresses for Submission of HIPAA Health Information Privacy Complaints, 68 Fed. Reg. 13711-12 (Mar. 20, 2003)

    Delegates to the Office for Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to the Privacy Rule.


  • Dept. of Health and Human Services, Office of the Secretary, Centers for Medicare & Medicaid Services, Final rule: Health Insurance Reform: Security Standards 45 CFR Parts 160, 162, and 164, 68 Fed. Reg. 8334-8381 (Feb. 20, 2003)

    Final rule implementing some of the requirements of the Administrative Simplification subtitle of HIPAA. Purpose is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.


  • Dept. of Health and Human Services, Office of the Secretary, 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information; Final Rule, 67 Fed. Reg. 53182-53273 (Aug. 14, 2002)

    Final rule implementing the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.


  • Standards for Privacy of Individually Identifiable Health Information; Proposed Rule, Modification: On March 27, 2002, the Secretary of Health and Human Services published proposed modifications to the regulations implementing Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Office for Civil Rights, HHS, Proposed rule; modification, Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, 67 Fed. Reg. 14775 (Mar. 27, 2002).


  • Standards for Privacy of Individually Identifiable Health Information; Proposed Rule: On November 3, 1999, the Secretary of Health and Human Services promulgated proposed regulations to implement Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996.
    Federal Register Notice: Health and Human Services, Proposed Rule, Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 through 164, 64 Fed. Reg. 59917 (Nov. 3, 1999)

Selected federal court decisions:


  • United States v. Sutherland, 143 F.Supp.2d 609, 612 (W.D. Va. 2001) (a blank subpoena issued by the clerk of the court to be completed later by the party seeking evidence is not an "order of the court" - thus, HIPAA requires that the subpoena be accompanied by satisfactory assurances; court applied then non-final HIPAA rules as reasonable conditions for the government's obtaining of certain subpoenaed medical records).


  • Hutton v. City of Martinez, 219 F.R.D. 164, 167 (N.D. Ca. 2003) (HIPAA does not preclude the production of medical records and workers' compensation files in response to either a discovery request, subpoena or court order under an adequate protective order).


  • Law v. Zuckerman, 307 F.Supp.2d 705 (D.Md. 2004) (HIPAA preempted Maryland state law which did not prohibit ex parte communication between a lawyer and the treating physician of an adverse party; how a court should treat a HIPAA violation during discovery or at trial is within the discretion of the court under FRCP 37; since plaintiff's attorney believed in good faith that the ex parte contact did not violate the law, no sanction would be imposed).


  • Crenshaw v. Mony Life Insurance Co., 318 F.Supp.2d 1015, 1027-30 (S.D. Ca. 2004) (insurer's attorney's ex parte communications with a non-treating physician is not prohibited by California law, but HIPAA places certain requirements on both the medical professional and the party seeking medical information in the course of administrative or judicial proceedings: defense counsel's ex parte communication violated HIPAA, which requires formal discovery and disclosure procedures; HIPAA does not address how to treat a violation that occurs during discovery or trial: court notes that Law v. Zuckerman used Rule 37 and that another court in a pre-HIPAA case had imposed sanctions under state law: in the instant case, the court found no ethical violation under the law of the attorney's state bar membership, and found that disqualification was too severe a sanction for what transpired, but ordered the defendant to produce the physician for deposition at its expense, and ordered no further ex parte communications prior to the deposition).

Selected ALJ decisions:


  • King v. IMC Global, 2003-LHC-2234 (ALJ July 29, 2004) (Purcell) (Claimant alleged that Respondent's attorney had an ex parte communication with a treating physician (who was also being tendered by the Respondent as an occupational expert) in violation of a HIPAA protective agreement prohibiting verbal communications with treatment providers; Claimant sought exclusion of deposition testimony; the ALJ excluded the deposition on other grounds, and did not reach the ex parte communication issue; the ALJ noted, however, that it was unclear that the alleged ex parte communication -- a conversation with the physician in preparation for a deposition -- was a prohibited communication under HIPAA).

Selected state decisions:


  • In re PPA Litigation (NJ. Super Ct Sept. 23, 2003) (unpublished) (defendants could not use New Jersey's informal process that permits a defendant attorney to interview a plaintiff's physician without the plaintiff's attorney present because the state's patient notification process did not comply with HIPAA).

Selected law reviews:


Johanna G. Averill, HIPAA Privacy Rules, 51 La. B.J. 280 (Dec. 2003/Jan. 2004)
  • Defense counsel must have a "Business Associate Agreement" with the covered entity before the attorney can access any protected health information
  • Non-business associate attorneys seeking protected health information have three options:
    • Individual authorizations
    • Subpoenas and discovery requests
    • Court or administrative tribunal orders
  • Authorizations, subpoenas and discovery requests must be accompanied by certain HIPAA-required assurances
  • Court orders do not need any special assurances


Clay J. Countryman, HIPAA and the Practice of Law, 52 La. B.J. 103 (Aug./Sept. 2004)
  • Common misunderstanding: covered entities do not know that HIPAA does not apply to healthcare information in workers' compensation cases
  • How to obtain protected health information in litigation from covered entity:
    • have the client ask to have the records sent to his attorney
    • have the subject individual complete a written authorization
    • no written authorization needed if court order, subpoena or other discovery request, or qualified protective order, with required assurances
  • if the covered entity is your client, you must have a "business-associate agreement". The agreement must cover further disclosures to potential witnesses, experts, litigation support personnel, etc. The sharing of information cannot exceed the agreement's terms. On the other hand, if the covered entity is not your client and you obtained the protected information through other means permitted by HIPAA, there are no restrictions on further disclosures.


Wirtes, Lambert & Gomez, An Important Consequence of HIPAA: No More Ex Parte Communications Between Defense Attorneys and Plaintiffs' Treating Physicians, 27 Am. J. Trial Advoc. 1 (Summer 2003)
  • Ex parte communications between defense attorneys and plaintiff's treating physician were still permitted, in some respects, in Alabama: HIPAA probably puts an end to that.


Dzik, Discovery of Medical Information After HIPAA: A Litigator's Guide, 91 Ill. B. J. 554 (Nov. 2003)
  • Concise overview of HIPAA's methods for obtaining records in litigation
  • Advises that court orders should be the last resort
  • Raises issue of whether court's copy of protected health information is exempted from HIPAA requirement that it be returned or destroyed at the end of the litigation
  • Best practice is to obtain authorization from the individual; should include provisions making it possible to use the information as evidence at trial
  • Advises to also be sure to cover disclosure in the form of testimony
  • Has sample HIPAA Qualified Protective Order and sample Authorization for Release of Health Information


Nagel, Litigation After HIPAA's Patient Privacy Regulations, 15 No. 5 Health Law 14 (ABA Aug. 2003)
  • Primer for lawyers seeking to disclose protected health information in court or administrative tribunals


Harrison, Discovery of Medical Records After HIPAA, 32 SUM Brief 30 (ABA Summer 2003)
  • Overview of discovery under HIPAA; addresses "administrative prelitigation process" (i.e., obtaining medical records prior to the involvement of a court)
  • States that the workers' compensation exception was only for "a party responsible for paying the benefits and to any agency responsible for handling the individual's claim. There is no express exception or provision for requests from attorneys representing workers' compensation claimants or litigants; responses on this issue during the Notice and Comment process make clear that attorneys must comply with either the authorization or subpoena provisions to obtain records in this context." (emphasis added)
  • States that HIPAA does not exempt medical examinations performed by a third party for the purpose of establishing the medical or health condition of a claimant in a civil or administrative action.


Duckett & Burns, Responding to Subpoenas for Medical Records in Compliance with HIPAA, 39 Tenn. B.J. 18 (May 2003)
  • Short article about a covered entity's obligation to obtain satisfactory assurances accompanying a subpoena


Gareeb, Practical Implications of HIPAA: How the Privacy of Personal Health Information Concerns Lawyers and Law Firms, 27 L.A. Law 12 (Apr. 2004)
  • Short article about implications for law firms, such as encryption of e-mail containing protected medical information, faxing, preventing discussion of cases outside the office without a valid business purpose, destroying drafts or reports to clients at conclusion of litigation, access control to the file room, etc.


Miller & Robertson, HIPAA? Huh? Discovery Medical Records in Oregon After HIPAA, 64 Or. St. B. Bull. 31 (Feb./Mar. 2004)
  • Short article on intersection of HIPAA and state privacy laws; sample cover letters for subpoenas