JEA Q1 2020

Legal Lines

You’ve Been Served with a Subpoena … Now What?

By Robin Sheridan, JD, MILR

Regardless of whether it asks for the production of documents or for testimony, anyone served with a subpoena should always contact counsel. There are often specific rules that will affect the response depending on the subject matter (whether it is a criminal or civil proceeding) or the jurisdiction (state courts have different rules about disclosure of certain protected information). This article will discuss some general parameters so you know what to expect, and so you can ask the right questions when you receive a subpoena.

HIPAA
The first step is to understand whether you are subject to HIPAA. The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects the confidentiality and security of protected health information (“PHI”). Employee Assistance Plans (“EAPs”) that are covered entities and the EAP vendors that act as their business associates are subject to HIPAA.
Not all EAPs will qualify as covered entities, and consequently, the vendors they work with will not qualify as business associates. EAPs that themselves provide medical care, e.g. are staffed by licensed health care providers who assist employees with health issues, generally qualify as covered entity health plans subject to HIPAA.
However, EAPs that only provide referral services based on publicly available information generally are not considered to be providing medical care, are not health plans as defined by HIPAA, and therefore are not subject to HIPAA’s requirements. That said, even if HIPAA is not applicable to an EAP, the EAP is still subject to the requirements of other state and federal laws.

Protected Health Information (PHI)
HIPAA allows a covered entity to disclose PHI necessary to respond to a valid subpoena—whether requesting the production of documents or testimony—issued in the course of a judicial or administrative proceeding. This is so long as one of the following is true: 

* A valid patient authorization accompanies the subpoena;
* An order of the court or administrative tribunal accompanies the subpoena; or 
* The EAP or EAP vendor must have received satisfactory assurances from the party seeking the information that reasonable efforts have been made by such party to either give the subject individual notice of the request or secure a qualified protective order. 

Satisfactory Assurances
While the first two conditions listed above are easily ascertainable, the third one often presents challenges.
Satisfactory assurances that the subject has been provided notice of the subpoena relating to his or her EAP records requires that the requestor provide a written statement and accompanying documentation showing that the requestor made a good faith attempt to provide written notice to the individual at the individual’s known or last known address.
The notice must include sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal. Before producing any records or providing any testimony, the time for the individual to raise objections must have elapsed either without any objections or the resolution of all objections, and the disclosures must be consistent with such resolution.
A qualified protective order, with respect to PHI, means an order of the court or administrative tribunal, or a stipulation by the parties to the proceeding, that prohibits the parties from using or disclosing the PHI for any purpose outside the proceeding and that requires the return or destruction of the PHI (including all copies) at the end of the proceeding.
Satisfactory assurances with respect to a protective order requires that the requestor provide a written statement and accompanying documentation showing that a qualified protective order is in place, or the party seeking the PHI has requested a qualified protective order from the court or tribunal.
If the requestor does not provide such satisfactory assurances, then the EAP or its vendor may refuse to disclose the requested PHI or, before providing any responsive PHI, it must itself make reasonable efforts to provide adequate notice to the individual or to seek a sufficient qualified protective order.

Special Notice
Please note: HIPAA only sets the floor when it comes to security and confidentiality protections for PHI. If there is a more stringent state or federal law, meaning that the law offers PHI greater protection or offers the individual to whom the PHI pertains greater rights, that state or federal law will take precedence.
For example, some states do not permit the disclosure of medical records in response to a subpoena and instead require a signed patient authorization or a court order. In those states, a subpoena is insufficient to authorize PHI disclosure regardless of whether the process outlined in HIPAA is followed.
Additionally, there are often more stringent laws providing greater protection for particularly sensitive health information, such as information pertaining to minors, genetic testing results, HIV/AIDs or other STD records, behavioral and mental health records and records relating to alcohol, drug or other substance use disorders (“SUDs”).
For instance, federal regulations governing the disclosure of substance use disorder records require a signed patient authorization or court order for disclosure of such information and require the court to follow a particular process in issuing such an order. Those regulations additionally prevent any use of SUD records in certain types of proceedings for certain reasons. For EAPs that are not subject to HIPAA, these more stringent state and federal laws may still apply.
Finally, state and federal jurisdictions have rules of civil procedure that govern both the issuance of and response to subpoenas. Generally, these rules will be the same whether the subpoena is issued on behalf of the client, another interested party or an investigative body. Such procedural rules may afford additional protections for confidential patient information that the EAP must follow.
All EAPs should have policies and procedures in place to identify applicable laws and ensure compliance. Because the time for responding to subpoenas is often limited, it is a good idea to also identify in advance competent counsel to contact as soon as a subpoena is received.

Practical Takeaways
* If a subpoena is requesting particularly sensitive information, or if you believe there may be another law that restricts your ability to respond to the subpoena, counsel can assist with a preemption analysis, guide your response and assist in filing a motion to quash the subpoena, if necessary.

* Where a subpoena is requiring the appearance and testimony of a witness, the individual subpoenaed should still appear at the place, date, and time on the subpoena even if counsel will be arguing that the subpoena is invalid and that the witness is prevented from testifying under applicable law. 

* When responding to a subpoena, the EAP or testifying personnel should ensure that only that information necessary to respond to the subpoena is provided, such as only providing information regarding the requested individual, the identified dates of service, and the identified health issues. 

* If the EAP or provider feels that it is not in the best interest of the subject individual to disclose the information, the EAP should collaborate with counsel in making that argument to the appropriate court or administrative tribunal.

Editor’s note: The recommendations provided in this article are for educational purposes only and are not to be construed as actual legal advice. Always consult with a local attorney.

Robin M. Sheridan is an attorney with Hall, Render, Killian, Heath & Lyman, PC, the largest health care-focused law firm in the U.S. Contact Robin at (414) 721-0469, rsheridan@hallrender.com