The Florida Bar

Florida Bar Journal

Subpoenas Duces Tecum vs. HIPAA: Which Wins?

Health Law

The struggle between HIPAA’s privacy rules and subpoenas for “protected health information” (PHI) is an ongoing issue that needs to be resolved, and this article is intended to assist in that resolution. In this writer’s opinion, the Rules of Civil Procedure trump the privacy regulations of HIPAA once litigation has been initiated. While this article will refer to the Florida Rules of Civil Procedure, it is anticipated that the basic substance of these rules is universal enough to allow this information to be of use in multiple jurisdictions. Like Florida, most states have adopted some form of the Federal Rules of Civil Procedure.

Historical Background and Technical Requirements of Subpoenas For PHI
The filing of a civil lawsuit provides the mechanism for the issuance of subpoenas for witnesses and subpoenas duces tecum for the production of documents. As the Rules of Civil Procedure became more streamlined, the mechanics of issuing subpoenas moved from judges and clerks of court to attorneys, who are officers of the court. Under Rule 1.410, Florida Rules of Civil Procedure, the option exists for either an attorney of record or the clerk of court to issue a subpoena. Fla. R. Civ. P. 1.410(a) (2004).

• Service of the Subpoena Duces Tecum

Any person over the age of 18 who is a nonparty may serve a subpoena including the attorney involved in the case. Rule 1.410(c), Florida Rules of Civil Procedure. F.S. §48.021.

Mailing to a nonparty does not constitute service of the subpoena duces tecum.

A valid subpoena duces tecum must be served in the above manner. A lot of attorneys will mail or send by certified mail the subpoena duces tecum. Weighed against HIPAA regulations, that would suggest a valid service by applicable Rule of Civil Procedure. If the subpoena duces tecum has been served by a person over the age of 18, the proof of such service must be filed with the court by an affidavit of the person serving the subpoena duces tecum. Now all requirements have been met for a valid service of a subpoena duces tecum.

For the production of documentary evidence, a subpoena may “command the person to whom it is directed to produce the books, papers, documents or tangible things designated therein.” Fla. R. Civ. P. 1.410(c). A subpoena duces tecum must specify with reasonable particularity the documents sought to be produced. Vann v. State, 85 So. 2d 133, 136 (Fla. 1956). This requirement is met where identifiable categories of documents are stated, even if the precise identity of the document is unknown. Id.

Motion to Quash

The court, “upon motion made promptly and in any event at or before the time specified in the subpoena for compliance therewith, may. . . quash or modify the subpoena if it is unreasonable and oppressive.” Fla. R. Civ. P. 1.410(c). While the facts must clearly show the unreasonableness or oppressiveness of the subpoena, this determination is within the broad judicial discretion of the trial judge and a trial court’s order will not be overturned absent a clear showing of abuse of that discretion. Matthews v. Cant, 427 So. 2d 369 (Fla. 2d DCA 1983); Sunrise Shopping Center, Inc. v. Allied Stores Corp., 270 So. 2d 32 (Fla. 4th DCA 1972). Another ground for quashing a subpoena may be that it is too indefinite to permit an appropriate response. See Vann, 85 So. 2d at 136. A court may also condition the obligation to respond on the advancement of the costs of producing the books, papers, documents, or tangible things sought. Fla. R. Civ. P. 1.410(c). A party who successfully opposes a subpoena duces tecum may be awarded attorneys’ fees, but it should be noted that a nonparty witness who successfully quashes a subpoena duces tecum is not entitled to attorneys’ fees. Expeditions Unlimited, Inc. v. Rolly Marine Services, Inc., 447 So. 2d 453 (Fla. 4th DCA 1984).

The Purpose of HIPAA
Why was HIPAA enacted? The preamble to the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, states that HIPAA is an act “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936.

The issue of privacy was given special attention in the Administrative Simplification Regulations at 45 C.F.R. §§160, 164. The purpose of the privacy regulations, promulgated under Title II, Subtitle F, §§261-264 of HIPAA was threefold: first, to provide consumers of health care services with enhanced access to their information while controlling access that resulted in misuse; second, to improve the quality of health care by increasing trust in the health care system; and third, to create a nationwide framework for privacy protection consistent with efforts by states and other organizations thereby resulting in increased efficiency. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,461 (Dec. 28, 2000). Thus, the idea was to facilitate communications between patient and medical practitioner by providing some assurances that the patient’s medical information will not be freely disseminated. The rules in 45 C.F.R. §§160, 164 offer patients these assurances by enacting privacy standards that serve as the minimum permissible level of confidentiality. Because these standards represent a floor, states may enact privacy standards that are more stringent than found in the federal regulations.

Florida’s Medical Information Statute
Pursuant to F.S. §456.057(5)(a), a patient’s medical records may not be furnished to, nor may the medical condition of a patient be discussed with, anyone other than the patient, the patient’s legal representative, or other health care practitioners who are involved in the care or treatment of the patient, absent written authorization from the patient. F.S. §456.057(5)(a) (2003). However, several exceptions to the “prior written authorization” requirement are provided by §456.057(5)(a). The exception most pertinent to this discussion allows disclosure without written authorization in any civil action, unless otherwise prohibited by law, “upon the issuance of a subpoena from a court of competent jurisdiction and proper notice to the patient or the patient’s legal representative by the party seeking such records.” F.S. §456.057(5)(a)(3). Section 456.057(6) reiterates the confidential nature of information disclosed to health care practitioners by a patient during the course of care and treatment, and echoes the requirement that disclosure be accompanied by written authorization or be compelled by subpoena. F.S. §456.057(6). This subsection also carves out an exception to nondisclosure when the health care practitioner is, or reasonably expects to be, named as a defendant in a medical negligence action or administrative proceeding.

Thus, in a medical malpractice action, PHI may be obtained via three avenues:

1) From the health care practitioner or provider who is or reasonably anticipates becoming a defendant, in which case any information it already possesses is not clothed in the privilege of confidentiality;

2) With the patient’s consent; and/or

3) Pursuant to a subpoena that is issued and served after proper notice to the patient. Bradley v. Brotman, 836 So. 2d 1129 (Fla. 4th DCA 2003).

Although the Bradley court did not address the construction of HIPAA restrictions with Florida statutory law, the recent case of Lemieux v. Tandem Healthcare of Florida, 862 So. 2d 745 (Fla. 2d DCA 2004), did discuss the interplay of the HIPAA regulations, found at 45 C.F.R. §§160.203 and 164.512, with F.S. §456.057(6). The facts in Lemieux arose before HIPAA became effective, but the court, indictum, nonetheless addressed the issue of whether the federal regulations or the Florida Statutes should control the disclosure of PHI. The court concluded that while the Florida privacy provisions are procedurally less stringent than HIPAA requirements, they are substantively more rigorous and should therefore control in the event of a perceived conflict:

We note that the newly enacted privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), were not enforceable until April 14, 2003, almost two months after the trial court’s order in this case. Moreover, the HIPAA provisions preempt only those state privacy or privilege provisions that are less stringent than the HIPAA ones. See 45 C.F.R. §160.203 (2003). It appears that the HIPAA procedural requirements for disclosure are more stringent than those in Florida. Compare §456.057(6), Fla. Stat. (2002) (allowing disclosure of protected health care information to those entities falling within the statutory exceptions with no notice or opportunity to object), with 45 C.F.R. §164.512(e)(1)(iii) (2003) (allowing for disclosure of protected health information for litigation purposes only if the disclosing entity has provided written notice of its intent to disclose with sufficient time for the individual to object to the disclosure). However, the substantive provisions of section 456.057(6) are more stringent than those of HIPAA. Compare §456.057(6) (prohibiting disclosure of protected health care information except to entities falling within the four statutory exceptions) with 45 C.F.R. §164.512(e)(1)(i) (allowing disclosure of protected health care information to any third party as long as “satisfactory assurances” are provided). Because Florida’s substantive law on this issue is more stringent than HIPAA, Florida law controls and the HIPAA provisions would not alter the outcome.1

Lemieux, 862 So. 2d 745, 748 n.1; United States ex rel. Pogue v. Diabetes Treatment Centers of Am., 238 F. Supp. 2d 270 (D.D.C. 2002).

Thus, a reading of the statutes and regulations, together with interpreting case law, reveals that neither the Florida nor HIPAA privacy law demands a patient’s consent prior to disclosure of PHI during litigation as long as the procedural requirements of 45 C.F.R. §164.512 are met. Following the procedural safeguards will not only allow the party seeking the PHI to efficiently obtain the requested information, but also results in immunity from sanctions otherwise imposed for violating the confidentiality restrictions for the person providing the PHI.

Procedural Requirements for Subpoenas Duces Tecum
Rule 1.410, Florida Rules of Civil Procedure governs the issuance and service of subpoenas and provides for the penalty of contempt of court for failure to obey a properly served subpoena. Subpoenas may be issued either by the clerk of court or by any attorney of record in an action and may be issued for testimony before the court; for the production of documentary evidence; or for the taking of depositions, with or without the simultaneous production of designated books, papers, documents, or tangible things. Fla. R. Civ. P. 1.410(a), (b), (c), (e). The approved forms for subpoenas are found at Forms 1.910, 1.911, 1.912, 1.913, and 1.922, Florida Rules of Civil Procedure.

There are several variations on a subpoena duces tecum.

1) The person is commanded to appear at a location within the county and to bring the records which will be copied. Form 1.922(b), Florida Rules of Civil Procedure.

2) The witness has the option to furnish records instead of attending the deposition. The subpoena is issued by the clerk of the court. Form 1.922(a), Florida Rules of Civil Procedure.

3) The witness has the option to furnish records instead of attending the deposition. Issuance of subpoena is by the attorney of record. Form 1.922(c), Florida Rules of Civil Procedure.

4) The witness must appear and produce the records. Subpoena is issued by the attorney of record. Form 1.922(d), Florida Rules of Civil Procedure.

Florida’s Notice Meets HIPAA Requirements Rule 1.351
Of particular importance to this discussion is the notice requirement. A party who seeks the production of documents or tangible things from a nonparty witness must give all other parties (attorneys) to the action prior notice and an opportunity to object before service of the subpoena duces tecum. Fla. R. Civ. P. 1.351 (2004). Rule 1.351 specifies the procedure, and Form 1.921 is to be used as the approved format for the advance notice of production. Under Rule 1.351, notice of intent to serve a subpoena must be given to other parties (attorneys) at least 10 days before the subpoena is issued if service is by delivery, and 15 days before the subpoena is issued if the service is by mail. The proposed subpoena must be attached to the notice and must specify the time, place, and method of production, the name and address of the person to whom the subpoena will be directed, and identification of the items to be produced. The proposed subpoena must also state that the person upon whom it is to be served will have the right to object to the production.

Advance notice to other parties, generally through their counsel of record, allows a litigant whose PHI is sought to object to the production of the PHI. Notice to a party’s attorney constitutes notice to the party. If an objection is served within 10 days, the requested documents may not be produced absent court order obtained pursuant to Rule 1.310. Fla. R. Civ. P. 1.351(b). However, if no objection is made by a party, the subpoena may be issued by an attorney of record, or by the clerk of court, upon certificate of counsel that no timely objection has been received. Fla. R. Civ. P. 1.351(c). This procedure provides the patient/litigant with the advance notice and an opportunity to object safeguards contemplated by both the Florida Statutes and HIPAA. In the absence of an objection, consent is presumed and need not be expressly provided. F.S. §456.057(5)(a)(3) and (6); Privacy of Individually Identifiable Health Information, 45 C.F.R. §164.512(e)(1) (2003).

The holder of the PHI may nonetheless object to its production, out of concern for incurring liability or in the mistaken belief that disclosure is unlawful under HIPAA. Generally, providing the nonparty with a letter by the attorney who issues the subpoena to the nonparty with a copy of Rule 1.351 that the subpoena has been issued in compliance with Rule 1.351 reveals the notice was served on all parties and that no objections were made prior to the issuance of the subpoena will suffice to allay the nonparty’s concern. The nonparty still may object to the production of the medical records. The requesting party may then move to compel the production, and nonparties should be aware that if they unreasonably fail to comply with the subpoena, they may be held in contempt of court. Attorneys’ fees can be awarded for noncompliance. Fla. R. Civ. P. 1.310.

The person holding protected health information must realize that a failure to comply with a subpoena duces tecum results in sanctions against that person. The claim that HIPAA preempts a valid subpoena duces tecum is invalid. Any subpoena validly issued by inference is an order of a court, though not signed by a judge or a clerk of the court. The person holding protected health information should comply with the subpoena duces tecum as that person could have sanctions issued against him or her, including the payment of reasonable attorneys’ fees to all parties. In addition, the sanctions are immediate rather than HIPAA sanctions in that the individual may be compelled to appear before a court in a reasonably short time, which would probably require the hiring of an attorney to explain why a subpoena duces tecum was not honored. These are usually orders to show cause why a person should not be held in contempt. The subpoena which provides notice has the following warning: “If you fail(1) to appear, (2) furnish records (3) object, you may be in contempt of court.”

Protective Orders and “Business Associate” Agreements
Outside of the litigation context, HIPAA imposes stringent restrictions on the dissemination of PHI to a health care provider’s “business associates.” A “business associate” of one who holds PHI is, generally, any person or entity who performs a requested service for the practitioner that involves the use or disclosure of PHI which is not merely incidental. General Administrative Requirements, 45 C.F.R. §160.103 (2003). For example, a billing or collection service or a health care provider which must have the PHI in order to perform the contracted services would be considered a business associate. Id. In such situations, the holder of the PHI is required to enter into a “business associate contract” with the outside party in order to safeguard against the improper disclosure of the PHI to which it has access. 45 C.F.R. §164.502(e). The terms of this written agreement are governed by 45 C.F.R. §164.504(e). Among the assurance required in the agreement is the following:

At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

45 C.F.R. 164.504(e)(2)(ii)(I).
Unfortunately, some courts, intending to secure the safeguards for PHI required by HIPAA, have begun to impose similar restrictions in both general circuitwide orders and ad hoc protective orders. In particular, the author is familiar with protective orders requiring a party who obtains PHI that is not filed with the court to ensure that the PHI is returned to the provider or destroyed at the conclusion of the litigation, and that all PHI filed with the court be placed under seal. While a standard protective order specifying that disclosure of the PHI for any purpose other than the pending litigation would certainly be appropriate, the additional restrictions are impractical and likely violate Florida law.

Two common examples of routine litigation practices demonstrate the absurdity of requiring counsel of record to guarantee the destruction or return of all PHI not filed with the court. First, a party often retains more than one expert witness to review a case. If the expert’s review is dependent upon analysis of a patient’s medical records, that PHI must obviously be provided to the witness. The party may thereafter decide to use the witness as an expert, or all of the materials which were provided to the expert may not be admitted as evidence with the court. While the attorney can certainly condition retention of the expert on the latter’s assurance that he or she will not improperly disclose the PHI and will destroy the information at the conclusion of the case, the attorney cannot be a guarantor for another’s actions. Second, a deposition taken by an attorney in a multiparty medical negligence action generally includes PHI documents attached as exhibits. When the deposition is transcribed, all other attorneys of record will receive copies of the deposition together with its exhibits. Again, the attorney has no control over the manner in which the PHI is handled by the court reporter who transcribes the deposition or the other attorneys and/or their clients who received copies of the deposition. Suppose that an irate codefendant leaks information to a newspaper reporter, who then writes an article about the lawsuit detailing the patient/plaintiff’s past medical history. Would the opposing attorney be in contempt of court for the disclosure of this information, even though he or she had no control over its dissemination?

Public Domain
The traditional concept in American justice is that trials and judicial proceedings are open to the public unless there is a special need that either of the court proceedings be closed. There must be a very compelling reason for the closing of court proceedings or the exclusion of the public from a trial.

The requirement that all PHI filed with the court be placed under seal is similarly impractical and probably unlawful. both tradition and constitutional mandate, trials and judicial proceedings in this country are open to the public unless there is a very compelling reason for the proceedings to be closed. Similarly, evidence filed with courts and testimony given therein is part of the public record and may not be sealed except in extraordinary circumstances. See, e.g., Fla. Const. Art. I, §§23 and 24, providing that a Florida citizen’s right of privacy should not be construed to limit the public’s right of access to public records and meetings as provided by law, and that every person has the right to inspect any public record “made or received in connection with the official business of any public body”; the language specifically includes the judicial branch of government.

Fla. Const. §23, Right of Privacy, states: “This section shall not be construed to limit the public’s right of access to public records and meetings as provided by law.” Under §24, “Every person has a right to inspect or copy any public record made or received in connection with the official business of any public body, officer or employee of the state acting on their behalf.”

The sealing of all PHI filed with the court would place an impossible burden on the court system and would hamstring the presentation of evidence to a jury through expert and other witnesses, would potentially prevent news coverage of a trial, would hamper the ability of a clerk of court to prepare a record for appeal, and would create other difficulties limited only by one’s experience and imagination.

A patient/plaintiff who places his or her medical condition at issue in a lawsuit knowingly enters the public domain when the lawsuit is filed and waives the privacy protections of HIPAA and the Florida Statutes with regard to relevant PHI. Once the procedural safeguards of HIPAA and the Florida Statutes are met through the proper advance notice and issuance of a subpoena for the PHI, the patient’s consent is deemed to have been given or waived. Neither the holder of the PHI that is to be produced nor the court should be allowed to impose business associate restrictions on the receiving party as such are neither likely lawful nor practical in the litigation context. Following the Florida Rules of Civil Procedure should therefore facilitate a party’s efficient access to relevant PHI, without encountering additional HIPAA roadblocks.

It would appear that a qualified protective order would fly in the face of the Constitution of the State of Florida when a lawsuit has been filed.

In this author’s opinion, business associate’s agreements are not needed when a lawsuit has been filed. The proceedings are in the public domain. The right to privacy no longer exists because of the American concept that trials are open to the public.

How a Person is to Determine to Obey a Subpoena Duces Tecum
The crux of this argument is that the rule uses the term “may.” 45 C.F.R. §164.512(e). “May” is an optional term. The inference is that the disclosure may be made. Rule 45 C.F.R. 164.512(e) provides “a covered entity may disclose protected health information in the course of any judicial or administrative proceeding.” Does the subpoena duces tecum issued by an attorney meet the requirement of a judicial proceeding? The answer is “yes” because the action taken is part of a judicial proceeding. A complaint has been filed that is a judicial proceeding.

Permitted disclosures under 45 C.F.R. §164.512(e) are in response to a subpoena, a discovery request or lawful process that is not accompanied by an order of a court or administrative tribunal if reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information has been given notice. Obviously, if the individual who is a party to a lawsuit the notice requirement has been met, under Rule 1.351, protected health information must be delivered in response to the subpoena duces tecum.

Subpoena Duces Tecum of Nonparty for Trial
There is no requirement under 45 C.F.R. §164.512(e) to go to the second prong if the person is a party unless the attorney is issuing the subpoena for trial. This changes the equation since neither the party nor the nonparty will have notice of the issuance of a subpoena duces tecum. However, at the pretrial conference, witnesses will be listed. Thus, the custodian of the PHI under subpoena for trial will be listed and that is notice to the party. The careful attorney, when issuing the subpoena for trial, will include a witness list to demonstrate to the nonparty holding PHI that notice was given, as well as a copy of the pretrial order when the subpoena is served on the nonparty.

The Public Domain Theory in Practice
The plaintiff’s lawsuit for medical malpractice or any lawsuit that involves the issue of the health of a party to a lawsuit are perfect examples that there is no protected health information that cannot become public. A lawsuit involving a party’s health status or a medical malpractice case usually involves the plaintiff’s claim against a doctor or a hospital. The complaint is filed in circuit court. That filing of the case is a public record and cannot be destroyed. It is open to the public. The defendant may seek past medical history of the plaintiff. The defendant will also want such medical records to be reviewed by experts, and will also want current medical records to be reviewed by experts.

The point is that once a lawsuit is filed, protected health information is part of the public domain. In this author’s opinion, it is no longer subject to HIPAA that requires a business associate agreement or a circuitwide blanket “protective order” to be imposed upon counsel.

The idiocy of having counsel or trustee for protected health information in a lawsuit that is in the public domain becomes ridiculous. Would counsel, after the case is over, go to the clerk of the court and say, “I want to remove portions of the deposition and I will be responsible for this protected health information and I will destroy it.”? Does that mean an appellate court is now prohibited from writing in its opinion reference to portions of the medical record because of a blanket protective order?

1 The court miscited the “satisfactory assurances” provision of the regulations. Instead of 45 C.F.R. §164.512(e)(1)(i), the correct cite is 45 C.F.R. §164.512(e)(1)(ii).

John D. Buchanan, Jr., is the senior shareholder in the firm of Henry, Buchanan, Hudson, Suber & Carter, P.A. He concentrates in all facets of the health care field, including medical malpractice defense, medical staff problems, and issues involving professional review organizations, physician disciplinary actions, hospital contracting, and administrative law of the health care industry. Mr. Buchanan is a graduate of the University of Virginia and Washington & Lee University School of Law.
This column is submitted on behalf of the Health Law Section, Chet Barclay, chair.

Health Law