A paralegal calls your office on a Tuesday afternoon. She says she's sending over a subpoena for a patient's medical records and expects them by Friday. Your front desk staff starts pulling the chart. And right there — before a single page gets copied — your organization is about to walk into a HIPAA violation that could cost six figures.

So can I subpoena medical records? Yes, but HIPAA creates strict guardrails around how and when a covered entity can release protected health information (PHI) in response to a subpoena. Ignoring those guardrails doesn't just expose you to OCR enforcement. It exposes patients to real harm.

A Subpoena Is Not a Blank Check for PHI

Here's where most people — including attorneys — get this wrong. A subpoena is a legal instrument, but under HIPAA's Privacy Rule, it does not automatically authorize a covered entity to hand over medical records. The regulation draws a hard line between a subpoena and a court order. They are not the same thing.

A court order signed by a judge generally authorizes disclosure of the specific PHI described in the order. A covered entity can release records in response to a court order under 45 CFR § 164.512(e)(1)(i) without jumping through additional hoops — as long as the disclosure matches the scope of the order.

A subpoena issued by an attorney or court clerk, however, triggers additional requirements under 45 CFR § 164.512(e)(1)(ii). Before you release a single page, you need satisfactory assurance that one of two things has happened.

The Two Conditions You Must Verify

  • The patient received notice. The party requesting the records must provide satisfactory assurance that they made reasonable efforts to notify the patient, gave them enough information to object, and that either no objection was filed or any objection was resolved by the court.
  • A qualified protective order has been sought. Alternatively, the requesting party must show satisfactory assurance that they sought — or the parties agreed to — a qualified protective order. This order must prohibit the parties from using or disclosing the PHI for any purpose other than the litigation and require the return or destruction of the records when the case ends.

If neither condition is met, you cannot release the records. Full stop. I've seen practices hand over charts simply because a subpoena looked official. That's not how HIPAA works.

What Happens When Covered Entities Get This Wrong

OCR doesn't treat improper disclosures lightly. In 2011, Cignet Health of Prince George's County received a $4.3 million civil money penalty — the largest at that time — partly for failing to cooperate with an OCR investigation that stemmed from patient access and disclosure issues. While that case involved denial of access rather than subpoena response, it illustrates how seriously HHS treats PHI mishandling.

More practically, I've consulted with clinics that released records to a subpoena without verifying satisfactory assurance. The patient filed a complaint with OCR. The clinic had no documentation showing they'd verified either notice or a protective order. The investigation consumed months of staff time and legal fees, and resulted in a corrective action plan that required full workforce retraining.

Your staff needs to understand this process — not just your compliance officer. That's why organizations invest in comprehensive HIPAA workforce training that covers real-world scenarios like subpoena response.

This is the question I hear most often from attorneys, HR departments, and practice managers. The answer is nuanced.

Yes, HIPAA permits disclosure of PHI in response to a subpoena without the patient's written authorization — but only if the satisfactory assurance requirements under 45 CFR § 164.512(e) are met. The patient doesn't need to sign an authorization form. But they do need to have been notified (or a protective order must be in place).

This is different from a standard authorization under the HIPAA Privacy Rule. In judicial and administrative proceedings, the regulation carves out a specific pathway that bypasses the usual authorization requirement — as long as the procedural safeguards are followed.

State Laws Can Add More Restrictions

HIPAA sets the floor, not the ceiling. Many states impose stricter requirements for releasing medical records in response to a subpoena. Some states require patient authorization regardless of federal rules. Others restrict subpoena-based disclosure for sensitive categories like mental health, substance abuse, HIV/AIDS, or reproductive health records.

42 CFR Part 2 adds another layer for substance use disorder treatment records. Those records generally cannot be disclosed in response to a subpoena alone — you typically need a specific court order under Part 2's requirements, which are more restrictive than HIPAA's standard framework.

Before your organization responds to any subpoena, check both federal and state law. When in doubt, consult legal counsel.

The Step-by-Step Process Your Team Should Follow

I've helped dozens of practices build subpoena response workflows. Here's what works.

Step 1: Verify the Document

Confirm you've received an actual subpoena — not just a records request letter on legal letterhead. Identify whether it's a subpoena or a court order. This distinction determines your obligations.

Step 2: Check for Satisfactory Assurance

If it's a subpoena (not a court order), look for documentation showing the patient was notified or a qualified protective order was obtained. If neither is included, contact the requesting party and ask for it. Do not release records until you have it in hand.

Step 3: Scope the Disclosure

Release only the minimum necessary PHI responsive to the subpoena. HIPAA's minimum necessary standard applies here. If the subpoena asks for "all medical records," you still need to limit disclosure to what's reasonably relevant. Don't dump the entire chart.

Step 4: Document Everything

Log the subpoena, the satisfactory assurance you received, what records you released, the date, and the method of transmission. Under 45 CFR § 164.528, patients have the right to an accounting of disclosures, and subpoena responses must be tracked.

Step 5: Use Secure Transmission

Send records through secure means — encrypted email, secure fax, or tracked mail. Sending ePHI over unencrypted channels adds a breach notification risk on top of the disclosure issue.
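As an added illustration (not part of the original article, and not any vendor's or HIPAACertify's code), here is a small Python release-of-information gate that encodes Steps 1 through 5 the way a records system might enforce them: classify the document, require satisfactory assurance for a subpoena but not a court order, apply the 42 CFR Part 2 carve-out, intersect the requested categories with what counsel marked relevant (minimum necessary), refuse unencrypted transmission, and write an accounting-of-disclosures entry for 45 CFR § 164.528. The record categories, transmission method names and patient identifier are constructed placeholders; whether an assurance is adequate and which records are relevant remain determinations counsel makes and passes in as inputs.

```python
"""Release-of-information gate for subpoenas and court orders (illustrative)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional


class Process(Enum):
    COURT_ORDER = "court_order"  # signed by a judge: 45 CFR 164.512(e)(1)(i)
    SUBPOENA = "subpoena"        # attorney/clerk issued: 45 CFR 164.512(e)(1)(ii)
    LETTER = "letter"            # records request on letterhead: not legal process


@dataclass(frozen=True)
class Request:
    process: Process
    requested: FrozenSet[str]              # categories named in the document
    relevant: FrozenSet[str]               # categories counsel judged responsive
    notice_assurance: bool = False         # written assurance of patient notice
    protective_order_assurance: bool = False
    includes_part2_records: bool = False   # 42 CFR Part 2 SUD treatment records
    part2_court_order: bool = False


@dataclass(frozen=True)
class Decision:
    release: bool
    reason: str
    categories: FrozenSet[str] = frozenset()


def evaluate(req: Request) -> Decision:
    """Steps 1-3: legal process, satisfactory assurance, Part 2, minimum necessary.
    Denials are returned rather than raised so the reason can be logged and
    sent back to the requesting party."""
    if req.process is Process.LETTER:
        return Decision(False, "not a subpoena or court order; patient authorization required")
    if req.includes_part2_records and not req.part2_court_order:
        return Decision(False, "42 CFR Part 2 records require a Part 2 court order")
    if req.process is Process.SUBPOENA and not (
        req.notice_assurance or req.protective_order_assurance
    ):
        return Decision(False, "no satisfactory assurance under 164.512(e)(1)(ii)")
    scoped = req.requested & req.relevant  # minimum necessary: never the whole chart
    if not scoped:
        return Decision(False, "nothing responsive within scope")
    return Decision(True, "release permitted", scoped)


# Constructed names for the channels Step 5 allows; unencrypted email is absent on purpose.
SECURE_METHODS = {"encrypted_email", "secure_fax", "tracked_mail"}


@dataclass
class DisclosureLog:
    """Accounting-of-disclosures entries (45 CFR 164.528), one per response."""
    entries: List[dict] = field(default_factory=list)

    def record(self, patient_id: str, req: Request, decision: Decision,
               recipient: str, method: Optional[str], when: str) -> dict:
        # Step 5: a permitted release still fails closed on an insecure channel.
        if decision.release and method not in SECURE_METHODS:
            raise ValueError(f"refusing insecure transmission: {method!r}")
        assurances = [name for name, present in (
            ("patient_notice", req.notice_assurance),
            ("protective_order", req.protective_order_assurance)) if present]
        entry = {
            "date": when,                      # ISO date string supplied by caller
            "patient_id": patient_id,
            "process": req.process.value,
            "assurance": assurances,
            "released": sorted(decision.categories),
            "reason": decision.reason,
            "recipient": recipient,
            "method": method if decision.release else None,
        }
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    # Constructed example: subpoena arrives with no assurance attached.
    chart = frozenset({"visit_notes", "labs", "psychotherapy_notes"})
    relevant = frozenset({"visit_notes", "labs"})
    bare = Request(Process.SUBPOENA, chart, relevant)
    print(evaluate(bare))  # release=False until assurance is in hand
    cured = Request(Process.SUBPOENA, chart, relevant, notice_assurance=True)
    log = DisclosureLog()
    print(log.record("PT-PLACEHOLDER", cured, evaluate(cured),
                     "Requesting counsel", "secure_fax", "2024-01-02"))
```

The gate never decides what is "relevant" or whether an assurance is genuine; those are counsel's calls and arrive as inputs. What it does guarantee is that the front desk cannot skip a step: a subpoena without assurance, a Part 2 record without a Part 2 order, an over-broad scope, or an unencrypted channel each stops the release and leaves a log entry explaining why.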

Building this workflow into your compliance program starts with training. The HIPAA training catalog at HIPAACertify includes modules that walk staff through exactly these kinds of scenarios — subpoenas, court orders, law enforcement requests, and more.

What About Law Enforcement and Government Subpoenas?

Government agencies sometimes issue administrative subpoenas or civil investigative demands for medical records. HIPAA addresses these separately under 45 CFR § 164.512(f) for law enforcement and § 164.512(e) for judicial/administrative proceedings.

For administrative requests, the information must be relevant, specific, and limited in scope. De-identified information must be used if practicable. The request can't be overly broad. If a government subpoena doesn't meet these standards, you're not obligated to comply without pushing back.

I've seen small practices intimidated into releasing records to law enforcement without verifying the legal basis. That's a training failure, not a character flaw. Your workforce needs to know they have the right — and the obligation — to verify before disclosing.

The Real Risk Isn't the Subpoena — It's the Response

Most HIPAA violations tied to subpoenas don't happen because the subpoena itself was improper. They happen because the covered entity's response was sloppy. No verification. No documentation. No minimum necessary analysis. No secure transmission.

Every one of those failures is preventable with clear policies and consistent training. OCR's resolution agreements repeatedly show that organizations without documented training programs face harsher outcomes. A well-trained workforce is your first line of defense — not your legal department.

If your team hasn't been trained on how to handle subpoenas for medical records, you're operating on borrowed time. Visit the HIPAACertify training catalog and get your staff up to speed before the next subpoena lands on your front desk.

Quick Reference: Can I Subpoena Medical Records Under HIPAA?

  • A subpoena alone does not authorize a covered entity to release PHI.
  • You need satisfactory assurance of patient notice or a qualified protective order.
  • A court order signed by a judge has different (simpler) requirements.
  • Always apply the minimum necessary standard to any disclosure.
  • State laws and 42 CFR Part 2 may impose additional restrictions.
  • Document every step of your response process.
  • Train your entire workforce — not just your privacy officer.