Last year, a mid-size orthopedic practice in the Southeast received a medical records subpoena from an attorney involved in a personal injury lawsuit. The office manager, assuming a subpoena carried the same weight as a court order, released the patient's full treatment history within 48 hours — without notifying the patient or verifying that a protective order was in place. That single disclosure triggered a HIPAA complaint, an OCR investigation, and ultimately a corrective action plan that consumed months of staff time and legal fees.

This scenario plays out more often than most healthcare organizations realize. A medical records subpoena does not automatically override HIPAA's Privacy Rule, and responding incorrectly can put your covered entity at serious regulatory risk.

What HIPAA Actually Says About a Medical Records Subpoena

The Privacy Rule at 45 CFR § 164.512(e) governs disclosures of protected health information in response to judicial and administrative proceedings. It draws a sharp line between two types of legal demands: court orders and subpoenas.

A court order signed by a judge authorizes disclosure of the specific PHI described in the order. Your organization may rely on the order itself as the legal basis for releasing records.

A subpoena — whether issued by an attorney, a court clerk, or an administrative body — is not a court order. Under HIPAA, you cannot release PHI in response to a subpoena alone unless one of two additional conditions is met:

  • The requesting party provides satisfactory assurances that the individual whose records are sought has been given adequate notice, along with time to object.
  • The requesting party provides satisfactory assurances that a qualified protective order has been sought or obtained.

If neither condition is satisfied, your covered entity must not release the records — regardless of the deadline printed on the subpoena.

Satisfactory Assurances: What Counts and What Doesn't

OCR has made clear that "satisfactory assurances" is not a vague standard. Under 45 CFR § 164.512(e)(1)(ii), the party requesting PHI must provide either written evidence that the patient received notice (including enough information about the proceeding to file an objection) or a signed stipulation or court filing showing a protective order was pursued.

In my work with covered entities, the most common mistake is accepting a subpoena accompanied only by a cover letter from an attorney claiming the patient "has been notified." That letter alone rarely qualifies as satisfactory assurance. You need documentation — a copy of the notice sent to the patient, proof of service, and evidence that the objection period (typically 10-14 days, depending on jurisdiction) has elapsed without objection.

If the documentation is incomplete, your organization should not release the records. Instruct your staff to respond to the requesting party in writing, specifying exactly what additional documentation is required before disclosure can proceed.

When Your Organization Must Seek the Protective Order Itself

If the requesting party fails to provide satisfactory assurances and your state law permits it, your covered entity has the option to seek a protective order on its own. In practice, this is rare because of the expense involved. However, some healthcare organizations build this process into their legal workflows for high-profile cases or sensitive records involving mental health, substance abuse, or HIV status — areas where additional federal and state protections layer on top of HIPAA.

The Minimum Necessary Standard Still Applies

Even when all conditions for disclosure are met, HIPAA's minimum necessary standard at 45 CFR § 164.502(b) requires your organization to limit the PHI disclosed to only what is reasonably necessary to fulfill the subpoena's scope. If a medical records subpoena requests "all records" for a patient, do not blindly produce the entire chart.

Review the subpoena language carefully. If it relates to a knee injury from a specific accident, billing records for an unrelated psychiatric evaluation should not be included. When the scope is genuinely ambiguous, consult legal counsel before producing documents.

Workforce Training Gaps That Create Liability

Healthcare organizations consistently struggle with subpoena response because the people who receive these documents — front desk staff, health information managers, office administrators — are often the least trained on HIPAA's judicial proceeding requirements. General HIPAA awareness sessions rarely cover the nuances of 45 CFR § 164.512(e).

Your workforce training program should include scenario-based modules on responding to legal demands for PHI. This goes beyond checking a box for annual compliance. Organizations that invest in comprehensive HIPAA training and certification equip their teams to distinguish between a subpoena and a court order, verify satisfactory assurances, and escalate appropriately before records leave the building.

Build a Subpoena Response Protocol Before You Need One

Every covered entity should maintain a written procedure for handling legal requests for medical records. At a minimum, your protocol should include:

  • Intake and logging: Record every subpoena received, including date, requesting party, patient name, and deadline.
  • Legal review trigger: Define when in-house counsel or outside attorneys must be consulted — ideally before any records are released.
  • Satisfactory assurance checklist: Create a standardized checklist that maps directly to the requirements of 45 CFR § 164.512(e)(1)(ii).
  • Patient notification: If your organization is responsible for notifying the patient (varies by jurisdiction), document every step.
  • Minimum necessary review: Assign a qualified reviewer — typically an HIM professional or privacy officer — to scope the production.
  • Release documentation: Retain copies of everything released, the legal basis for disclosure, and all correspondence with the requesting party.

This protocol should be part of your organization's broader HIPAA compliance program. If your team hasn't revisited its policies recently, HIPAA Certify's workforce compliance platform can help you assess gaps and bring your documentation up to current standards.

State Law Complications You Cannot Ignore

HIPAA sets the federal floor, not the ceiling. Many states impose additional requirements for responding to a medical records subpoena. For example, some states require the covered entity — not the requesting party — to notify the patient before any disclosure. Others impose stricter timelines or additional protections for records involving substance use treatment (42 CFR Part 2), mental health, or genetic information.

When state law is more protective than HIPAA, the stricter standard controls. When state law is less protective, HIPAA preempts. This analysis must be part of your subpoena response workflow, and it reinforces why legal review should never be optional.

OCR Enforcement and the Real Cost of Getting It Wrong

OCR investigations arising from improper subpoena disclosures often result in corrective action plans that mandate policy revisions, staff retraining, and ongoing monitoring for one to three years. In cases involving willful neglect — such as knowingly releasing records without verifying satisfactory assurances — civil monetary penalties under the HITECH Act's tiered structure can reach $50,000 per violation, up to $1.5 million per calendar year for identical provisions.

Beyond OCR, patients whose records are improperly disclosed can pursue state-level causes of action. The reputational harm alone can erode patient trust in ways that no corrective action plan can reverse.

Responding to a medical records subpoena correctly is not about obstructing legal proceedings — it's about fulfilling your obligation to safeguard protected health information while complying with the law. Build the protocol, train your workforce, and never treat a subpoena as a blank check for disclosure.