Doctors in private practice don’t expect to deal with a lot of legal paperwork beyond standard consent forms and HIPAA disclosures, but there’s always the chance you could be served with a subpoena for medical records. If you do get served, it’s important to understand what your obligations are in the context of a legal proceeding, how to respond, and how to avoid HIPAA violations, lawsuits, or disciplinary action if you make a mistake.
Physician-patient privilege is a legal concept that protects the confidentiality of medical records, but it is defined and limited by statute across various jurisdictions. This privilege is particularly relevant when responding to subpoenas, as it dictates the circumstances under which medical records may be disclosed.
Does a subpoena automatically mean you are in trouble? Hardly. A subpoena is a legal order that requires you to produce records, but it should not be confused with a summons. Most subpoenas that doctors encounter will be a subpoena duces tecum. That means that you are being asked to provide tangible evidence, rather than give testimony.
This blog will help you understand the legal frameworks and best practices to comply with confidence and protect patient privacy.
The phrase “subpoena duces tecum” is commonly used in legal and medical contexts. It’s pronounced:
/suh-PEE-nuh DOO-seez TAY-kum/
The literal Latin meaning is “bring with you under penalty.” It sounds intimidating, but in modern legal practice, it’s simply a legal command to produce documents or evidence.
A subpoena duces tecum is a type of subpoena that legally compels an individual or organization to produce documents, records, or evidence for a court case or legal proceedings.
Unlike other types of subpoenas (which may compel testimony), a subpoena duces tecum specifically requires the recipient to bring specified items, such as:
They can be used in both civil cases and criminal cases. A subpoena duces tecum can be issued by a court, an attorney (in jurisdictions that allow it), or an administrative agency. Noncompliance may result in legal penalties that arise from being held “in contempt of court.”
HIPAA (the Health Insurance Portability and Accountability Act) is a set of regulations establishing privacy protections for the disclosure of protected health information (PHI), and it sets the baseline for how to respond to a subpoena. It permits disclosure under certain conditions, such as when required by law (including subpoenas), but sets strict limits.
The most important part of HIPAA to adhere to when responding to a subpoena is the “minimum necessary” standard, which requires you to release only the part of the record that is directly relevant to the subpoena. Additionally, you must follow HIPAA’s rules for documentation and safeguards when sharing PHI, including tracking disclosures.
Some states have stricter privacy requirements than HIPAA, especially when it comes to mental health, substance use, or HIV/AIDS-related records. In those cases, state law may supersede federal law. This is called preemption, and it means that because the state’s protections are more stringent than HIPAA’s, you must follow the state standard.
Some states that impose more strict requirements are:
Physicians are still bound by professional ethical duties, even if doctor-patient privilege isn’t formally recognized in your state. The AMA Code of Medical Ethics mandates doctors protect patient information as a professional responsibility.
Physician-patient privilege is defined and limited by statute across various jurisdictions, and medical records are subject to mandatory reporting and subpoena in cases of suspicious injuries or mental/physical claims. In many cases, those obligations are overridden only by a valid court order or narrowly tailored subpoena, and even then, only the minimum necessary information should be disclosed.
In cases of civil action, physicians may be required to disclose patient information under a valid court order or narrowly tailored subpoena.
A subpoena duces tecum requires the receiver to produce specific documents or records, often patient files, while a standard subpoena (subpoena ad testificandum) typically compels someone to appear and testify. Understanding which type you've received will help determine if you need to prepare documentation, testimony, or both.
A subpoena requires someone to produce documents, such as medical records, or testify in court. A summons notifies someone that they are being sued or must appear in court to respond to legal action. While both are formal legal notices, a subpoena typically involves producing documentation or offering testimony concerning a third party in a case, whereas a summons initiates a lawsuit against the defendant receiving it.
A subpoena is typically issued by a court, attorney, or court clerk and requests testimony or documents. A court order, on the other hand, is signed by a judge and carries more legal weight. If you receive a court order, you must comply unless successfully challenged by your attorney.
Administrative subpoenas are issued from government agencies like the Department of Justice (DOJ), Centers for Medicare & Medicaid Services (CMS), or your state medical board. These subpoenas often have different rules and may be part of regulatory enforcement or fraud investigations.
Criminal matters usually require additional protections for patient records, especially in cases involving substance use, mental health, or HIV status. Responding to a criminal subpoena requires extreme care, and it’s usually best to consult with legal counsel before responding.
If you receive a subpoena from an attorney, always confirm that the request is legally valid and relevant. In many cases, you’ll need to verify that:
No, a subpoena does not mean you’re in trouble. Unlike a summons, a subpoena is almost always a request for you to provide information about a case that you may be tangentially related to, but are not a litigant or defendant in.
Hypothetically, if someone is suing their employer over a workplace injury, and you are their doctor or once provided medical care to the claimant, you may be subpoenaed to provide medical records or information to help determine whether the injury was indeed caused at the workplace or somewhere else, or whether it pre-existed.
Make sure the subpoena is directed at the correct party—whether that’s you personally, your clinic, or your records custodian.
Look for details like:
Do not respond to a subpoena before consulting an attorney. If you have reason to believe it might later involve a claim against you, you may also want to notify your medical malpractice carrier for guidance.
Subpoenas will include deadlines for producing records or appearing in court. These deadlines require compliance by a specified date, and failing to meet this deadline can result in serious consequences. If you need more time, your attorney may be able to request an extension.
Even if you plan to challenge the subpoena, you must preserve any documents that were requested. Avoid deleting, altering, or misfiling any related records.
If you receive a subpoena duces tecum requesting medical records, make sure that it is actually valid and properly served. While formats may vary slightly, a legitimate subpoena duces tecum requesting medical records typically contains:
Work with legal counsel to ensure the subpoena is narrowly tailored to the legal issue at hand. It is crucial to ensure that only relevant documents are requested and produced in response to a subpoena, as this helps in understanding a judgment debtor's financial situation and ensures fair play during legal processes. If the subpoena is too broad, vague, or irrelevant, your lawyer may be able to file a motion to limit it.
You may need to file a motion for a protective order if the subpoena compromises patient privacy or seeks more than what is legally justified. In some cases, sensitive details can be redacted or limited to an in-camera review by a judge.
Depending on your state, you may be required to notify the patient before releasing their records. In some cases, a signed HIPAA authorization is necessary. In others, a valid subpoena may be enough.
Once you’ve confirmed that the subpoena is valid, follow these compliance steps to ensure records are gathered, maintained, and transmitted legally and securely. Witnesses are obligated to produce evidence under subpoenas, and failing to do so can result in contempt of court and other legal consequences.
Pull the complete records from your EHR system or paper files. Verify that what you’re producing matches what the subpoena asks for. Ensure that the patient name and information match the subpoena, and that you are disclosing only the narrowest interpretation of what the subpoena is asking for. If in doubt, consult with an attorney. Ensure that staff know who may produce records for a subpoena and what the process is.
It’s important to maintain a documented chain of custody to show that the records haven’t been altered or mishandled, especially in criminal cases. Having a clear process is essential, and ensuring it is closely followed and each step documented will provide you and your office cover if an audit log is requested.
Deliver the records securely, either by certified mail, secure courier, or encrypted transfer. The subpoena may specify how the records are to be delivered. Personal delivery is one of several methods through which a subpoena can be served to an individual. To ensure compliance, follow directions explicitly. Keep proof of delivery, and retain a complete copy for your own records.
Subpoenas may request electronic records as well as metadata from electronic health records, including audit trails or access logs. To ensure that you’re able to comply, train someone on your staff on how to access EMR metadata, and ensure that all electronic records are up to date, accessible, and correct.
HIPAA requires that you log any disclosures of patient information made in response to legal requests. Document the date, recipient, and what was shared. Any additional records, such as certified mail receipts, confirmation of receipt of electronic records, or other records that relate to the handling and delivery of materials should be retained as well.
Yes, in some circumstances it may be possible to get out of a subpoena. Since it is a legal document, you can’t just ignore it, but there are a few legal options available if you have objections to the subpoena.
These records are protected by stricter federal rules. You’ll usually need a specific court order that explicitly authorizes disclosure under 42 CFR Part 2.
Psychotherapy notes are given special status under HIPAA and often require a court order for release. Be sure you understand the difference between general mental health notes and psychotherapy process notes.
Many states have laws requiring patient consent or additional authorization before disclosing HIV-related information.
The Genetic Information Nondiscrimination Act (GINA) limits how genetic data can be used or shared.
Being subpoenaed doesn’t always come with compensation, but it might. If you’re providing testimony as a treating physician, you may receive a small witness fee. If you’re testifying as an expert, your time is more valuable and you’re generally entitled to charge for it.
Failing to obey a subpoena can result in contempt of court charges, financial penalties, and disciplinary actions from your licensing board. In practice, you could face censure, fines, and risks to your medical license if you fail to comply.
If you share too much, or the wrong information, you may face HIPAA violations and penalties from the Office for Civil Rights (OCR). Remember that almost everything that happens in a court of law becomes public record, so it is always best to err on the side of caution when divulging patient information.
Improper handling of subpoenas can damage your reputation. Patients need to know that they can rely on a doctor’s medical discretion. If medical information is mistakenly released into public record via a court of law, it may substantially impact your ability to retain and attract new patients, as well as your ability to seek employment.
If a privacy breach harms a patient, whether intentional or not, you could face malpractice claims or professional liability. Malpractice insurance may cover legal fees, but only if you followed correct protocols. Check with your insurance provider to understand the specifics of your policy and to help guide your response to a subpoena.
Being proactive can reduce the stress and risk of dealing with subpoenas when they arise. Here are best practices to put in place before a subpoena ever arrives. Many jurisdictions have specific requirements for reporting certain injuries or cases that may suggest criminal activity.
Create written protocols for how to receive, triage, and respond to subpoenas. Train your front desk, medical records team, and clinicians so they understand how to receive a subpoena, who to notify, and what procedures to follow to release information. It is important to understand the role of a process server, an authorized individual who delivers legal papers, in serving subpoenas. No action should be taken by your staff until you have had a chance to consult with an attorney, and then only at your sole direction. No records should be released by anyone but you, after review by an attorney.
Make sure your patient records are as detailed as possible, that all patient personal information is correct, and the information is easily accessible in a timely manner. Make sure you follow state and federal requirements for how long to keep records. Destroy old records securely, in accordance with professional best practices.
Set internal guidelines for who responds to attorney calls, how subpoenas are routed, and how to escalate urgent matters. There should be a clear process for how they are handled, and everyone who may interact with the process, from the front desk to clinicians to legal counsel, should know their role. Ensure that all staff know that only those explicitly designated may respond to attorneys or court officers.
Establish a relationship with a healthcare attorney and make sure you have a game plan for how to handle receipt and preparation for a subpoena. This should include helping draft policies and response plans, and providing guidance for each step of the process, including signing off on final release of documents to ensure they reveal only the minimum requested information.
Log every subpoena received. Track how you handled it, when records were sent, and to whom. These documents should be as detailed as possible to document the process followed, the chain of custody for documents, the review processes, and the time and dates. Having a documented process for document handling will be invaluable if an audit trail is requested.
Example 1: DEA subpoena leads to physician termination
In 2020, Dr. T, an internal medicine physician, received a subpoena from the DEA requesting patient medical records during a federal investigation. Dr. T complied with the subpoena but failed to inform his employer, a large health system. The DEA later contacted the health system directly, resulting in Dr. T's termination for violating his employment contract. He sued for breach of contract and was awarded $2 million in damages.
Example 2: HIPAA violation for misdirected fax
A medical clinic mistakenly faxed a patient’s medical records—including sensitive HIV-related information—to the patient’s workplace instead of the intended healthcare provider. The incident triggered an OCR investigation and resulted in staff retraining and policy updates. This highlights the importance of verifying recipient details before disclosure.
Example 3: Psychotherapy notes in a custody dispute
In a New York custody case, a court was asked to review a parent’s psychotherapy notes. The judge determined that by raising mental fitness as a custody issue, the parent had partially waived confidentiality. The notes were reviewed privately by the judge before determining admissibility.
Here are answers to six common questions physicians ask about handling subpoenas.
During depositions, witnesses may be required to answer questions as part of the discovery process in preparation for a trial.
Subpoenas for medical records can be complex, but the most important steps to remember are: verifying the subpoena’s validity, understanding the differences among subpoenas, summonses, court orders, and HIPAA authorizations, and knowing when to consult legal counsel. Don’t forget that special caution is required when handing over sensitive records like mental health, substance use, and VA documentation, even if ordered by a subpoena. By following clear procedures, maintaining HIPAA compliance, and having internal protocols in place, you can protect both your practice and your patients.