Personal Health Records: PHRs and Subpoenas

Report home | Read the report (PDF) | Previous section | Next section


Health records, like just about any other record containing personal information held by a third party, can be subpoenaed under a variety of circumstances. For example, a consumer’s records could be sought in a tort suit (e.g., auto accident or medical malpractice), in a divorce or other family lawsuit, or sought if the records are relevant to someone else’s lawsuit. The rules governing subpoenas for health records are complex, and HIPAA includes some significant procedural protections.

In general – noting that there are some exceptions that are too complicated to list in the context of this analysis – if someone seeks to subpoena health records about a consumer from a covered entity, HIPAA requires the person seeking the records provide notice to the consumer. With that notice, the consumer has the chance to contest the subpoena, to argue that the request is too broad, to object that the records are not relevant, or to seek a protective order.

Unfortunately, the protections covering subpoenas of health records provided by HIPAA will not apply to PHRs (unless a covered entity operates the PHR). As a result, no law requires that a consumer receive a notice of a subpoena served on the PHR. Thus, the records in a non-HIPAA- covered PHR do not have the basic procedural protection provided by HIPAA for subpoenas. A non-HIPAA covered PHR company could potentially establish a privacy policy that requires it to give its customers notice of a subpoena, but a privacy policy can be changed at any time.

Another issue is that if a lawyer has a choice between subpoenaing a record from a physician or from a PHR vendor, the lawyer may find it easier to go to the PHR vendor. The PHR record may be centralized, include records from several providers, and be electronic — all features facilitating the sharing and the utility of the records. The PHR record may not always be as useful legally as the original physician’s record, however.

Still, notice for the subpoena is not a legal requirement for non-HIPAA covered PHRs, and the lawyer seeking the record does not have to worry that the physician will claim privilege or otherwise resist the subpoena. A health care provider may perceive a legal, ethical, or professional responsibility to protect a patient’s health record and resist a subpoena. A PHR vendor may have none of those responsibilities and is not likely to be willing to expend funds fighting subpoenas on behalf of a consumer. Some commercial PHR vendors may be willing to provide notice to a consumer even if not legally required, and a commitment to that effect is noteworthy.



Roadmap: Personal Health Records – Why Many PHRs Threaten Privacy: II. Discussion – PHRs and Subpoenas


Report home | Read the report (PDF) | Previous section | Next section