Subpoena Gone Wrong: When PHI Is Shared Without Real Notice

Impermissible release of medical records

Subpoena Gone Wrong is a real-world scenario from your file. A lawyer mailed “notice” letters and then pushed for records anyway. Some letters even suggested sending full records by regular email. That creates compliance and security risk for everyone. So let’s unpack what the rules really say and how to fix the workflow.

What HIPAA actually says, in simple terms

HIPAA allows sharing PHI for lawsuits only if strict steps are followed. The rule is in 45 C.F.R. § 164.512(e). You must either give proper legal notice to the patient or get a qualified protective order. HHS explains “satisfactory assurances” in plain English: the requester must certify that notice was given or a protective order was sought, with proof attached. See HHS’s FAQ on subpoenas here.

Business Associates follow the same disclosure limits their Covered Entity follows. The contract rules live at 45 C.F.R. § 164.504(e) and the HHS overview is here. A BAA cannot give a BA more rights than the Covered Entity has.

“We sent a letter” is not a magic shield

A bare letter is usually not enough. The requester must show real efforts to notify the patient or to obtain a protective order. That proof should be written and specific. See the text of § 164.512(e) and the HHS examples that explain the “satisfactory assurances” standard. If you lack those assurances, do not disclose.

If someone lies about notice or misuses email to pull records, that can raise fraud concerns. You can read the federal mail and wire fraud laws at 18 U.S.C. § 1341 and § 1343. Talk to counsel if you see red flags.

Emailing records: what’s allowed and what’s risky

HIPAA allows email, but you must use safeguards. The Security Rule requires transmission security under 45 C.F.R. § 164.312(e)(1). HHS also confirms providers may email patients when they apply “reasonable safeguards,” and explains it in this FAQ here. Patients can request unencrypted email to themselves after being warned of the risks, but that exception does not cover routine transmission of full charts to lawyers or other third parties. Use secure portals or encrypted exchange for those.

Also remember the minimum necessary rule. Send only what is needed for the stated purpose. See 45 C.F.R. § 164.502(b) and HHS’s guidance on “minimum necessary” here.

State laws also count

HIPAA is a federal floor. States can add stronger rules and deadlines. Your policy should assume both HIPAA and your state law apply.

In California, the Confidentiality of Medical Information Act (CMIA) adds strict confidentiality duties. Florida’s breach law, FIPA § 501.171, sets fast notice timelines. New York’s SHIELD Act expands security obligations and broadens “private information.” Washington’s My Health My Data Act regulates consumer health data far beyond HIPAA. Nevada’s SB 370 adds consent and policy duties for “consumer health data.”

A note on new federal privacy developments

HHS finalized a reproductive health privacy rule in 2024. It added limits on using or disclosing PHI to investigate lawful reproductive care. See the final rule summary here and the Federal Register entry here. In June 2025, a federal court in Texas vacated that rule nationwide. Track this litigation closely with counsel.

Why this matters to patients and teams

For patients, a sloppy “notice” can move records without your knowledge. You can request an accounting of disclosures under § 164.528 and ask for corrections under § 164.526. You can also file a HIPAA complaint using HHS’s portal here.

For providers and Business Associates, shortcuts invite breaches and fines. The HHS breach portal shows many large incidents, and HHS describes breach reporting rules and timelines here. Train staff, verify legal process, and document decisions.

Cybersecurity trends raise the stakes

Healthcare remains a top target for cyberattacks. Use the HHS 405(d) program’s free resources, including HICP, to harden defenses. Start with the 405(d) Resource Library here and the HICP hub here. Map your controls to NIST SP 800-66r2, which is available here.

HHS has also proposed modernizing the Security Rule. The proposal highlights MFA, stronger encryption, and improved vendor oversight. Read the proposed rule here. Watch for updates before changing your policies.

What to do right now

If you’re a patient or legal representative:
Ask the requester what satisfactory assurances they provided. Ask who got your PHI and why. Request an accounting of disclosures under § 164.528. If needed, file a complaint with HHS here.

If you’re a provider or Business Associate:
Require documented assurances under § 164.512(e) before disclosing anything. Limit to the minimum necessary. Avoid unencrypted email to third parties; prefer secure exchange under § 164.312(e). Update your risk analysis using NIST 800-66r2 here and adopt 405(d) practices here.
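The provider checklist above, together with the email and minimum-necessary sections earlier, describes a release-of-information gate: verify § 164.512(e) assurances, refuse unencrypted delivery to third parties, trim to the minimum necessary, and document the decision. The following Python is an added example written for this page, not code from HHS or from any real ROI system; it shows how such a gate can collect every deficiency in a request before anything leaves the organisation and how to keep an entry for the accounting of disclosures. The request fields, the `SECURE_CHANNELS` set, the `SCOPE_BY_PURPOSE` map and all sample values are constructed for illustration and would be replaced by your own policy.

```python
"""Release-of-information gate for subpoena requests (added example, constructed policy)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

# Channels this (constructed) policy treats as meeting § 164.312(e)(1).
SECURE_CHANNELS = {"secure_portal", "encrypted_email"}

# Constructed purpose-to-scope map standing in for a real minimum-necessary policy.
SCOPE_BY_PURPOSE = {
    "personal_injury_claim": {"encounter_notes", "imaging_reports", "billing"},
    "workers_comp_claim": {"encounter_notes", "billing"},
}


class Assurance(Enum):
    NOTICE_TO_PATIENT = "written notice to the patient"
    PROTECTIVE_ORDER = "qualified protective order sought"


@dataclass
class SubpoenaRequest:
    request_id: str
    requester: str
    purpose: str
    requested_sections: set[str]
    delivery_channel: str
    assurance: Optional[Assurance] = None
    assurance_proof: Optional[str] = None        # written, specific certification attached
    recipient_is_patient: bool = False
    patient_accepted_unencrypted: bool = False   # documented risk warning plus patient request


@dataclass
class Decision:
    request_id: str
    approved: bool
    release_scope: set[str] = field(default_factory=set)
    findings: list[str] = field(default_factory=list)


def evaluate(req: SubpoenaRequest) -> Decision:
    """Run every check and collect all deficiencies, so the reply to the
    requester lists everything to cure instead of one item per round trip."""
    blocking: list[str] = []
    notes: list[str] = []

    # 1. § 164.512(e): a bare letter is not enough; require a stated assurance
    #    type and the written proof behind it.
    if req.assurance is None or not (req.assurance_proof or "").strip():
        blocking.append("no satisfactory assurances under § 164.512(e): certification "
                        "of notice or protective order with written proof is required")
    else:
        notes.append(f"assurance accepted: {req.assurance.value} ({req.assurance_proof})")

    # 2. § 164.312(e)(1): unencrypted email only for the patient's own records
    #    after a documented risk warning; never to lawyers or other third parties.
    if req.delivery_channel not in SECURE_CHANNELS:
        if req.recipient_is_patient and req.patient_accepted_unencrypted:
            notes.append("unencrypted delivery to patient honoured per documented request")
        else:
            blocking.append(f"channel '{req.delivery_channel}' is not acceptable for third-party "
                            "disclosure; use a secure portal or encrypted exchange (§ 164.312(e))")

    # 3. § 164.502(b): trim the request to what the stated purpose needs.
    allowed = SCOPE_BY_PURPOSE.get(req.purpose)
    scope: set[str] = set()
    if allowed is None:
        blocking.append(f"purpose '{req.purpose}' not recognised; cannot apply minimum necessary")
    else:
        scope = req.requested_sections & allowed
        trimmed = req.requested_sections - allowed
        if trimmed:
            notes.append("minimum necessary: withheld " + ", ".join(sorted(trimmed)))
        if not scope:
            blocking.append("nothing requested falls within the minimum necessary scope")

    approved = not blocking
    return Decision(req.request_id, approved, scope if approved else set(), blocking + notes)


def accounting_entry(req: SubpoenaRequest, decision: Decision, when: date) -> dict:
    """Entry for the accounting of disclosures (§ 164.528). Denials are kept too,
    so a patient asking who received their records sees the full history."""
    return {
        "date": when.isoformat(),
        "request_id": req.request_id,
        "recipient": req.requester,
        "purpose": req.purpose,
        "approved": decision.approved,
        "disclosed": sorted(decision.release_scope),
        "findings": list(decision.findings),
    }


if __name__ == "__main__":
    # Constructed sample matching the post: a "notice" letter with no proof
    # attached and a demand for the chart by regular email.
    bad = SubpoenaRequest("REQ-001", "Law Office (constructed)", "personal_injury_claim",
                          {"encounter_notes", "imaging_reports", "psychotherapy_notes"},
                          "plain_email", assurance=Assurance.NOTICE_TO_PATIENT, assurance_proof="")
    d = evaluate(bad)
    print(d.approved, d.findings)
    print(accounting_entry(bad, d, date(2025, 1, 15)))
```

The gate deliberately does not short-circuit: a request that fails the assurance check is still checked for channel and scope, so the written response to the requester (and the accounting entry) records every problem at once. Approval releases only the intersection of what was requested and what the stated purpose permits; a denied request releases nothing but is still logged.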

Quick law cheat-sheet (linked)

Sources you can share with your team

  • HHS summaries of the Privacy Rule and Security Rule.
  • NIST 800-66r2: Implementing the HIPAA Security Rule, PDF here.
  • HHS 405(d) HICP program and resources: program site and resource library.
  • HHS Breach Portal “Wall of Shame”: search it here.