A process server just handed your front desk a subpoena demanding patient medical records. Maybe it arrived by certified mail, maybe it was left with your office manager between patients. Either way, you are now holding a legal document that carries consequences if you handle it incorrectly — in either direction. Produce the records without following the proper steps and you risk a HIPAA violation. Ignore the subpoena and you risk a contempt finding. The window to respond is measured in days, not weeks.
A Subpoena Is Not a Court Order — and the Difference Matters Enormously
The single most important distinction you need to understand immediately is the difference between a subpoena and a court order. HIPAA treats them very differently under 45 CFR 164.512(e), and confusing the two is one of the most common mistakes practices make.
A court order is issued by a judge. Under 45 CFR 164.512(e)(1)(i), you may disclose PHI in response to a court order — but only the specific PHI expressly authorized by the order. If the order says “treatment records from January through March 2025,” that is exactly what you produce. Nothing more.
A subpoena (or subpoena duces tecum) is typically issued by an attorney, not a judge. It carries legal weight, but it does not automatically authorize HIPAA disclosure. Under 45 CFR 164.512(e)(1)(ii), you may only disclose PHI in response to a subpoena if one of two conditions is met: either the requesting party provides satisfactory assurances that the patient has been notified and given time to object, or the requesting party has obtained a qualified protective order from the court.
Step-by-Step Response Protocol
Step 1: Identify What You Received
Read the document carefully. Determine whether it is a court order signed by a judge, a subpoena issued by an attorney, or an administrative subpoena from a government agency. Check the jurisdiction, the return date, and exactly what records are being requested. Note the case caption and parties involved — is your patient a plaintiff, defendant, or third party?
Step 2: Notify Your Privacy Officer
Your designated HIPAA Privacy Officer must be involved immediately. If you do not have a formal Privacy Officer designation, that is a compliance gap you need to address regardless of this subpoena. The Privacy Officer should coordinate the response and ensure every step is documented.
Step 3: Verify Satisfactory Assurances
If you received a subpoena (not a court order), you cannot release records until you have confirmed that the requesting party has either provided written notice to the patient with sufficient time to object (generally at least 14 days) and the patient has not objected, or obtained a qualified protective order from the court limiting how the disclosed information may be used. If neither condition is documented, you must object to the subpoena or refuse to produce the records until the condition is met.
Step 4: Limit Disclosure to the Minimum Necessary
Even when disclosure is authorized, the HIPAA minimum necessary standard applies. Produce only the specific records described in the subpoena or court order. Do not send the patient’s entire chart unless the document specifically requests it and you have confirmed the legal basis supports that scope. Redact information about other patients if records are intermingled.
Step 5: Document Everything
Create an accounting of the disclosure as required under 45 CFR 164.528. Record the date of disclosure, what was disclosed, to whom, and the legal basis. This entry must be available to the patient upon request for six years. File a copy of the subpoena or court order with your compliance records.
Special Situations That Complicate the Response
Substance Abuse Treatment Records (42 CFR Part 2)
If your practice provides substance use disorder treatment, 42 CFR Part 2 imposes stricter protections than HIPAA. Part 2 records generally cannot be disclosed in response to a subpoena alone — a court order with specific findings is required. The 2024 Part 2 final rule aligned some requirements with HIPAA, but the heightened protections for substance abuse records remain. If you are unsure whether records fall under Part 2, consult legal counsel before disclosing anything.
Psychotherapy Notes
Under 45 CFR 164.508(a)(2), psychotherapy notes receive special protection. They generally require specific patient authorization for disclosure and are not subject to the standard subpoena exceptions. A court order can compel production, but a subpoena alone typically cannot. Treat these records with extreme caution.
Minor Patient Records
State laws governing the confidentiality of minor patient records vary significantly. Some states require parental consent for disclosure; others grant minors independent privacy rights for certain types of care (reproductive health, mental health, substance abuse). Your response must comply with both HIPAA and applicable state law, and where state law is more protective, state law controls.
When to Involve Legal Counsel
You should involve an attorney experienced in healthcare law if the subpoena involves a malpractice claim against your practice, involves records protected by 42 CFR Part 2 or state mental health confidentiality statutes, requests an unusually broad scope of records, arrives from a jurisdiction where you do not practice, or if you have any doubt about whether the satisfactory assurances are adequate. The cost of a brief legal consultation is trivial compared to the cost of a HIPAA violation or a contempt finding.
Common Mistakes That Create Liability
- Producing records immediately without verifying assurances. A subpoena feels urgent, and the instinct is to comply quickly. But producing PHI without confirming that the patient was notified or a protective order was obtained is a HIPAA violation — even if the subpoena is otherwise valid.
- Sending the entire chart. The minimum necessary standard is not optional. If the subpoena requests treatment records for a specific date range, do not send billing records, referral letters, or records from other time periods.
- Failing to log the disclosure. Every disclosure must be recorded in your accounting of disclosures. Missing entries are a red flag during OCR audits.
- Ignoring the subpoena entirely. While you cannot blindly comply, you also cannot simply ignore a valid subpoena. If you believe the subpoena is deficient, file a timely objection or motion to quash through your attorney.
Building a Subpoena Response Policy Before You Need It
The worst time to figure out your subpoena response process is when you are holding the subpoena. Every practice should have a written policy that covers who receives legal process and how it is routed to the Privacy Officer, the verification checklist for distinguishing court orders from subpoenas, template language for objecting to deficient subpoenas, the minimum necessary review process, and accounting of disclosure procedures. This policy should be part of your broader HIPAA compliance program and reviewed annually. Staff who might receive legal process at the front desk should know not to promise production or provide records on the spot — their role is to accept the document and immediately route it to the Privacy Officer.
Conduct a risk assessment that includes legal disclosure scenarios. Practices that have thought through these situations in advance respond faster, make fewer mistakes, and maintain better documentation.
Can I refuse to comply with a subpoena for patient records?
You cannot simply ignore a valid subpoena, but you can and should object if the requesting party has not provided satisfactory assurances that the patient was notified or a qualified protective order was obtained. Under 45 CFR 164.512(e)(1)(ii), these are preconditions for HIPAA-authorized disclosure in response to a subpoena. If the conditions are not met, you should notify the requesting party of the deficiency and, if necessary, file a motion to quash through your attorney.
Does the patient need to consent before I release records under a subpoena?
Not exactly. HIPAA does not require patient consent for court-ordered disclosures. For subpoenas, the patient must have been notified and given the opportunity to object — but this notification obligation falls on the requesting party, not on your practice. Your obligation is to verify that the notification occurred or that a qualified protective order was obtained before you release any records.
What if a subpoena asks for records I believe are protected by stricter state law?
When state law provides greater privacy protection than HIPAA, the more protective standard applies. This is common with mental health records, substance abuse treatment records, HIV/AIDS records, and minor patient records. If you believe state law restricts disclosure beyond what HIPAA permits, consult legal counsel before producing the records and consider filing an objection to the subpoena citing the applicable state statute.
How long do I have to respond to a subpoena for patient records?
The return date on the subpoena specifies the deadline for production. If you need additional time to verify satisfactory assurances, conduct a minimum necessary review, or consult with legal counsel, contact the requesting attorney promptly to negotiate an extension. Courts generally grant reasonable extensions when a practice is acting in good faith to comply with HIPAA requirements. Do not wait until the return date to raise objections.