HIPAA and Subpoenas: When Can PHI Be Disclosed? (2026)

Receiving a subpoena for patient medical records puts healthcare providers, hospitals, and health plans in a difficult position. Federal law under HIPAA permits certain disclosures of protected health information for judicial and administrative proceedings, but only when specific procedural safeguards are met. Getting it wrong can result in a Privacy Rule violation, an OCR investigation, and civil monetary penalties.
This article breaks down exactly when and how PHI can be disclosed in response to subpoenas, court orders, and other legal process under the HIPAA Privacy Rule.
Court Orders vs. Subpoenas Under HIPAA
The HIPAA Privacy Rule draws a critical distinction between court orders and subpoenas. The two require different levels of safeguards before a covered entity can release PHI.
Court Orders (45 CFR 164.512(e)(1)(i))
When a court or administrative tribunal issues an order directing the disclosure of PHI, covered entities may comply by releasing the information. However, the disclosure is limited to the PHI expressly authorized by the order. A covered entity cannot treat a court order as a blank check to produce an entire medical record if the order only requests specific treatment notes or billing records.
A court order carries the authority of a judge or magistrate who has already evaluated the need for the information. Because of that judicial oversight, the Privacy Rule does not require additional safeguards like notice to the patient or a protective order.
Subpoenas Without a Court Order (45 CFR 164.512(e)(1)(ii))
Subpoenas issued by attorneys (rather than judges) present a different situation. These discovery subpoenas, subpoenas duces tecum, and similar lawful process instruments lack the judicial oversight that court orders carry. Before disclosing PHI in response to a subpoena not accompanied by a court order, the covered entity must receive "satisfactory assurances" from the requesting party.
This requirement exists because an attorney-issued subpoena does not involve a judge weighing the privacy interests of the patient against the need for the records.
The Satisfactory Assurances Requirement
Under 45 CFR 164.512(e)(1)(ii), a covered entity that is not a party to the litigation can disclose PHI in response to a subpoena only after receiving satisfactory assurances. The requesting party must demonstrate that one of two conditions has been met.
Option 1: Notice to the Individual
The requesting party provides a written statement and documentation showing that reasonable efforts were made to notify the individual whose PHI is being sought. According to HHS FAQ 706, the notice must include:
- Sufficient information about the litigation or proceeding
- A description of the information being requested
- The time and place to raise objections with the court or administrative tribunal
- Evidence that the time period for raising objections has elapsed and either no objections were filed or all objections have been resolved
The notice can go to the individual directly or to their attorney, as confirmed by HHS FAQ 707. If the individual has legal representation in the proceeding, notice to the attorney satisfies this requirement.
Option 2: Qualified Protective Order
As an alternative to individual notice, the requesting party can provide documentation that they have obtained, or are seeking, a qualified protective order. Under the Privacy Rule, a qualified protective order must:
- Prohibit the parties from using or disclosing the PHI for any purpose other than the specific litigation or proceeding
- Require the return or destruction of all PHI (including all copies) at the conclusion of the litigation or proceeding
The requesting party satisfies this requirement by showing either that the parties have agreed to a qualified protective order and presented it to the court, or that the requesting party has filed a motion seeking a qualified protective order from the court.
When the Subpoena Itself Serves as Satisfactory Assurance
HHS FAQ 708 clarifies an important practical point. If the subpoena itself, on its face, demonstrates that the individual received adequate notice, a separate written statement is not required. This applies when the subpoena shows that the individual is a party to the litigation, the individual or their attorney was served with the request, and the time for objections has passed without any being filed.
What Covered Entities Can Do on Their Own
A covered entity does not have to rely solely on assurances from the requesting party. Under 45 CFR 164.512(e)(1)(ii)(B) and (e)(1)(vi), the covered entity itself can take either of the following steps:
- Provide notice directly: The covered entity can send its own written notice to the individual, including the information required under the rule, and wait for the time period for objections to expire.
- Seek a qualified protective order: The covered entity can file its own motion for a qualified protective order before disclosing the records.
This option gives covered entities more control over the process, particularly when they are uncertain about whether the requesting party has actually met the satisfactory assurances standard.
The Minimum Necessary Standard
All disclosures of PHI for judicial and administrative proceedings remain subject to the minimum necessary standard under 45 CFR 164.502(b) and 164.514(d). Even when a covered entity has proper authorization to release records in response to a subpoena or court order, it must limit the disclosure to the minimum amount of PHI reasonably necessary to fulfill the request.
In practice, this means a covered entity should review the subpoena carefully and produce only the records specifically described. If a subpoena requests "all medical records" but the underlying case involves a specific injury or treatment period, the covered entity should consider whether producing the complete record truly meets the minimum necessary standard.
Grand Jury Subpoenas: A Different Framework
Grand jury subpoenas operate under an entirely separate provision of the Privacy Rule. Under 45 CFR 164.512(f)(1)(ii)(B), covered entities may disclose PHI in response to a grand jury subpoena without requiring satisfactory assurances, individual notice, or a qualified protective order.
The rationale is straightforward. Grand jury proceedings are conducted under strict judicial supervision and secrecy requirements. Federal Rule of Criminal Procedure 6(e) imposes secrecy obligations on all participants, providing built-in privacy protections that substitute for the satisfactory assurances otherwise required.
This means healthcare providers who receive a federal or state grand jury subpoena for patient records can comply without taking the additional steps required for civil litigation subpoenas. The disclosure is still limited to the information the grand jury subpoena specifically requests.
Law Enforcement Disclosures (45 CFR 164.512(f))
Beyond subpoenas and court orders, the Privacy Rule separately addresses disclosures to law enforcement under 45 CFR 164.512(f). These provisions cover situations outside of standard judicial proceedings.
Disclosures Required by Law
Covered entities must disclose PHI when required by a law that compels reporting. Mandatory reporting statutes for gunshot wounds, suspected abuse, or certain communicable diseases fall into this category.
Court Orders, Warrants, and Administrative Requests
Under 45 CFR 164.512(f)(1)(ii), covered entities can disclose PHI in response to:
- Court orders
- Court-ordered warrants or search warrants
- Subpoenas or summons issued by a judicial officer
- Grand jury subpoenas
- Administrative requests, including administrative subpoenas or civil investigative demands
For administrative requests specifically, the Privacy Rule imposes three conditions: the information must be relevant and material to a legitimate law enforcement inquiry, the request must be specific and limited in scope, and de-identified information could not reasonably serve the same purpose.
Limited Information for Identification Purposes
Law enforcement may obtain limited identifying information to locate a suspect, fugitive, material witness, or missing person. This is restricted to basic identifiers: name, address, date and place of birth, Social Security number, blood type, injury type, date and time of treatment, and a physical description. DNA analysis, dental records, and typing or tissue samples are excluded from this limited disclosure.
De-Identification as an Alternative
In some situations, covered entities can respond to legal requests by providing de-identified information rather than full PHI. Under 45 CFR 164.514, information qualifies as de-identified through two methods:
- Safe Harbor: Removing all 18 categories of identifiers specified in the rule, including names, geographic data smaller than a state, dates (other than year), phone numbers, email addresses, Social Security numbers, and medical record numbers.
- Expert Determination: A qualified statistical expert certifies that the risk of identifying any individual from the data is very small.
De-identified information is no longer considered PHI under HIPAA, and its disclosure does not trigger Privacy Rule requirements. The distinction also matters for breach reporting: a disclosure of properly de-identified data does not constitute a breach.
State Laws That Provide Stronger Protections
HIPAA sets a federal floor, not a ceiling. Under 45 CFR 160.203, when a state law is "more stringent" than HIPAA (meaning it provides greater privacy protections), the state law prevails. Several states impose additional requirements for medical records subpoenas that go beyond HIPAA's satisfactory assurances framework.
California
The California Confidentiality of Medical Information Act (CMIA), codified at Cal. Civ. Code Section 56.10, generally requires patient authorization before disclosing medical information. While exceptions exist for court orders and properly served subpoenas, mental health records in California require either written patient authorization or a court order before release to any party other than the court itself.
New York
New York Public Health Law Article 27-F requires written informed consent for any disclosure of HIV-related information, even in response to a subpoena. Mental health records receive additional protection under Mental Hygiene Law Section 33.13, which generally requires a court order (not just a subpoena) for disclosure.
Texas
Texas Health and Safety Code Chapter 181 (the Texas Medical Records Privacy Act) gives patients broader rights than HIPAA in several areas. Texas facilities generally must respond to records requests within 15 days, compared to HIPAA's 30-day standard.
General Principle
Covered entities operating in multiple states must identify and comply with the most protective applicable law for each disclosure. When a state law requires a court order where HIPAA would permit disclosure with satisfactory assurances alone, the state law controls.
Penalties for Improper Disclosure
Disclosing PHI in response to a subpoena without meeting the Privacy Rule's requirements constitutes a HIPAA violation. The HHS Office for Civil Rights (OCR) investigates complaints and can impose civil monetary penalties under the HIPAA Enforcement Rule.
OCR has documented cases where covered entities improperly disclosed PHI in response to subpoenas. In one enforcement example, a public hospital disclosed a patient's PHI in response to a subpoena that was not accompanied by a court order, without first verifying that the requesting party had provided satisfactory assurances of notice to the individual or a qualified protective order.
Penalty tiers under the HITECH Act range from $141 to $2,134,831 per violation (adjusted for inflation), depending on the level of culpability. Willful neglect that is not corrected carries the highest penalties. As of 2024, OCR has resolved 152 enforcement cases totaling over $144.8 million in settlements and civil monetary penalties.
Practical Steps for Covered Entities
Healthcare providers and health plans that receive subpoenas for medical records can follow a structured approach to stay compliant.
Step 1: Determine the type of legal process. Identify whether the request is a court order, an attorney-issued subpoena, a grand jury subpoena, or an administrative demand. Each follows a different pathway under the Privacy Rule.
Step 2: Verify satisfactory assurances (for non-court-order subpoenas). Request and review the written statement and documentation from the requesting party. Confirm that the individual received proper notice or that a qualified protective order is in place.
Step 3: Apply the minimum necessary standard. Review the scope of the request and limit the disclosure to the specific records identified. Do not produce an entire medical chart when the subpoena requests records from a specific date range or related to a specific condition.
Step 4: Check state law. Determine whether the state where the patient was treated or where the provider is located imposes additional requirements. If state law is more restrictive, follow the state law.
Step 5: Document the process. Maintain records of the subpoena, the satisfactory assurances received, the PHI disclosed, and the legal basis for the disclosure. HIPAA requires covered entities to retain documentation of disclosures for six years under 45 CFR 164.530(j).
Understanding these requirements is part of the broader framework of HIPAA privacy protections that govern how covered entities handle protected health information across all contexts, not only legal proceedings.
This article provides legal information, not legal advice. Laws and regulations change, and their application depends on specific facts and circumstances. Consult an attorney for advice specific to your situation.
Sources and References
- 45 CFR 164.512(e) - Disclosures for judicial and administrative proceedings (law.cornell.edu)
- HHS FAQ - Judicial and Administrative Proceedings (hhs.gov)
- HHS FAQ 706 - Satisfactory assurances for subpoena response (hhs.gov)
- HHS FAQ 708 - When the subpoena itself is satisfactory assurance (hhs.gov)
- HHS FAQ 505 - Law enforcement disclosures under the Privacy Rule (hhs.gov)
- HHS - Court Orders and Subpoenas (for individuals) (hhs.gov)
- HHS - How OCR Enforces the HIPAA Privacy and Security Rules (hhs.gov)
- HHS - Guidance on De-identification of PHI under HIPAA (hhs.gov)
- HHS FAQ 399 - Does HIPAA preempt state laws? (hhs.gov)
- California Confidentiality of Medical Information Act - Cal. Civ. Code 56.10 (leginfo.legislature.ca.gov)