Joelle Duval and Patricia Mooney provide their insights
Part B News / partbnews.com
Volume 38, Issue 10
March 4, 2024
By: Roy Edroso
When a criminal or civil case embroils a practice, subpoenas or court orders requesting or demanding records may come to the front desk. You may face different types of requests that can be made in connection with the case in question, and it’s vital that your staff understand the difference.
The documentation requests sometimes lead to legal cases against providers, as with a case presently before the Maine District Court concerning Meredith Norris, D.O., who has been indicted on alleged violations of the Controlled Substances Act based in part on documents obtained in an FBI search. Norris has challenged some of the document seizures on which the case against her is based.
Records are often protected by laws such as HIPAA, but that protection may not count in all circumstances. Misunderstandings about this have led to some costly errors. Consider a case adjudicated by the Connecticut Supreme Court in Byrne v. Avery Center for Obstetrics and Gynecology (PBN 1/28/19). In that case, an OB/GYN practice had surrendered patient records in response to a subpoena, apparently believing they had no choice. That turned out to be false, and cost the practice heavily in a suit brought by the patient whose protected health information (PHI) was surrendered.
Broadly speaking, PHI is protected by federal and, in some cases, state privacy laws against civil demands, though it may be surrendered in criminal matters. But it’s important to understand the details.
Civil subpoenas: Easier
“Subpoenas can come from many sources,” explains Alex J. Keoskey, a partner with Mandelbaum Barrett PC in Roseland, N.J. “They can be issued by plaintiff attorneys handling civil claims such as personal injury or malpractice lawsuits, other counsel handling divorce actions, government law enforcement and regulatory agencies, criminal prosecutors, state licensing authorities or state and federal government agencies which prosecute insurance fraud, misconduct or gross malpractice.”
John C. Eason of Bass, Berry & Sims PLC in Nashville names the types of documents you’re likely to see: a grand jury subpoena (criminal investigation), a civil investigative demand (civil investigation), an administrative investigative
demand (criminal investigation), and an administrative subpoena (likely an administrative or civil investigation, but could be part of a criminal investigation). These should be identifiable on their face.
Generally speaking, subpoenas that come from a lawyer in a civil case do not require an immediate remand, and state and federal HIPAA laws will guide your response with regard to medical records. That is, you cannot give out PHI without the patient’s permission.
Often these subpoenas with be accompanied by a HIPAA authorization signed by the patient that the attorney has already obtained, says Paul D. Werner of the Buttaci, Leardi & Werner law firm in Princeton, N.J.
“With your standard civil-court subpoena, nine times out of 10, you’re getting served via mail or a delivery service, as opposed to somebody walking in and physically handing it to you,” Werner says. But however it comes, the authorization has to be cleared with the patient for HIPAA compliance. Once it is, in most cases you should comply with the request.
When the judge asks, comply
Orders from a judge or magistrate usually require a different response. If you find a judge’s name and signature on the bottom of the subpoena, chances are HIPAA is no longer operable. Note, however, that’s not an ironclad rule; there can be exceptions.
Court orders are not only for criminal proceedings, says Joelle Duval, counsel with Coffey Modica LLP in White Plains, N.Y. “Even in your ordinary slip-and-fall case, you can have a judge order a subpoena directing Doctor Smith’s practice to send medical records for the plaintiff to the courthouse,” she notes.
Failure to comply timely can be considered contempt of court with a monetary fine. Usually, it’s a modest $50 fine, says Patricia A. Mooney, a partner at Coffey Modica, though “obviously you want to be compliant with the court.”
Search warrant: Must do
Take note of one thing that’s an immediate-action scenario: A search warrant in a criminal investigation. “In that instance, you’ve got zero control over the situation,” Werner says.
The first thing staff should do when agents present a warrant is to obtain a copy and get your lawyer on the phone, Werner says. But forget about blocking the agents from doing what the warrant says they can do. “Usually, when federal officers like FBI or IRS agents come in, they will sort of segregate out the staff that’s in the office, and start cataloguing and taking what they need to take,” Werner says.
“The agents can prevent you from leaving while they conduct the search, or they can require you to leave the physical premises but remain in the general area until they’ve completed it,” Werner adds. “They can temporarily take your pocketbooks, backpacks, cell phones, things like that, and keep them away from you while they conduct their search. Eventually they’ll give you or your lawyer an inventory of what they took and leave.”
During the search, agents can prohibit staff from talking to one another and from talking to other people on the phone about the search. But, Werner says, “they can’t prevent you from contacting your lawyer to advise on the subpoena or search warrant. In fact, more often than not, they’ll get on the phone with a lawyer and provide copies of the search warrant.”
And they can’t prohibit you from discussing the raid after they leave. Neither can the agents compel you to talk to them based on the warrant. But note: Your practice “can’t compel your employees to not talk to the agents, either,” Werner says.
Another must: CMS calling
There’s another situation in which practices can’t stonewall: Medicare investigations, such as when CMS contractors come around to confirm that you’re a real practice “because there’s been a lot of fraud over the years where providers
put up an address purporting to be their business address, and Medicare comes out to check and it’s a post office box or a nail salon, or doesn’t exist at all,” Werner says.
Generally these officials identify themselves and show a document which you may read “but which they will not permit you to keep or make a copy of,” Werner says.
You should immediately get your lawyer on the phone for this. “We’ve had a lot of those phone calls where I’m on speakerphone with the office manager and talking to the Medicare contractor about the scope of what they’re doing,” Werner says. You may even get the contractor to wait to do their look-around until the practice is less busy.
Exceptions for ‘sensitive’ records
Not all orders signed by judges — even in criminal investigations — require or even allow immediate delivery of requested patient information in all cases.
Meredith Norris has challenged some of the document seizures on which the case against her is based. In one instance, she has contested admission of documents obtained with a subpoena that was served to a “federally regulated substance abuse treatment facility” with which she is associated, on grounds that such a request “requires a valid court Order authorizing disclosure pursuant to 42 U.S.C. ¤290dd-2 and the federal regulations implementing the same.” That subpoena has since been withdrawn.
Werner notes that if a patient is in treatment for a substance use disorder (SUD), the confidentiality of their records is covered by federal law — specifically, 42 CFR Part Two, “Confidentiality of Substance Use Disorder Patient Records” — and there are a number of added steps lawyers and even government and law enforcement officials must complete before the order may be obeyed (see resources, below).
“If we assume, for the sake of this discussion, that the cops aren’t there looking for the records of the person they’re going after, then they can’t get those records at all,” Werner says. “If they’re looking to investigate somebody other than the person they’re after, they can’t have the records even if the person whose records they’re seeking signs [standard HIPAA] paperwork consenting to it — unless they have also signed very specific paperwork that contains very specific language that complies with Part Two, which is clear on what exactly what has to be contained within that document. Absent that, they can’t comply if they don’t have consent.”
In fact, Werner says, even if records are those of a fugitive or someone else the authorities are empowered to apprehend, you might not be able to turn them over under Part Two, because it “has particular sections governing the use of SUD records in the context of criminal investigations, and generally speaking those records cannot be used for purposes of investigation or prosecution barring exceptional circumstances.”
Also note: Some state privacy and HIPAA laws are stricter than federal HIPAA. As a rule of thumb, federal HIPAA prevails if there’s a conflict with state law, except “if the state has more stringent rules, in which case the practice can follow the state’s rule instead,” Duval explains.
And some states have especially tight laws regarding “sensitive” patient records. In New York State, requests for “anything about mental health, drug, alcohol use, opioid addiction [and] HIV status requires specific signed authorization from the patient,” Duval explains. The patient must check and initial Box 9(a) of the state authorization form before any of these sensitive records can be disclosed, and “this agreement for disclosure must be done individually for each category.”
Make the call
In all of the situations described above you’re advised to contact your legal counsel before doing anything. Fortunately, most such cases don’t require an immediate answer, even “when it’s Inspector General or FBI agents showing up at your office to serve that document,” Werner says.
One example Werner cites is a civil investigative demand, often seen in False Claims Act investigations. “Those are sometimes sent in the mail, but sometimes they’re served in person by agents,” Werner says. “In those instances, practices may get confused — understandably, because you’ve got guys with badges coming in. But even in those cases, they can be treated no differently than a subpoena — they’re just a request for documents and nothing else.”
Chances are your lawyer will talk to their lawyer, and work to revise the requirements so they’re less onerous. “That’s why subpoenas have extended return dates on them,” Werner says. “And we always get more time for subpoenas. In 17 years of practice, I don’t think I’ve ever responded to a subpoena by the return date originally identified on the subpoena.”
Subpoena via Twitter?
Reagan E. Boyce, partner at with the Chamblee Ryan firm in Dallas, says if your practice group is in Texas and has a social media presence, someone should check the account on a regular basis: “Texas now allows for the service of legal process such as subpoenas and citations through social media as a form of substitute service when the regular methods have failed,” she says.
In such cases, a court order is still required before social media sites can be used for service, Boyce says, but “if an order is obtained, service is proper via social media platforms and all related deadlines will begin to run once service is completed.”
Resource • Code of Federal Regulations, Title 42 Part Two, Confidentiality of Substance Use Disorder Patient Records: www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
https://pbn.decisionhealth.com/Articles/Detail.aspx?id=547441