Section 164.512(e) addresses when a covered entity is permitted to disclose protected health information in response to requests for protected health information that are made in the course of judicial and administrative proceedings - for example, when a non-party health care provider receives a subpoena (under Federal Rule of Civil Procedure Rule 45 or similar provision) for medical records from a party to a law suit. In the NPRM we would have allowed covered entities to disclose protected health information in the course of any judicial or administrative proceeding: (1) in response to an order of a court or administrative tribunal; or (2) where an individual was a party to the proceeding and his or her medical condition or history was at issue and the disclosure was pursuant to lawful process or otherwise authorized by law. Under the NPRM, if the request for disclosure of protected health information was accompanied by a court order, a covered entity could have disclosed that protected health information which the court order authorized to be disclosed. If the request for disclosure of protected health information were not accompanied by a court order, covered entities could not have disclosed the information requested unless a request authorized by law had been made by the agency requesting the information or by legal counsel representing a party to litigation, with a written statement certifying that the protected health information requested concerned a litigant to the proceeding and that the health condition of the litigant was at issue at the proceeding.
In § 164.512(e) of the final rule, we permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to an order from a court or administrative tribunal or in response to a subpoena or discovery request from, or other lawful process by a party to the proceeding. When a request is made pursuant to an order from a court or administrative tribunal, a covered entity may disclose the information requested without additional process. For example, a subpoena issued by a court constitutes a disclosure which is required by law as defined in this rule, and nothing in this rule is intended to interfere with the ability of the covered entity to comply with such subpoena.
However, absent an order of, or a subpoena issued by, a court or administrative tribunal, a covered entity may respond to a subpoena or discovery request from, or other lawful process by, a party to the proceeding only if the covered entity obtains either: (1) satisfactory assurances that reasonable efforts have been made to give the individual whose information has been requested notice of the request; or (2) satisfactory assurances that the party seeking such information has made reasonable efforts to secure a protective order that will guard the confidentiality of the information. In meeting the first test, a covered entity is considered to have received satisfactory assurances from the party seeking the information if that party demonstrates that it has made a good faith effort (such as by sending a notice to the individual's last known address) to provide written notice to the individual whose information is the subject of the request, that the written notice included sufficient information about the proceeding to permit the individual to raise an objection, and that the time for the individual to raise objections to the court or administrative tribunal has elapsed and no objections were filed or any objections filed by the individual have been resolved.
Unless required to do so by other law, the covered entity is not required to explain the procedures (if any) available for the individual to object to the disclosure. Under the rule, the individual exercises the right to object before the court or other body having jurisdiction over the proceeding, and not to the covered entity. The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party.
As described above, in this paragraph we also permit a covered entity to disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives satisfactory assurances that the party seeking the information has made reasonable efforts to seek a qualified protective order that would protect the privacy of the information. A "qualified protective order" means an order of a court or of an administrative tribunal or a stipulation that: (1) prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the records are requested; and (2) requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding. Satisfactory assurances of reasonable efforts to secure a qualified protective order are a statement and documentation that the parties to the dispute have agreed to a protective order and that it has been submitted to the court or administrative tribunal with jurisdiction, or that the party seeking the protected health information has requested a qualified protective order from such court or tribunal. We encourage the development of "model" protective orders that will facilitate adherence with this subpart.
In the final rule we also permit the covered entity itself to satisfy the requirement to make reasonable efforts to notify the individual whose information has been requested or to seek a qualified protective order. We intend this to be a permissible activity for covered entities: we do not require covered entities to undertake these efforts in response to a subpoena, discovery request, or similar process (other than an order from a court or administrative tribunal). If a covered entity receives such a request without receiving the satisfactory assurances described above from the party requesting the information, the covered entity is free to object to the disclosure and is not required to undertake the reasonable efforts itself.
We clarify that the provisions of this paragraph do not supersede or otherwise invalidate other provisions of this rule that permit uses and disclosures of protected health information. For example, the fact that protected health information is the subject of a matter before a court or tribunal does not prevent its disclosure under another provision of the rule, such as §§ 164.512(b), 164.512(d), or 164.512(f), even if a public agency's method of requesting the information is pursuant to an administrative proceeding. For example, where a public agency commences a disciplinary action against a health professional, and requests protected health information as part of its investigation, the disclosure made be made to the agency under paragraph (d) of this section (relating to health oversight) even if the method of making the request is through the proceeding. As with any request for disclosure under this section, the covered entity will need to verify the authority under which the request is being made, and we expect that public agencies will identify their authority when making such requests. We note that covered entities may reasonably rely on assertions of authority made by government agencies.
Where a disclosure made pursuant to this paragraph is required by law, such as in the case of an order from a court or administrative tribunal, the minimum necessary requirements in § 164.514(d) do not apply to disclosures made under this paragraph. A covered entity making a disclosure under this paragraph, however, may of course disclose only that protected health information that is within the scope of the permitted disclosure. For instance, in response to an order of a court or administrative tribunal, the covered entity may disclose only the protected health information that is expressly authorized by such an order. Where a disclosure is not considered under this rule to be required by law, the minimum necessary requirements apply, and the covered entity must make reasonable efforts to limit the information disclosed to that which is reasonably necessary to fulfill the request. A covered entity is not required to second guess the scope or purpose of the request, or take action to resist the request because they believe that it is over broad. In complying with the request, however, the covered entity must make reasonable efforts not to disclose more information than is requested. For example, a covered entity may not provide a party free access to its medical records under the theory that the party can identify the information necessary for the request. In some instances, it may be appropriate for a covered entity, presented with a relatively broad discovery request, to permit access to a relatively large amount of information in order for a party to identify the relevant information. This is permissible as long as the covered entity makes reasonable efforts to circumscribe the access as appropriate.
The NPRM indicated that when a covered entity was itself a government agency, the covered entity could use protected health information in all cases in which it would have been allowed to disclose such information in the course of any judicial or administrative proceeding. As explained above, the final rule does not include this provision.