Oregon State Bar Bulletin — FEBRUARY/MARCH 2004

Discovering medical records in Oregon after HIPAA
By Robert B. Miller and Jeff Robertson

Every day lawyers request medical records on behalf of their clients for information relevant to a particular case, whether it be a personal injury dispute, commercial litigation or dispute between two physicians. Today, these lawyers face objections from medical records custodians declining to release the requested information due to the requirements imposed on them by HIPAA. The lawyers’ typical response is 'HIPAA? Huh?'

An understanding of HIPAA and its rules is essential to the efficient and proper discovery of medical records for your clients. This article is intended to be a practical overview for attorneys on the HIPAA requirements and their intersection with Oregon statutory laws relating to medical records privacy and the Oregon Rules of Civil Procedure. As there are several rules for varying situations, please carefully review the HIPAA rules for your specific practice area and the facts of your case.

Background of HIPAA
In 1996, Congress passed sweeping reform for medical records privacy in the form of the Health Insurance Portability and Accountability Act ('HIPAA'), 42 U.S.C. § 1320d. In 1999, the Department of Health and Human Services issued proposed regulations, followed by final regulations on Dec. 28, 2000, with a final modification on Aug. 14, 2002, implementing the HIPAA privacy provisions. 45 CFR Parts 160 and 164. HIPAA was designed to improve the efficiency and effectiveness of the health care and insurance industry through electronic information delivery. With electronic disclosure, concern arose over protecting the privacy of this information. In general, the HIPAA privacy rules restrict the use and disclosure of an individual’s personal health information ('Protected Health Information' or 'PHI').

'Covered Entities' are subject to HIPAA’s requirements. The term covered entity includes: group health plans, health care clearinghouses (e.g., a billing entity) and health care providers. 45 CFR § 160.103, 104. HIPAA defines these terms very broadly. A covered entity may only disclose protected health information pursuant to a specified exception or a signed individual authorization. HIPAA contains severe penalties for the improper disclosure of medical records containing PHI — $100 per violation up to a maximum of $25,000. (See § 1176 of the Social Security Act.) Discovery from a covered entity can be achieved in any of the following three different ways.

Three Methods to Receive Medical Records
As previously stated, a covered entity may not disclose medical records except pursuant to a specific exception or a signed individual authorization. To meet these requirements, a lawyer has three choices. First, a lawyer may use a subpoena or administrative order. Second, a lawyer may use a judicially signed court order. Third, a lawyer may submit a signed individual authorization as to the specific medical information requested.

1. Obtaining Medical Records Pursuant to a Discovery Request
Typically, defense counsel obtains a plaintiff’s medical records through a discovery request as per ORCP 43D; ORCP 55. Under HIPAA, a lawyer in an Oregon state court case may no longer simply send a subpoena duces tecum to the covered entity to request medical records, wait 14 days and receive the disclosure, pursuant to the old rules under ORCP 55I.[1] Pursuant to amendments promulgated to comply with HIPAA, a subpoena duces tecum under the amended ORCP 55H[2] must include 'Satisfactory Assurances' to the covered entity that the lawyer has given notice to the individual whose medical records are in question. 45 CFR § 164.512. In federal court, the applicable Federal Rules of Civil Procedure ('FRCP') are Rule 26 and Rule 45.

Satisfactory Assurances means:

The requesting party made reasonable efforts to give notice of the request to the individual; and

The notice included sufficient information and a specific time period so that the individual could object; and

That no objection has been filed, or if filed, was resolved. See 45 CFR § 164.512.

A lawyer can meet the notice requirement by sending a letter to the individual whose records are in question or, if the person is represented by counsel, to the lawyer, stating that the lawyer will subpoena records from certain providers. The letter must include notice that the individual or attorney has until 14 days from the date of the notice to object.[3] If 14 days pass and no objection is filed, the requesting party may serve the subpoena in accordance with ORCP 55. The requirement for satisfactory assurances to the covered entity can be met by including a cover letter with the subpoena that specifies the manner of notice given to the individual before the subpoena was served.

Alternatively, a lawyer may apply for a qualified protective order to meet the requirement for satisfactory assurances. 45 CFR § 164.512. A Qualified Protective Order can be an order from the court or a stipulation among the parties specifically limiting the use of the information and requiring the return or destruction of the information after its use in the case at bar. We have seen frequent requests for qualified protective orders as the discovery method preferred by both records custodians and counsel. The qualified protective order provides assurance that the requirements of HIPAA have been met, but it is more costly than a simple discovery request.

2. Signed Judicial Order
HIPAA allows for the disclosure of medical records by a covered entity pursuant to a signed court (or administrative tribunal) order which expressly authorizes the specific information’s disclosure. If the discovery request is signed by a judge or administrative officer, satisfactory assurances are not required.

3. Signed Individual Authorization
The easiest and safest way to receive protected health information is pursuant to a signed individual authorization. However, obtaining the authorization can be cumbersome and strategically difficult.

An individual’s authorization to disclose medical records must meet the specific HIPAA requirements of 45 CFR § 164.508 and any applicable state requirements.[4] Beware of model forms which may not include the specific state law requirements, which are in addition to the HIPAA authorization requirements.

Because of the additional state requirements, counsel may wish to draft and send their own authorization form, as well as a cover letter explaining that an authorization is enclosed which meets both the federal and state requirements allowing the disclosure of medical records to the appropriate records custodian.

HIPAA requires more notice and care be given to disclosure of protected health information, even in connection with litigation. However, rumors of the demise of discovery of medical information are greatly exaggerated. As the HIPAA privacy rules near their first anniversary in April 2004, our experience has shown that difficulties encountered by both counsel and records custodians arise primarily from misunderstanding and varying practices regarding HIPAA and the applicable state laws. However, the HIPAA rules provide for three specific discovery methods, and complying with the rules to efficiently obtain the records necessary for your client is relatively simple and just a matter of revising your current procedures.



This letter places you and your client on notice, within the requirements of the HIPAA Privacy Regulations, 45 CFR § 164.512(e), that we will request your client’s medical records pursuant to a subpoena duces tecum from the listed covered entities:


Copies of the subpoena(s) are attached for your review.

You have until 5:00 p.m. Pacific Standard Time, 14 days from the date of this notice, [INSERT APPLICABLE REPLY DATE], to file an objection with the Court in question or otherwise notify me in writing of your objection. If you do not notify us of any objection, we will issue the subpoena(s) and notify you of any applicable deposition(s). We will enclose a copy of this letter with the subpoena to provide Satisfactory Assurances to the medical records custodian that you have received notice of the subpoena and received adequate opportunity to object.



Please find enclosed, a [Notice of Deposition, Subpoena Duces Tecum] from [INSERT NAME OF DEFENDANT], Defendant, in the referenced action. These documents are being sent to you in order to obtain a certified copy of the complete medical file of [INSERT PATIENT NAME].

In accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Regulations, 45 CFR § 164.512(e)(1)(iii), Defendant is making Satisfactory Assurances that [INSERT PATIENT NAME] has, in accordance with HIPAA, been afforded notice and an opportunity to object to the issuance of this subpoena, and we have received no objection nor any notice of any objection.



1. ORCP 55(l) was repealed by the 2003 Legislative Assembly.

2. The 2003 Legislative Assembly amended ORCP 55(h) to reflect HIPAA requirements.

3. ORCP 55(h) contains the 14 day notice requirement formerly within ORCP 55(l).

4. ORS § 192.525 has been updated by HB 2305.

Robert B. Miller is a shareholder with Bullivant Houser Bailey. His practice focuses on complex litigation and coverage analysis arising under individual policies, government plans and group plans governed by ERISA. Jeff Robertson is an attorney with Bullivant Houser Bailey, whose practice focuses on advising health care clients and ERISA group health plans on issues relating to HIPAA and related laws.

© 2004 Robert B. Miller & Jeff Robertson
