Responding to subpoenas for protected health information

Scott Templeton
Scott Templeton is a lawyer in Kirksville and an assistant professor of business administration at Truman State University.

Scott Schwend
Scott Schwend is an associate at Bryan Cave Leighton Paisner LLP in Kansas City.

Not having a subpoena in hand and with a trial in the morning, the lawyer resorted to pointing his finger at the farmer and with a stern look advised him that he was being subpoenaed to testify in court and that failing to appear at the specified time and place could constitute contempt. Despite this clearly invalid subpoena process, the farmer dutifully appeared in court at the appointed hour.

This story is not offered as a suggestion of good legal practice,³ but instead to illustrate that laypeople often do not understand the rules associated with subpoenas and are prone to blindly disclose or attempt to comply with a subpoena or other legal document without careful thought of the consequences.⁴ Why did the farmer appear as directed when he had not been served with a valid subpoena? Almost certainly, he did not know the technical requirements for proper subpoena issuance and service. However, the use of a Latin phrase by an officer of the court in connection with a court proceeding likely engendered a fear of consequence.

There is even more uncertainty in responding to subpoenas that seek the production of patient medical records, the disclosure of which is subject to complicated restrictions under state and federal privacy laws. While health care providers typically understand the day-to-day mechanisms of compliance as well as their responsibility to keep protected health information confidential, some mistakenly believe that following the directive of a subpoena, even if valid, will automatically equate to compliance with their obligation to keep patient medical records confidential. Similarly, lawyers who fail to understand the requirements that must be met before    health care providers can disclose patient records often issue subpoenas in last-minute trial preparation scrambles and fail to leave sufficient time to satisfy the prerequisites for disclosure.

This article covers the information health care providers, and their lawyers, should know to comply with state and federal privacy laws when served with a subpoena for protected health information (“PHI”).⁵

Missouri law on subpoena issuance, service, and compliance
Missouri’s primary body of law governing subpoenas is Chapter 491 of the Missouri Revised Statutes. In addition, Rule 57.09 sets forth the procedural rules for issuing subpoenas to secure deposition testimony and document production from non-parties. Missouri law requires court clerks or notary publics issue subpoenas.⁶ Subpoenas must state the name of the court and the title of the action and include the name, address, and telephone number of all lawyers of record.⁷ Subpoenas must also command the witness to attend and testify at the time and place specified therein.⁸ Normally, the requesting lawyer supplies a proposed subpoena to the circuit clerk through Missouri Case.net, and the circuit clerk will then sign it and make it available for printing.

In Missouri, subpoenas must be served by a representative of the sheriff’s office or any non-party who is at least 18 years old.⁹ Service requires delivery of a copy of the subpoena to the witness, together with any applicable witness or mileage fees.¹⁰ Witness fees are $25 per day and the current mileage fee is computed at the rate of 10 cents per mile.¹¹ In addition, when someone seeks medical records from a non-party health care provider, the subpoena usually includes a request for its production at trial or deposition (i.e., a subpoena duces tecum). Where a subpoena directs a non-party to produce records at a deposition (as opposed to trial), it must be served at least 10 days in advance.¹² Moreover, it is important that lawyers understand the only proper use of a subpoena duces tecum is in conjunction with a deposition or trial.¹³ Unless all parties agree in writing to the contrary, a witness served with a subpoena duces tecum must produce the requested items at the time of his or her appearance.¹⁴ If, in response to a subpoena, a lawyer receives medical records prior to the deposition, the lawyer should not review them.¹⁵ “[I]t is professional misconduct for a requesting attorney to review or otherwise use privileged records that a provider mails contrary to a subpoena requiring production of documents at a deposition.”¹⁶

Any non-party who can demonstrate that a subpoena duces tecum is unreasonable or burdensome can appeal to the discretion of the court for relief by filing a motion to quash.¹⁷ The claim of a subpoena being unreasonable or oppressive is personal to the witness,¹⁸ and the determination of reasonableness “rests within the sound discretion of the trial court.”¹⁹ In the event the court denies the motion, it still may require the party seeking the documents to advance the reasonable cost of his or her production.²⁰ With respect to subpoenas that call for document production at a deposition, requesting lawyers must “take reasonable steps to avoid imposing undue burden or expense on a non-party subject to the subpoena.”²¹ Similarly, “experts or other persons from whom discovery is sought are entitled to an order protecting them from ‘annoyance, embarrassment, oppression, or undue burden or expense.’”²² While there is no similar admonition related to trial subpoenas, claims of undue burden or expense can support a motion to quash.²³

Failure to comply with a subpoena, absent adequate excuse, is punishable as contempt of the court.²⁴ Upon receiving a request to produce patient records, a health care provider should immediately calendar the response date and review and preserve the requested medical information. A health care provider should also be instructed to promptly alert its compliance officer and/or legal counsel. The lawyers should then verify the validity of the subpoena²⁵ and service and communicate with the health care provider staff as to whether compliance with the subpoena is manageable or whether it would be unreasonable and burdensome. The inquiry then turns to whether disclosure is authorized in relation to state and federal privacy laws.

Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (“HIPAA”) is a comprehensive federal law that required the creation of national standards to prevent certain health information from being disclosed without a patient’s knowledge or consent.²⁶ The U.S. Department of Health and Human Services issued regulations to implement HIPAA requirements, which are collectively known as the Privacy Rule.²⁷ The Privacy Rule sets forth standards on the use and disclosure of PHI by “covered entities.”²⁸ Covered entities include most health care providers, including hospitals and physicians.²⁹ PHI includes information that may be used to identify an individual (e.g., name, address, birth date, and Social Security Number) and relates to an individual’s physical or mental health or condition, the provision of health care to the individual, or payment for health care.³⁰ Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted by the regulations.³¹

In the context of a judicial or administrative proceeding, there are two instances where a covered entity may disclose PHI without a patient authorization.³²

The first permitted disclosure is in response to a court order, provided that the disclosure is limited to the information expressly authorized in the order.³³ To health care providers receiving subpoenas for PHI, this provision may be misleading because a subpoena is not the equivalent of a court order. Unlike a court order, which is issued by a judge, Missouri law authorizes the clerk of the court or a notary public to issue subpoenas.³⁴ In some other states, lawyers can issue subpoenas themselves.³⁵ It follows that compliance with a subpoena without consideration of the privacy laws can result in legal liability for health care providers.

The second permitted disclosure of PHI in the context of a judicial proceeding is in response to a subpoena, but only if additional conditions are satisfied.³⁶ A subpoena, by itself, is insufficient to relieve health care providers of their HIPAA obligations. Rather, a health care provider must also receive “satisfactory assurance” that the requesting party has (a) provided the person whose PHI is sought with notice of the request or (b) made reasonable efforts to secure a qualified protective order.³⁷ As to the notice provision, satisfactory assurance also requires that the requesting party provide written documentation that a notice was sent to the individual’s last known address advising them of the litigation.³⁸ As to the procurement of a qualified protective order, satisfactory assurance requires that the requesting party provide documentation that either the parties to the litigation have agreed to a qualified protective order and have presented it to the court or that the party seeking the PHI has requested one.³⁹ Alternatively, a health care provider can act “sua sponte” either by providing the requisite notice to the patient or attempting to secure a protective order.⁴⁰

A health care provider should be instructed to promptly alert its compliance officer and/or legal counsel upon receiving a request for patient information. If a provider consults outside counsel, HIPAA requires a written agreement between the provider and lawyers before protected information may be disclosed.⁴¹ In any event, compliance officers and lawyers representing health care providers should confirm their providers know when disclosure of PHI is permitted, as HIPAA violations can result in serious liability. Violators may be subject to civil penalties ranging $100-$50,000, depending on the mental state of the violator (i.e., unknowing versus negligent).⁴² Intentional violations can result in criminal penalties of up to $250,000 in fines and up to 10 years imprisonment.⁴³ Since the compliance date of the Privacy Rule in April 2003, the U.S. Department of Health and Human Services’ Office of Civil Rights has received more than 259,972 HIPAA complaints; initiated more than 1,073 compliance reviews; and obtained settlements for fines totaling $135,298,482.⁴⁴ While HIPAA does not provide for a private cause of action, the Connecticut case of Byrne v. Avery Center for Obstetrics & Gynecology, P.C. held that HIPAA does not preempt state law causes of action for improper disclosure of patient information.⁴⁵ Possible causes of action for improper disclosure of confidential information include negligence, medical malpractice, invasion of privacy,⁴⁶ and breach of the physician-patient privilege.⁴⁷

Substance abuse disorder treatment records and information
Additional security is required, and additional measures must be taken, with respect to substance use disorder (“SUD”) treatment records and information.

The federal laws related to the confidentiality of SUD records can be traced to the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 and the Drug Abuse Office and Treatment Act of 1972.⁴⁸ Congress later reaffirmed and reorganized the confidentiality statutes by merging them into one act, the Public Health Service Act.⁴⁹ More recently, Congress amended the federal privacy law for SUD patient records (42 U.S.C. § 290dd-2) as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.⁵⁰ The regulations implementing the law are commonly referred to as “Part 2.”⁵¹

Part 2’s protections were enacted to provide strong guarantees of confidentiality with respect to SUD treatment records in recognition that those in need of such services might balk if they had concerns that such information might come back to haunt them.⁵² Examples of situations where such records might have a negative impact are criminal prosecutions and proceedings related to child custody, divorce, or employment.⁵³ In light of the recent opioid crisis, it is especially important that SUD treatment records are not unnecessarily disclosed so that those living with SUDs are more likely to seek and stay in treatment.⁵⁴

In recognition of the sensitivity of SUD treatment records, Part 2 protects patient records and information obtained by a Part 2 provider in connection with SUD diagnosis, treatment, or referral for treatment.⁵⁵ A health care provider is subject to Part 2 if it (a) receives federal assistance⁵⁶ and (b) holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment.⁵⁷ A provider “holds itself out” by engaging in “any activity that would lead one to reasonably conclude” that it offers such services.⁵⁸ Moreover, with respect to primary care physicians who provide SUD services to some patients as part of a larger medical practice, Part 2 does not apply unless their “principal practice” consists of providing SUD diagnosis, treatment, or referral for treatment.⁵⁹

Generally, Part 2 prohibits the use or disclosure of any information which would reasonably identify an individual as applying for, seeking, or receiving SUD services from a Part 2 program.⁶⁰ The regulations permit disclosure pursuant to the patient’s written consent,⁶¹ including situations where the patient agreed to participation in SUD treatment as a condition of the disposition of criminal proceedings, parole, or release from custody.⁶² The trap for the unwary comes as Part 2’s restrictions also apply to those who come into possession of protected SUD records pursuant to a patient’s consent.⁶³ Note, however, that recipients are not necessarily subject to Part 2 when a patient self-discloses information about their own SUD.⁶⁴ “Such self-disclosures by the patient are only protected by Part 2 if the recipient of the information is a Part 2 program.”⁶⁵

In the context of civil proceedings, the disclosure or use of SUD treatment records requires “a unique kind of court order.”⁶⁶ The court order is “unique” because “[i]ts only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited …”⁶⁷ Such an order, by itself, does not compel disclosure.⁶⁸ Rather, a subpoena or similar legal mandate must be issued to compel the disclosure of patient information authorized by the order.⁶⁹ An order authorizing disclosure must limit disclosure to the minimum necessary to fulfill the objective of the order, limit disclosure to only those who need it, and include other necessary measures to limit disclosure for the patient’s protection.⁷⁰

The procedure for obtaining an order begins with an application for an order authorizing the disclosure of the patient records.⁷¹ The patient and the person holding the records must then be provided notice that the order is being requested and given an opportunity to respond to the application.⁷² Often, this is satisfied by serving the patient or record holder with a subpoena directing them to appear at a hearing on the application.⁷³ At the hearing, the judge will review the evidence to determine if there is good cause for entry of the order.⁷⁴ There are two requirements for good cause: (1) other ways of obtaining the records are not available or would not be effective and (2) the public interest⁷⁵ and need for disclosure outweighs the potential injury to the patient, the physician-patient relationship, and the treatment services.⁷⁶ There is a strong presumption against disclosing SUD records,⁷⁷ so there should be a clear understanding that the court’s issuance of the order cannot be considered routine.

Additional safeguards apply to confidential communications a patient made to Part 2 program personnel in the course of SUD treatment.⁷⁸ In contrast to objective data (i.e., not confidential communications), confidential communications may be disclosed only if the “good cause” test is met and one of the following circumstances is established: (a) disclosure is necessary to protect against an existing threat to life or of serious bodily injury, (b) disclosure is necessary in connection with the investigation or prosecution of an extremely serious crime⁷⁹ allegedly committed by the patient, or (c) disclosure is in connection with a proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.⁸⁰ Similar to HIPAA, Part 2 requires a written agreement between a provider and outside counsel before any protected information may be disclosed.⁸¹ With respect to improper disclosures, violations of Part 2 are subject to the same civil and criminal penalties imposed for HIPAA violations.⁸² And although Part 2 does not allow a private cause of action,⁸³ there may be support for a state law cause of action for a Part 2 violation as has been identified with improper disclosures under HIPAA.

Missouri’s physician-patient privilege and duty of confidentiality
It is important to note that the regulations under HIPAA and Part 2 create a floor of privacy protections, not a ceiling. Where state law prohibits disclosure of information or records that would otherwise be permitted under HIPAA or Part 2, the more stringent state law protections prevail.⁸⁴ In Missouri, tension with the federal privacy regulations most often arises with respect to the physician-patient privilege and duty of confidentiality.⁸⁵

Missouri’s physician-patient privilege is a testimonial privilege that “relates to the disclosure of confidential medical information by testimony in court or by formal discovery.”⁸⁶  The privilege applies to medical records⁸⁷ and provides that a physician is incompetent to testify concerning any medical information acquired while treating a patient.⁸⁸ Of close relation to the physician-patient privilege is a physician’s common law duty of confidentiality. Missouri case law provides that those in possession of medical records shielded by the physician-patient privilege have a fiduciary duty to protect those records from unauthorized disclosure.⁸⁹ In contrast to the physician-patient privilege, Missouri courts have extended the duty of confidentiality beyond physicians to include hospitals⁹⁰ and insurance companies.⁹¹ Where privileged records are disclosed “under circumstances where this duty of confidentiality has not been waived, the patient has a cause of action for damages in tort against the physician.”⁹²

A potential pitfall exists in situations where disclosure is permitted under HIPAA or Part 2, but the physician-patient privilege and duty of confidentiality have not been waived. Generally speaking, disclosure under HIPAA and Part 2 requires a particular court order and/or subpoena. However, the physician-patient privilege, together with the duty of confidentiality, is waived only where the patient’s medical condition is in issue under the pleadings.⁹³ A subpoena does not waive the privilege.⁹⁴ Even if permitted under the federal privacy regulations, disclosure of medical information or records is improper under Missouri law to the extent the patient’s medical condition has not been placed in issue. This scenario may arise in non-personal injury civil suits⁹⁵ or where the records sought are of a witness or other non-party.⁹⁶

The Missouri Court of Appeals-Eastern District’s opinion in C.J.V. v. Jamison is an example of the application of state law privacy protections and their interplay with federal privacy laws. During this divorce proceeding, a husband alleged his marriage was irretrievably broken due to his wife’s addiction to alcohol and sought her medical records related to treatment of alcoholism.⁹⁷ Although the trial court found the requisite “good cause” under Part 2 and ordered disclosure of the records, the Court of Appeals held that the trial court erred in ordering disclosure in part because the wife had not put her alcoholism in issue or otherwise waived the physician-patient privilege.⁹⁸ In doing so, the Court of Appeals held that there is a “strong presumption” against disclosure of records of this kind.⁹⁹

Conclusion
Lawyers requesting protected health information and lawyers representing responding health care providers need to understand that compliance with a subpoena does not equate to compliance with state and federal privacy laws. Both sides should communicate and cooperate with each other to confirm that appropriate procedures are followed to authorize disclosure. Health care providers should do the best they can to alert their patients that protected health information is the subject of a subpoena. It may be that the patient is the one requesting the information or that the patient does not object to the disclosure and will sign a written authorization. If a valid authorization cannot be secured, the health care provider should disclose the information only upon confirmation of compliance with state law and the federal regulations.

To be clear, HIPAA requires either a court order or a subpoena along with satisfactory assurances that either notice has been provided to the patient or that a qualified protective order is being sought. Substance use disorder records may only be disclosed where a valid subpoena has been issued and the court concludes there is “good cause” based upon a finding that other ways of obtaining the records are not available or would not be effective and the public interest and the need for disclosure outweighs the potential injury to the patient, the physician-patient relationship, and the treatment services. And finally, even where HIPAA and Part 2 requirements have been satisfied, it must be determined that Missouri’s physician-patient privilege and duty of confidentiality have been waived.

Endnotes
1 Scott Templeton is a lawyer in Kirksville and an assistant professor of business administration at Truman State University.

2 Scott Schwend is an associate at Bryan Cave Leighton Paisner LLP in Kansas City.

3 In fact, using a “secret subpoena” may constitute abuse of process or an ethical violation. See Edward C. Clausen, [Im]properly Noticed: The Misuse of the Subpoena Duces Tecum, 67 J. Mo. B. 166 (2011).

4 “Subpoena” is Latin for “under penalty” and “duces tecum” is Latin for “to bring with you.” Black’s Law Dictionary 515 and 1440 (7th ed. 1999).

5 This article only addresses third-party subpoenas that seek to produce medical records in civil litigation. It does not address requests for protected health information in criminal proceedings or subpoenas issued by federal courts.

6 Section491.100.1, RSMo (Westlaw through West ID No. 45 of the 2021 First Regular and First Extraordinary Sessions of the 101st General Assembly).

7 Id. Missouri courts often provide blank subpoena forms on the courts’ website. St. Charles County and Jackson County circuit courts offer subpoena forms that have already been signed by the clerk.

8 Id.

9 Section 491.110, RSMo (Westlaw through West ID No. 45 of the 2021 First Regular and First Extraordinary Sessions of the 101st General Assembly); Rule 57.09(d).

10 Rule 57.09(d).

11 Sections 491.280.1 and 33.095, RSMo (Westlaw through West ID No. 45 of the 2021 First Regular and First Extraordinary Sessions of the 101st General Assembly).

12 Rule 57.09(c).

13 Id.

14 Id.

15 Amy J. Sokol, Missouri’s Physician-Patient Privilege Presents Problems, 60 J. Mo. B. 32 (2004).

16 State ex rel. Crowden v. Dandurand, 970 S.W.2d 340, 343 (Mo. banc 1998).

17 Section 491.100.3, RSMo (Westlaw); Rule 57.09(b). E.g., State ex rel. Whitacre v. Ladd, 701 S.W.2d 796 (Mo. App. E.D. 1985) (held that a subpoena served on a non-party expert medical witness was unreasonable, oppressive, and intrusive where it commanded the witness to produce calendars, appointment books, recorded court testimony, and charges for the rendition of medical opinions for a two-year time period); Coble v. Coble, 931 S.W.2d 206 (Mo. App. W.D. 1996) (Held that the trial court properly quashed a husband’s subpoena duces tecum as oppressive where the “subpoena demanded production of a great volume of documents and was not served [on the wife] until the afternoon preceding the morning hearing …”).

18 State ex rel. R.W. Filkey, Inc. v. Scott, 407 S.W.2d 79, 85 (Mo. App. E.D. 1966).

19 State ex rel. Rowland Group, Inc. v. Koehr, 831 S.W.2d 930, 933 (Mo. banc 1992).

20 Section 491.100.3, RSMo (Westlaw); Rule 57.09(b).

21 Rule 57.09(c).

22 State ex rel. Pooker ex rel. Pooker v. Kramer, 216 S.W.3d 670, 672 (Mo. banc 2007).

23 See § 491.100, RSMo (Westlaw).

24 Rule 57.09(f).

25 While a subpoena issued according to Federal Rule 45 may be served out of state, state court subpoena power is limited to the forum state’s geographic boundaries. Minder v. State of Ga., 183 U.S. 559, 562 (1902).

26 The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996); Citizens for Health v. Leavitt, 428 F.3d 167, 171-72 (3d Cir. 2005).

27 Summary of the HIPPA Privacy Rule 1, Office of Civil Rights, U.S. Dep’t of Health & Human Services (2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf; 45 C.F.R. § 164.500-164.534.

28 See 45 C.F.R. § 164.502 (2021).

29 See 42 U.S.C. §§ 1320d-1(a), 1320d(3) (2021).

30 45 C.F.R. § 160.103 (Westlaw through Sept. 30, 2021) (definition of “protected health information”).

31 45 C.F.R. § 164.502(a) (2021); State ex rel. Proctor v. Messina, 320 S.W.3d 145,155 (Mo. banc 2010).

32 45 C.F.R. § 164.512(e)(1)(i)-(ii) (2021).

33 45 C.F.R. § 164.512(e)(1)(i) (2021). As an example, HIPAA provides special protection for “psychotherapy notes” that are separated from the patient’s medical record. 45 C.F.R. § 164.501 (definition of “psychotherapy notes”) (Westlaw). Such records may be compelled through the court process, but they should not be disclosed unless the subpoena/order specifically provides for such records. Kalinoski v. Evans, 377 F. Supp. 2d 136, 138 (D.D.C. 2005); see generally Evenson v. Hartford Life and Annuity Ins. Co., 244 F.R.D. 666, 668 (M.D. Fla. 2007).

34 Section 491.100.1, RSMo (2021).

35 Fla. R. Civ. P. 1.410(a).

36 45 C.F.R. § 164.512(e)(1)(ii) (2021).

37 Id.

38 45 C.F.R. § 164.512(e)(1)(iii) (2021).

39 45 C.F.R. § 164.512(e)(1)(iv) (2021).

40 45 C.F.R. § 164.512(e)(1)(vi) (2021).

41 45 C.F.R. § 160.103 (definition of “business associate”) (2021). HIPAA’s regulations set forth the required elements for such agreements. 45 C.F.R. § 164.504(e)(1).

42 42 U.S.C. § 1320d-5(a)(1), (3) (2021).

43 42 U.S.C. § 1320d-6(b) (2021).

44 Enforcement Highlights, U.S. DEP’T OF HEALTH & HUMAN SERVICES. (Oct. 20, 2020), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html (based on data reported as of March 31, 2021).

45 314 Conn. 433, 458-59 (2014).

46 See Walgreen Co. v. Hinchy, 21 N.E.3d 99, 109-10, 112 (Ind. Ct. App. 2014).

47 Haddad v. Gopal, 787 A.2d 975, 980-81 (Pa. Super. Ct. 2001).

48 Technical Assistance Publication 1, Substance Abuse and Mental Health Services, U.S. Dept’ of Health & Human Services (1994), https://www.mhrbeo.org/Downloads/42%20CFR%20Part%202-Federal%20Drug%20and%20Alcohol%20Confidentiality%20Law.pdf.

49 Id.

50 Coronavirus Aid, Relief, and Economic Security (CARES) Act § 3221, Pub. L. No. 116-136 (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/748/text.

51 See generally 42 C.F.R. §§ 2.1-2.67 (2021).

52 Deborah A. Reid et al., Fundamentals of 42 CFR Part 2, Legal Action Center (October 2020), https://www.lac.org/resource/the-fundamentals-of-42-cfr-part-2.

53 Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?, Substance Abuse and Mental Health Services Admin., https://www.samhsa.gov/sites/default/files/does-part2-apply.pdf (last visited Nov. 20, 2020).

54 Id.

55 42 U.S.C. § 290dd-2(a) (2021); 42 C.F.R. §§ 2.2(b)(1), 2.11 (definition of “records”), 2.12(a) (2021).

56 A program is considered “federally assisted” if the program: (i) is conducted by the federal government or a state or local government that receives funds which could be (but are not necessarily) spent for SUD treatment; (ii) receives federal assistance in any form, including financial assistance (even if the funds do not directly pay for SUD services); (iii) is assisted by the Internal Revenue Service through allowance of income tax deductions for contributions or the granting of tax-exempt status; or (iv) is conducted under a license, certification, or other authorization granted by the federal government, including being certified as a Medicare or Medicaid provider or licensed to dispense controlled substances used in the treatment of SUDs (e.g., methadone, benzodiazepines, or buprenorphine). 42 C.F.R. § 2.12(b) (2021). 

57 42 C.F.R. § 2.11 (definition of “Part 2 program”) (2021). Medical personnel or other staff who provide SUD services in a general medical facility, such as a hospital or community health center, do not meet the definition of “program” unless their primary function is to provide SUD diagnosis, treatment, or referral for treatment. See id.

58 Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?, Substance abuse and mental health services admin., https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf (last visited 2020) (Examples of such activities include: “state licensing procedures, advertising or the posting of notices in the offices, certifications in addiction medicine, listings in registries, internet statements, consultation activities for non-‘program’ practitioners, information presented to patients or their families.”).

59 Id.

60 42 U.S.C. § 290dd-2(a) (2021); 42 C.F.R. §§ 2.12(a)(1)(i), 2.11 (definitions of “patient” and “patient identifying information”) (2021).

61 42 C.F.R. § 2.31 (2021).

62 42 C.F.R. § 2.35(a) (2021).

63 42 C.F.R. §§ 2.32, 2.12(d) (2021).

64 Legal Action Center, Confidentiality & Communication: An Abridged and Updated Guide to 42 CFR Part 2 and HIPAA Fundamentals, at 28 (Jacqueline Seitz et al. eds., 8th ed. 2020) (ebook).

65 Id.

66 42 C.F.R. § 2.61(a) (2021).

67 Id.

68 Id.

69 Id.

70 42 C.F.R. §§ 2.64(e), 2.65(e) (2021).

71 42 C.F.R. § 2.64(a) (2021). In referring to the patient, the application must use a fictitious name, such as John Doe, to avoid disclosing identifying information. Id.

72 42 C.F.R. § 2.64(b) (2021).

73 Legal Action Center, supra note 64, at 117-18.

74 42 C.F.R. § 2.64(c) (2021). The judge may examine the records in private before determining whether to issue the order (i.e., an in camera review). Id.

75 Courts give little weight to arguments of a broad public interest in assuring the availability of all material and competent evidence for the proper resolution of litigated matters as this consideration would be relevant to every application seeking an order authorizing disclosure. State ex rel. C.J.V. v. Jamison, 973 S.W.2d 183, 186 (Mo. App. E.D. 1998).

76 42 C.F.R. § 2.64(d) (2021).

77 State ex rel. C.J.V., 973 S.W.2d at 185.

78 42 C.F.R. § 2.63(a) (2021). The regulations do not allow the disclosure of confidential communications even if the patients’ identities have been removed. U.S. ex rel. Chandler v. Hektoen Institute for Medical Research, 2003 WL 22284199.

79 “[S]uch as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect …” 42 C.F.R. § 2.63(a)(2) (2021).

80 42 C.F.R. § 2.63(a) (2021).

81 42 C.F.R. §§ 2.11 (definition of “qualified service organization”), 2.12(c)(4) (2021).

82 42 U.S.C. § 290dd-2(f) (2021).

83 Legal Action Center, supra note 64, at 163-64.

84 45 C.F.R. § 160.203(b) (2021); 42 C.F.R. § 2.20 ().

85 Missouri provides additional protections to certain types of patient records which are not addressed in this article (e.g., § 630.140, RSMo [mental health records]; § 191.656, RSMo [HIV/AIDS status]; § 375.1309, RSMo [genetic information]; and § 199.033, RSMo [treatment records of those who suffered brain injuries]).

86 Brandt v. Medical Defense Associates., 856 S.W.2d 667, 669 (Mo. banc 1993).

87 Leritz v. Koehr, 844 S.W.2d 583, 584 (Mo. App. E.D. 1993).

88 Section 491.060(5), RSMo (Westlaw through West ID No. 45 of the 2021 First Regular and First Extraordinary Sessions of the 101st General Assembly).

89 Inghram v. Mutual of Omaha Ins. Co., 170 F. Supp. 2d 907, 911 (W.D. Mo. 2001).

90 Fierstein v. DePaul Health Center., 949 S.W.2d 90, 92 (Mo. App. E.D. 1997).

91 Inghram, 170 F. Supp. 2d at 911.

92 Brandt, 856 S.W.2d at 670.

93 Id. at 671.

94 See Inghram, 170 F. Supp. 2d at 911-12.

95 E.g., State ex rel. C.J.V., 973 S.W.2d at 184-87 (finding that husband was not entitled to wife’s alcohol abuse treatment records in divorce proceeding because, in additional to failing to satisfy the requirements of Part 2, the wife never placed her health at issue).

96 E.g., Inghram, 170 F. Supp. 2d at 908 (finding that insurance company breached a fiduciary duty where the medical records of a potential witness were disclosed in response to a subpoena from defendant).

97 State ex rel. C.J.V., 973 S.W.2d at 184.

98 Id. at 185, 187.

99 Id. at 185 (citing U.S. v. Cresta, 825 F.2d 538, 551-52 (1st Cir. 1987)).