HIPAA FAQ – Judicial and Administrative Proceedings (2020-09-08)

May a covered entity that is not a party to a legal proceeding disclose protected health information in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order?

Yes, if certain conditions are met. A covered entity that is not a party to litigation, such as where the covered entity is neither a plaintiff nor a defendant, may disclose protected health information in response to a subpoena, discovery request, or other lawful process, that is not accompanied by a court order, provided that the covered entity:

  • Receives a written statement and accompanying documentation from the party seeking the information that reasonable efforts have been made either (1) to ensure that the individual(s) who are the subject of the information have been notified of the request, or (2) to secure a qualified protective order for the information; or
  • Itself makes reasonable efforts either (1) to provide notice to the individual(s) that meets the same requirements as set forth below for sufficient notice by the party making the request, or (2) to seek a qualified protective order as defined below. See 45 CFR 164.512(e).

The covered entity must make reasonable efforts to limit the protected health information used or disclosed to the minimum necessary to respond to the request. See 45 CFR 164.502(b) and 164.514(d).

The requirement to provide sufficient notice to the individual(s) is met when a party provides a written statement and accompanying documentation that demonstrates:

  • A good faith attempt was made to notify the individual (or if the individual’s location is unknown, to mail a notice to the individual’s last known address);
  • The notice included sufficient detail to permit the individual to raise an objection with the court or administrative tribunal; and
  • The time for the individual to raise objections under the rules of the court or tribunal has lapsed and no objections were filed or all objections filed by the individual have been resolved by the court and the disclosures being sought are consistent with the resolution.

A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and requires the return to the covered entity or destruction of the protected health information (including any copies) at the end of the litigation or proceeding. The party requesting the information must provide a written statement and accompanying documentation that demonstrates:

  • The parties to the dispute have agreed to a qualified protective order and have presented it to the court or administrative tribunal; or
  • The party seeking the protected health information has requested a qualified protective order from the court or administrative tribunal.

When must a covered entity account for disclosures of protected health information made during the course of litigation?

Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR 164.528. Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made:

  1. as required by law (under §§ 164.512(a) and (e)(1)(i));
  2. for a proceeding before a health oversight agency (under § 164.512(d)); or
  3. in response to a subpoena, discovery request, or other lawful process (under § 164.512(e)).

Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual’s authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity’s health care operations.

In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule must provide that the lawyer-business associate must make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one.

For disclosures for judicial and administrative proceedings, when is a copy of the subpoena itself sufficient satisfactory assurance of notice to the individual?

A copy of the subpoena (or other request pursuant to lawful process) is sufficient when, on its face, it meets the requirements of 45 CFR 164.512(e)(1)(iii), such as by demonstrating that the individual whose protected health information is requested is a party to the litigation, notice of the request has been provided to the individual or his or her attorney, and the time for the individual to raise objections has elapsed and no objections were filed or all objections filed have been resolved. When the above requirements are evident on the face of the subpoena (or other request), no additional documentation is required.

For disclosures for judicial and administrative proceedings, can notice be provided to the individual’s lawyer instead of the individual?

Yes. A covered entity that is not a party to litigation must obtain or receive the satisfactory assurances required by 45 CFR 164.512(e) before making a disclosure for a judicial or administrative proceeding. Where the satisfactory assurances are in the form of notice to the individual, a written statement and accompanying documentation of notice to the individual’s lawyer is considered to be notice to the individual and, thus, suffices, provided the documentation otherwise meets the requirements of 45 CFR 164.512(e)(1)(iii). Specifically, the written statement and accompanying documentation must demonstrate that the notice included sufficient information about the litigation to permit the individual to raise an objection to the court; and that the time for the individual to raise objections has elapsed, with no objections having been filed, or all filed objections having been resolved.

What “satisfactory assurances” must a covered entity that is not a party to the litigation receive before it may respond to a subpoena without a court order?

Under 45 CFR 164.512(e)(1)(ii) of the Privacy Rule, a covered entity that is not a party to the litigation may disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives certain satisfactory assurances from the party seeking the information. Specifically, the covered entity must receive a written statement and accompanying documentation that the requestor has made reasonable efforts either (1) to ensure that the individual(s) who are the subject of the information have been given sufficient notice of the request, or (2) to secure a qualified protective order. (Alternatively, the covered entity may make such disclosures if it itself makes reasonable efforts to notify the individual(s) or seek a qualified protective order.) If the conditions above have been met, a court order is not required to make the disclosure.

For notice to the individual(s), the written statement and accompanying documentation must demonstrate that the requestor has made a good faith attempt to provide written notice to the individual; and that the notice included sufficient information about the litigation to permit the individual to raise an objection with the court, the time for the individual to raise an objection has elapsed, and no objections were filed or all objections filed were resolved and the request is consistent with the resolution. Such statements and documentation may include, for example, a copy of the notice mailed to the individual that includes instructions for raising an objection with the court and the deadline for doing so, and a written statement or other documentation demonstrating that no objections were raised or all objections raised were resolved and the request is consistent with the resolution. To the extent that the subpoena or other request itself demonstrates the above elements, no additional documentation is required.

For a qualified protective order, the written statement and accompanying documentation must demonstrate that the parties to the dispute have agreed to a qualified protective order and have presented it to the court or administrative tribunal; or the party seeking the protected health information has requested a qualified protective order from the court or administrative tribunal. See the definition of “qualified protective order” at 45 CFR 164.512(e)(1)(v). Such statements and documentation may include, for example, a copy of the qualified protective order that the parties have agreed to and documentation or a statement that the order was presented to the court, or a copy of the motion to the court requesting a qualified protective order.

May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?

Yes. Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations.

The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR 164.514(d)(3)(iii)(C). A covered entity’s minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer’s requests for protected health information needed in the course of providing legal services to the covered entity.

In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a “relevance” standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings.

May a covered entity use or disclose protected health information for litigation?

A covered entity may use or disclose protected health information as permitted or required by the Privacy Rule, see 45 CFR 164.502(a); and, subject to certain conditions, the Rule typically permits uses and disclosures for litigation, whether for judicial or administrative proceedings, under particular provisions for judicial and administrative proceedings set forth at 45 CFR 164.512(e), or as part of the covered entity’s health care operations, 45 CFR 164.506(a). Depending on the context, a covered entity’s use or disclosure of protected health information in the course of litigation also may be permitted under a number of other provisions of the Rule, including uses or disclosures that are:

  • required by law (as when the court has ordered certain disclosures),
  • for a proceeding before a health oversight agency (as in a contested licensing revocation),
  • for payment purposes (as in a collection action on an unpaid claim), or
  • with the individual’s written authorization.

Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse), including legal services related to an entity’s treatment or payment functions. Thus, for example, a covered entity that is a defendant in a malpractice action or a plaintiff in a suit to obtain payment may use or disclose protected health information for such litigation as part of its health care operations. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d).

Where the covered entity is not a party to the proceeding, the covered entity may disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512(e) for disclosures for judicial and administrative proceedings are met.

May a covered entity disclose protected health information in response to a court order?

Yes. A covered entity may disclose protected health information to comply with a court order, including an order of an administrative tribunal. Such disclosures must be limited to the protected health information expressly authorized by the order. See 45 CFR 164.512(e)(1)(i).
