We Just Received a Government Subpoena. Now What?

Merle M. DeLancey Jr., Steven J. Roman, James R. Murray, and Christian N. Curran

Merle Delancey Justin A. ChiarodoJames Murray Christian N. Curran




If you are a multi-million dollar company and receive a subpoena for your documents and records, you simply send it to the legal department. But what if you are a smaller healthcare provider? Responding to a government subpoena can be daunting, especially if it is your first one, and you may not have the personnel or resources to respond without a significant disruption to your business. Does the subpoena mean you or your company is about to be charged with a crime? Do you have to submit original records? Will the government insist on the production of all documents within the often broadly worded scope of a subpoena? How do you deal with electronic information on your computer system? How do you protect patient confidentiality? Will your insurance help with the costs of complying with the subpoena? What can you do to ensure the company is prepared ahead of time?

Step One: Issue a Document Hold Notice and Consult Counsel

The first thing you should do when you receive a government subpoena is issue a written notice to your employees to protect and maintain any documents and records that may be encompassed by the subpoena. As part of that process, you will also need to suspend any records destruction practices that you currently have in place. The failure to produce or preserve potentially relevant documents and information can result in significant exposure. Courts have regularly penalized companies and individuals who fail to produce or preserve potentially relevant materials. It is important to send the notice out as soon as possible and to thoroughly document its distribution. You should also simultaneously consult with counsel to review the subpoena and ensure that you are taking all necessary steps to preserve information.

Step Two: Ascertain the Purpose and Respond to the Subpoena

Subpoenas for healthcare documents and records can come in different forms and from different entities, but, generally speaking, they are either issued administratively from a government investigative agency or by a prosecutor as part of a grand jury proceeding. Different procedures apply to each, but both types of subpoenas can be enforced through court action and carry potentially severe penalties, including fines and imprisonment for non-compliance. The issuance of a subpoena is usually one of the first steps taken in an investigation, and the receipt of a subpoena does not mean that you or your company are about to be charged. Many subpoenas are served on companies that are never charged with a crime. However, the fact that you have a subpoena in hand does mean that you should immediately consult counsel to determine the best way to protect yourself and your company.

Once counsel has reviewed the subpoena, you should have counsel engage with the agency office that issued the subpoena in order to obtain information about the investigation and the purpose of the subpoena. It is important for your counsel to learn whatever he or she can about the investigation from the government, including the target of the investigation, issues being investigated, whether the investigation will change the company’s status or require that regulatory notices be issued, whether the government will agree to narrow the scope of the subpoena, and whether there is flexibility with the deadline for a response (which there often is). Your counsel should also work with the government to manage any accompanying requests for employee interviews.

Challenging a subpoena in court is difficult due to the latitude the government is given when it comes to its investigatory powers. Generally, courts will not interfere with a subpoena as long as the evidence sought is relevant, the demand is definite, the investigation is authorized by statute, and the agency has followed the proper procedures in issuing the subpoena. Grounds for challenging a subpoena include improper service of the subpoena, that the subpoena is overly broad, or that the subpoena seeks privileged information. You may also challenge a subpoena if you can show that the government has issued it for the purposes of harassment or coercion. If you decide to challenge the subpoena in court, you should do so within the period specified for such challenges—an issue with which counsel will be familiar.

In most instances, companies are much better served by attempting to narrow or limit the subpoena through discussions with the issuing agency or prosecutor’s office, rather than to challenge the subpoena in court. Prosecutors and agents are often willing to narrow overly broad requests, identify the more easily produced documents in which they are most interested, and otherwise work to reduce the burden of compliance. This is especially important with requests for electronically stored information (ESI), which can be particularly burdensome to respond to. Counsel should work with the prosecutor or agent and the company to ascertain what ESI is available and how burdensome it will be to provide it in order to negotiate a reasonable scope and timeframe for a response.

Step Three: Understanding HIPAA Subpoenas and Requests for Protected Healthcare Information

As a healthcare provider, you may also receive a subpoena related to a HIPAA enforcement proceeding brought by the Department of Health and Human Services (HHS). This is a different type of subpoena than one that simply seeks Protected Healthcare Information (PHI) in conjunction with a separate judicial proceeding. A HIPAA subpoena is designed to investigate complaints made to HHS that a provider has violated the HIPAA rules by, for example, improperly treating PHI. Under the HIPAA enforcement procedures, the secretary of HHS can issue a subpoena for production of evidence and/or for testimony of witnesses as part of an investigation into a potential violation of the HIPAA rules. See 45 CFR § 160.314 (describing an enforcement subpoena).

Given that a violation of the HIPAA rules can result in a separate administrative proceeding, companies need to be concerned about HIPAA privacy rules when complying with a subpoena that requests PHI. The steps required to comply with a subpoena requesting PHI will depend on how the subpoena is issued. If the subpoena is issued by a judge, grand jury, or an administrative tribunal, you may disclose PHI, but only to the extent it is strictly necessary to comply with the subpoena. For subpoenas signed by a prosecutor, or someone other than a judge or administrative tribunal, you cannot disclose PHI until you have followed certain safeguards, such as notifying the patient whose information is going to be disclosed, or obtaining a HIPAA authorization from the patient. Additionally, responding to standard administrative subpoenas or investigative demands requesting PHI require that certain steps be taken to ensure that the PHI is relevant and material, and that the request cannot be satisfied without it. Counsel should review the relevant HIPAA rules and procedures to ensure that your response is fully compliant.

Step Four: Consult Your Insurance Policy

The government will not compensate you for responding to a subpoena; however, you may be able to recoup some of the expenditure through insurance. Depending on the language in the policy, companies may be able to assert that the receipt of a subpoena is a “claim” within the meaning of an insurance policy and therefore the policy covers fees incurred in defending against and responding to the subpoena.

A common definition for a “claim” under a policy is written notice that seeks either monetary or non-monetary relief. Additionally, some policies will also define a claim as any administrative or regulatory proceeding commenced through a notice of charges or formal investigation by a government agency. Under this type of definition, a company can argue that a subpoena is a demand for non-monetary relief and a notice of investigation related to an administrative or regulatory proceeding. In the event that your insurance company denies the request for coverage, you should consult specialized insurance counsel who can advise whether action is warranted to force the insurance company to honor the language in its policy.

Get Prepared Now, Before You Receive a Subpoena

You can take several proactive steps to ensure that the appropriate procedures are in place before receiving a subpoena.

Companies that have current and complete document retention policies and guidelines for responding to a subpoena as part of a robust compliance scheme will be better equipped to deal with responding to a subpoena. Such policies or guidelines should include directions to employees on steps necessary to preserve relevant records and information, directions for the issuance of and compliance with a document hold notice, directions on the distribution and completion of questionnaires related to where employees have stored both paper and electronic data, and designating a point of contact to oversee the retention and collection of information.

Additionally, if you do not have a compliance program for internal complaints already, you should consider implementing one. Most investigations stem from either current or former employee complaints. In some cases, where a complaint is filed under seal and the government cannot provide information as to the origin of the subpoena, the investigation is likely connected to a qui tam suit filed by a whistleblower. In order to ensure that you are prepared to deal with these types of complaints, your compliance program should contain procedures that promote a chain of communication that will allow you to properly evaluate the internal reporting of employee complaints and to investigate them (e.g., a complaint hotline, anonymous reporting procedures, internal review and interview processes). Such a program will allow you to deal with employee concerns in a proactive fashion by promoting a culture of compliance and will alert you to early signs of potential or alleged wrongdoing so that you can investigate before any external complaints are raised and make informed decisions. It is also important in the case of an internal complaint to ensure that you do not retaliate or take adverse action against any suspected whistleblowers in order to avoid even more significant consequences, such as claims for retaliation or further accusations of fraud. Instead, you should investigate the matter as you would any other and try to determine the validity of any allegations of misconduct by the company or its employees. A robust compliance program is a great way to ensure you are ahead of the curve.

%d bloggers like this: