(2009) , 94 Op. Att'y Gen. 44 ( 2009 )

Dear Jerry F. Barnes

You have asked for our opinion about the procedures a State's Attorney should use to obtain medical records for criminal investigations and trials, in light of federal and State laws making such records confidential. In this regard, you are primarily concerned with the effect of the Maryland Confidentiality of Medical Records Act ("Medical Records Law") and the federal regulations issued under the Health Insurance Portability and Accountability Act ("HIPAA"). In particular, you pose the following questions from the perspective of a State's Attorney:

1. During a criminal investigation, what process may be used to obtain medical records or information?

2. During a pending criminal case, what process may be used to obtain medical records or information?

3. With respect to both scenarios, what, if any, notice must be provided to the subject of the records and what is the appropriatestandard to be applied by a judge who may be called upon to approve a subpoena, warrant, or other order for medical records?

In responding to your questions, we have attempted to frame our conclusions in practical terms. However, we believe it is also useful to provide an overview of the relevant constitutional principles, statutes and regulations. Part I of this opinion discusses the scope and applicable standards of State and federal law governing disclosure of medical records. In most cases, both State and federal law will apply, in which case the more stringent requirement will be given effect. Also, mental health records and records pertaining to treatment for substance abuse may be subject *Page 45 to greater restrictions than are medical records generally. These laws are also discussed in Part I.

Part II of this opinion more directly responds to the first two questions you have posed. It describes the methods for obtaining medical records, including the types of compulsory process available for a criminal investigation and for a pending criminal case. Part II also explains how, with respect to many forms of criminal process, such as grand jury subpoenas and search warrants, State and federal confidentiality laws do not establish standards for the issuance of such process that are unique to medical records. However, those laws may require additional averments or showings when other forms of process are used, such as a State's Attorney investigatory subpoena, or a subpoenaduces tecum for a hearing or trial under Maryland Rule 4-265.

The issues of notice and judicial involvement, raised in your third question, are addressed in Part II in connection with each specific method for obtaining medical information, as the means chosen may govern what notice is required or what assurances must be made to protect a patient's privacy rights. As explained more fully below, notice to the patient is not a prerequisite for obtaining records in a criminal investigation, although it may be required to use certain types of process during the prosecution of a case. In either event, a health care provider who is served with compulsory process may choose to notify the patient, unless a court order is sought to delay or bar notice to the patient. To the extent that court approval is required for particular types of process — e.g., a search warrant — a court would apply the usual standard for issuance of that type of process. But if a patient objects to disclosure of medical information, a prosecutor may be required to demonstrate that the need for the information is a compelling one that outweighs the patient's right of privacy.

Finally, as a practical aid, Part III of this opinion outlines the analytical steps a State's Attorney should follow when seeking protected medical information in connection with a criminal investigation or criminal court proceeding. A State's Attorney who follows the procedures outlined in that part of the opinion should be able to obtain medical records for purposes of a criminal case in compliance with various State and federal confidentiality laws. *Page 46

A. Standards Derived from Constitutional and Statutory Sources

In Doe, supra, the Court of Appeals adopted an interest balancing test that took account of various factors: the type of record requested, the information it contains, the potential for harm in subsequent non-consensual disclosure, the injury from disclosure to the relationship for which the record was generated, the adequacy of safeguards to prevent unauthorized disclosures, the government's need for access, and whether there is an express statutory mandate, articulate public policy, or other public interest militating in favor of access. 384 Md. at 185-86 (adopting factors derived from UnitedStates v. Westinghouse Electric Corp., 638 F.2d 570, 578 (3d Cir. 1980)). With respect to the last factor, there is a "compelling" public interest in the enforcement of criminal and regulatory statutes.384 Md. at 188-89.

State and federal laws delineating the use and disclosure of medical records attempt to strike the appropriate balance between the needs of the State to acquire information for law enforcement needs and the interest of individuals in keeping health information private. The two primary laws governing confidentiality of medical records are the State Medical Records Law and the federal HIPAA *Page 47 regulations.¹ While HIPAA preempts inconsistent State laws, it specifically does not preempt "more stringent" State laws. Some requirements of State law are more protective of confidentiality than HIPAA; thus, both laws may affect the answers to your questions. Other federal and State laws protect special categories of records, such as records relating to treatment for substance abuse. Those laws must also be considered in specific cases.

As with certain other types of confidential information, ² medical records are often in the custody of a third party — for example, a provider or payer — rather than the individual with the direct privacy interest in the records. In the context of a criminal investigation or proceeding, that person m ay be a suspect, defendant, victim, witness, or only tangentially related to the inquiry or proceeding. Because service of a subpoena or other compulsory process on the custodian does not necessarily give notice to that individual who is the subject of the records, this raises the question you have highlighted of when such a person may be entitled to notice of the effort to obtain the records. In some circumstances, the confidentiality laws provide for such notice; in others, they do not. *Page 48

B. State Medical Records Law

"Medical Records" in Custody of "Health Care Providers"

The statute defines "medical record" broadly to include information transmitted in any form or medium that is identified with a particular patient and relates to the health care of the patient. HG § 4-301(h). It requires health care providers and others to preserve the confidentiality of medical records, although it permits disclosure with the written authorization or stipulation of the patient or another authorized person — collectively referred to as a "person in interest."⁴ HG §§ 4-302, 4-303, 4-306(b)(6)(ii). Under the statute, the phrase "health care provider" includes licensed health care professionals, health care facilities such as hospitals, clinics, and *Page 49 medical laboratories, health maintenance organizations, and the agents and employees of those individuals and entities. HG § 4-301(g).⁵ Permitted Disclosures

A health care provider may disclose "directory information" concerning a patient — defined as information concerning the presence and general health condition of the patient⁶ — without the *Page 50 authorization of a person in interest, unless the patient expressly directs otherwise in writing. HG §§ 4-301(b), 4-302(c). The law also permits other disclosures without the authorization of a person in interest in specified circumstances. HG §§ 4-305, 4-306. In some instances disclosure is within the discretion of the health care provider;⁷ in other instances it is mandatory.⁸ There are special restrictions for mental health records. HG § 4-307. Even when disclosure is authorized, the statute restricts use and redisclosure of the records by the person receiving them. HG § 4-302(d). *Page 51 Disclosure without Patient Consent for Criminal Investigations andProsecutions

The State Medical Records Law provides for disclosures without the consent of the patient in connection with certain types of proceedings and investigations. HG § 4-306. With respect to criminal matters, the statute provides, in relevant part:

A health care provider shall disclose a medical record without the authorization of a person in interest:

. . .

(7) Subject to the additional limitations for a medical record developed primarily in connection w with the provision of mental health services in § 4-307 . . ., to grand juries, prosecution agencies, law enforcement agencies or their agents or employees to further an investigation or prosecution, pursuant to a subpoena, warrant, or court order for the sole purposes of investigating and prosecuting criminal activity, provided that the prosecution agencies and law enforcement agencies have written procedures to protect the confidentiality of the records; . . .

H G § 4-306(b)(7). Documentation of the request for records, as w ell as of the disclosure of the records, is to be included in the patient's record. HG § 4-306(c). Thus, to obtain medical records for a criminal investigation or trial in compliance with the Medical *Page 52 Records Act, ⁹ a State's Attorney must use compulsory process¹⁰ — a subpoena, warrant, or court order — for the particular records and must have written procedures for protecting the confidentiality of medical records.¹¹ Redisclosure

While the State law is primarily addressed to disclosure by health care providers, it also restricts "redisclosure" — i.e., disclosure of the records by someone who obtains access to medical records under the statute. In particular, it states:

A person to whom a medical record is disclosed may not redisclose the medical record to any other person unless the redisclosure is:

(1) Authorized by the person in interest;

(2) Otherwise permitted by this subtitle;

(3) Permitted under § 1-202(b) or (c) of the Human Services Article [concerning mandatory notice of suspected child abuse]; or

(4) Directory information. HG § 4-302(d).

HG § 4-306. *Page 53 Special Restrictions for Mental Health Records

If medical records are compiled "primarily in connection with the provision of mental health services," there are additional restrictions on disclosure. HG § 4-307. In general, unless the patient otherwise consents, "only the information in the record relevant to the purpose for which disclosure is sought may be released." HG § 4-307(c). With respect to judicial proceedings, the statute authorizes a health care provider to disclose mental health records to a court in response to a court order. HG § 4-307(k)(1)(iv).¹² The statute also authorizes disclosure to grand juries, prosecutors, and law enforcement agencies in response to a subpoena without a court order for investigation of certain enumerated crimes by health care providers, provided that written confidentiality procedures are in place¹³ and efforts are made to redact information that identifies the patient. HG § 4-307(k)(1)(v)2.¹⁴

C. Federal HIPAA Regulations

The HIPAA regulations contain a general presumption of confidentiality of protected health information. There are exceptions to the general rule of confidentiality for disclosures for purposes of treatment, payment and health care operations. In addition, a patient may authorize disclosure of the information by signing a form that meets certain requirements. 45 CFR § 164.508(b). Beyond informational needs for the direct health care of the patient, or patient-directed disclosures, the regulations also recognize numerous additional public uses for health care information. One category of public uses for this information involves disclosures for law enforcement. Unlike the State Medical Records Law, the HIPAA regulations do not control redisclosure of health information.

General Rule of Confidentiality

The HIPAA regulations govern the confidentiality of "protected health information" in the custody of "covered entities." To understand the regulations, it is first necessary to understand those key terms. "Protected health information" is individually identifiable health information maintained or transmitted in any form or medium.45 CFR § 164.501; see also 45 CFR § 160.103 (definition of "health information"). "Covered entity" encompasses both health care professionals and facilities; it is defined to include health plans, health care clearinghouses (i.e., billing services and similar networks), and health care providers¹⁵ who transmit health information electronically — virtually all health care providers.45 CFR § 160.103.

The HIPAA regulations provide that "[a] covered entity may not use or disclose protected health information, except as permitted or required by [the HIPAA regulations]." 45 CFR § 164.502(a). Thus, as a general rule, the HIPAA regulations prohibit the use or disclosure of protected health information without the authorization of the patient. Patient authorization is not required to use or disclose the information for "treatment, payment, or health care operations." 45 CFR § 164.506. The regulations also specifically define other circumstances under which a disclosure may be made without first obtaining the patient's authorization. A provider may disclose *Page 55 directory information if the patient is given an opportunity to object to such disclosures. 45 CFR § 164.510(a). The regulations do not restrict the use or disclosure of "de-identified information."¹⁶ Disclosure for Law Enforcement Purposes

Under the H IPAA regulations, a "covered entity" may disclose protected health information to law enforcement officials for law enforcement purposes without the authorization of the patient or other authorized person in six enumerated circumstances.¹⁷45 CFR § 164.512(f). The HHS commentary states that this portion of the regulations was designed "to balance competing and legitimate interests" of public safety and individual privacy. See Standards for Privacy ofIndividually Identifiable Health Information, Final Rule, 65 Fed. Reg. 82461, 82678 (December 28, 2000). The rules attempt "to match the level of procedural protection for privacy . . . with the nature of the law enforcement need for access, the existence of other procedural protections, and individuals' privacy interests." Id. at 82679.

First, information may be disclosed in response to compulsory process "and as otherwise required by law." 45 CFR § 164.512(f)(1); see also45 CFR § 164.103 (definition of "required by law").¹⁸ In particular, protected health information may be disclosed "in compliance with and as limited by the relevant requirements of: *Page 56

(A) a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;

(B) a grand jury subpoena; or

(C) an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) The information sought is relevant and material to a legitimate law enforcement inquiry; (2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used."

45 CFR § 164.512(f)(1)(ii). Thus, a health care provider may respond to a grand jury subpoena or process issued by a judge or other "judicial officer."¹⁹ If administrative process is used, certain conditions must be met concerning the need for the information and the scope of the request. See Neb. Op. Atty. Gen. No. 03018, 2003 WL 21540497 (June 30, 2003) (application of law enforcement exception to fire marshal subpoena).

Second, protected health information may be disclosed in response to a request of a law enforcement officer (i.e., without compulsory process) for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.²⁰ *Page 57 45 CFR § 164.512(f)(2). However, the regulation limits such disclosure to specific types of information — e.g., name and address, date and place of birth, social security number, blood type, a description of physical characteristics, type of injury, and other similar information.Id. On the other hand, a covered entity may not disclose DNA information, dental records, or analysis of body fluids or tissue.45 CFR § 164.512(f)(2)(ii). The HHS commentary stresses that the regulation is not intended to allow a covered entity to disclose identifying information in the absence of a request initiated by law enforcement officers. 65 Fed. Reg. at 82531.

Other circumstances in which the regulations permit disclosure for law enforcement purposes without patient consent or compulsory process relate to protected health information about victims of crimes,45 CFR § 164.512(f)(3); about decedents who may have been victims of a crime,45 CFR § 164.512(f)(4); about crimes committed on the premises of the covered entity, 45 CFR § 164.512(f)(5); and about circumstances under which the entity is providing emergency care that may be the result of crime, 45 CFR § 164.512(f)(6).²¹ *Page 58

Upon request of a patient, a covered entity must make an "accounting" to the patient of any disclosures made under various exceptions, including the law enforcement exceptions outlined above.45 CFR § 164.528. However, the accounting can be delayed if the law enforcement agency notifies the entity that it would impede an investigation.45 CFR § 164.528(a)(2).

Other Permitted Disclosures Related to Law Enforcement

Some other exceptions to the general rule of confidentiality are also related to law enforcement purposes, although they concern disclosures initiated by the covered entity rather than by a prosecutor. One such provision concerns disclosures to law enforcement and other governmental authorities when the covered entity believes that an individual is a victim of abuse, neglect, or domestic violence. 45 CFR § 164.512(c). A covered entity is also permitted to disclose protected health information if it believes in good faith that the disclosure is necessary to avert a serious and imminent threat to health or safety or is necessary for law enforcement authorities to apprehend an individual who has admitted participation in a violent crime or escaped from a correctional institution. 45 CFR § 164.512(j).

Disclosure for Court Proceedings

The HIPAA regulations authorize a covered entity to disclose protected health information in judicial or administrative proceedings in response to a court or administrative order. 45 CFR § 164.512(e)(1)(i). If the covered entity receives a subpoena, discovery request, or other process that is not accompanied by a court order, it must receive certain "satisfactory assurances" from the party seeking the information before it may disclose the information. 45 CFR § 164.512(e)(1)(ii). To provide "satisfactory assurances," the party seeking the information must demonstrate either that it has given notice to the individual who is the subject of the information²² *Page 59 or that it is seeking a protective order concerning the information.²³ *Page 60 Alternatively, the covered entity may disclose protected health information in response to process without a court order if the covered entity itself makes reasonable efforts to notify the individual or to seek a protective order. 45 CFR § 164.512(e)(vi).

HIPAA Preemption of State Law

As a general rule, the HIPAA regulations preempt any contrary State law on the same subject. 42 U.S.C. § 1320d-7(a)(1). There is an exception to that general rule if a State law "imposes requirements, standards, or implementation specifications that are more stringent than" the comparable federal standard. Pub.L. 104-191, § 264(c)(2),incorporated by reference in 42 U.S.C. § 1320d-7 (a)(2)(B); seealso 45 C FR § 16 0.203(b). see generally 88 O pinions of the AttorneyGeneral 205 (2003) (discussing the extent to which federal HIPAA regulations preempt State Medical Records Law).²⁴

D. Laws Governing Records Relating to Substance Abuse Treatment

Since the early 1970s, federal law has provided for the confidentiality of records of programs for the treatment for alcohol and drug abuse. See 42 U.S.C. § 290dd-2.²⁵ That statute provides *Page 61 that "[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States" are to remain confidential and to be disclosed only as expressly allowed by the statute.42 U.S.C. § 290dd-2(a).²⁶

These records may be disclosed with the consent of the patient in certain circumstances. 42 U.S.C. § 290dd-2(b)(1). They may also be disclosed without patient consent in three situations described in the statute:

• to medical personnel to meet a "bona fide medical emergency"

• to "qualified personnel" for research, audit, or evaluation purposes, so long as any resulting report does not identify individual patients

• pursuant to a court order to avoid "a substantial risk of death or serious bodily harm"

42 U.S.C. § 290dd-2(b)(2). The statute explicitly prohibits the use of these records "to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient," except in very limited circumstances. 42 U.S.C. § 290dd-2(c).

The purpose of this statute is unambiguous. It is designed to encourage participation in drug treatment programs by eliminating *Page 62 the possibility that participation will be used to penalize an individual participant. See United States v. Eide, 875 F.2d 1429, 1436 (9th Cir. 1989) ("The rationale behind [42 U.S.C. § 290dd-2] is to encourage people with drug or alcohol problems to seek treatment");Doe v. Broderick, 225 F.3d 440, 449 (4th Cir. 2000) ("Congress was concerned primarily with fostering programs aimed at curtailing our nation's staggering substance abuse problems . . . Legislative history . . . confirms . . . that Congress intended to encourage individuals to seek treatment").

The federal statute authorizes HHS to adopt regulations to carry out the purposes of the statute. 42 U.S.C. § 290dd-2(g). Those regulations, which are found in 42 CFR Part 2, further delineate the prohibition against disclosure of records. The term "records" is defined broadly to mean "any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program."42 CFR § 2.11 (emphasis added). Similarly, although the statute applies only to federally assisted programs, the HHS regulations define "federal assistance" broadly to include licensing or certification of the entity by a federal agency, as well as "[f]ederal financial assistance in any form including financial assistance which does not directly pay for the . . . diagnosis, treatment, or referral activities." 42 CFR § 2.12(b). The prohibition on the use of information for law enforcement purposes extends to any information received or maintained by a program "for the purpose of treating alcohol or drug abuse, making a diagnosis for the treatment, or making a referral for the treatment." 42 CFR § 2.12(a)(2). The regulations include a limited exception for communications from program personnel to law enforcement officers related to a patient's commission of, or threat to commit, a crime on the program's premises or against its personnel. 42 CFR § 2.12(c)(5).

With respect to a general medical care facility such as a hospital, the regulations define "program" as:

An identified unit within a general medical facility which holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment; or

Medical personnel or other staff in a general medical care facility whose primary function is the provision of alcohol or drug abuse *Page 63 diagnosis, treatment or referral for treatment and who are identified as such providers.

42 CFR § 2.11. See also Center for Legal Advocacy v. Earnest,320 F.3d 1107 (10^th Cir. 2003) (definition of "program" in regulations does not include a hospital emergency room); United Statesv. Zamora, 408 F. Supp. 2d 295, 299-300 (S.D. Tex. 2006) (same).

Maryland Statute

The federal regulations concerning the disclosure and use of records of substance abuse treatment programs are incorporated into Maryland law by reference. HG § 8-601(c). Another part of the Maryland statute further restricts the use of such records by rendering them inadmissible in any proceeding against an individual who has sought treatment for substance abuse. HG § 8-601(a). The following types of evidence are specifically designated as inadmissible:

(1) oral or written statements of the person seeking treatment;

(2) observations and conclusions of a health professional or hospital; and

(3) results of tests to determine the presence of illegal substances in the person's body.

Id.²⁷ Thus, even if records relating to a treatment program can be *Page 64 obtained by law enforcement, a prosecutor could not introduce them into evidence in a prosecution.

Law Providing Greater Confidentiality Prevails

The federal regulations specifically provide that they are not intended to preempt State law. 42 CFR § 2.20. Thus, as with the HIPAA regulations, a disclosure permitted under the federal regulations may still be prohibited under State law.²⁸

E. Restrictions on Disclosure of Medical Information Held byGovernment Agencies

The federal Medical Assistance (Medicaid) law requires the State to provide safeguards that restrict the use or disclosure of information concerning applicants and recipients of medical benefits to purposes directly connected with the administration of the State Medicaid Plan.42 U.S.C. § 1396a(a)(7); 42 CFR § 431.300 et. seq. Maryland law prohibits the disclosure from State records of information regarding a recipient of medical assistance unless the disclosure is necessary for the administration of the program or is in accordance with a court order. Annotated Code of Maryland, Human Services Article, § 1-201;see also SG § 10-616(c) (PIA exemption for welfare records).

Process for Obtaining Medical Records for Criminal Cases

We also assume that neither the patient nor some other authorized person has consented to the disclosure of medical records or information to the prosecutor or police.³² Thus, we are concerned with situations in which a State's Attorney³³ is requesting or compelling production of medical records from a person that has an obligation under the law to protect their confidentiality.

A prosecutor in a State's Attorney's Office who seeks medical records for use in a criminal investigation or proceeding will have to satisfy requirements of both State and federal confidentiality laws. Regardless of the type of process used, for purposes of the State Medical Records Law, the State's Attorney's Office should have written procedures that govern how the confidentiality of medical records will be preserved. HG § 4-306(b)(7); Shady Grove Psychiatric Group v. State, 128 Md. App. 163,736 A.2d 1168 (1999). *Page 67

A. Obtaining Medical Records During Investigations

If the State's Attorney's Office has written procedures to protect the confidentiality of records, it may obtain medical records pursuant to a grand jury subpoena. Such a subpoena meets federal HIPAA and State standards for disclosure of medical records.45 CFR § 164.512(f)(1)(ii)(B); HG § 4-306(b)(7). Neither law specifies any special standard for the issuance of a grand jury subpoena for medical records. Thus, the usual standards would apply. A grand jury subpoena could be issued if the prosecutor reasonably believes that the records sought will further the investigation. The grand jury has the power to investigate and compel the production of records in connection with an investigation without any showing that a particular crime has been committed, that a particular person is suspected of a crime, or that the records subpoenaed are evidence of that crime. See In re SpecialInvestigation No. 244, 296 Md. 80, 91-94, 459 A.2d 1111 (1983).

Neither the State Medical Records Law nor HIPAA regulations require that the State's Attorney give notice to the person who is the subject of the subpoenaed records. See Gibson v. Texas, 225 S.W .3d 824 (Tex.Ct.App. 2007) (rejecting defendant's argument that prosecution should have notified him under HIPAA of grand jury subpoena for his medical records). Nor does the court rule governing grand jury subpoenas require notice to the subject of the records. See Maryland Rule 4-643. Records obtained by grand jury subpoena would be subject to the rules concerning grand jury secrecy. Maryland Rule 4-642; see also Maryland Rule 16-1006(e). Of course, a health care provider that has been served with a grand jury subpoena for medical records may itself choose to notify the patient unless a court orders otherwise.

If the records concern substance abuse treatment or mental health services, the State's Attorney may obtain the records through a grand jury subpoena only in very limited circumstances. Substance abuse treatment records are generally not disclosable in response to a grand jury subpoena alone unless the prosecutor obtains the consent of the patient or the information concerns a crime against the program or its personnel. 42 U.S.C. § 290dd-2(b); 42 CFR § 2.12(c)(5). A State's Attorney may use a grand jury subpoena to obtain records of mental health services w without patient consent only *Page 68 for investigation of a health care provider for certain specified offenses by the provider. HG § 4-307(k)(1)(v)2.

Search Warrant

A prosecutor may also obtain medical records by means of a search warrant in compliance with both the State Medical Records Law and HIPAA.45 CFR § 164.512(f)(1)(ii)(A); HG § 4-306(b)(7). There is no special standard for a search warrant for medical records. It may be issued upon a showing of probable cause to a judicial officer that a crime has been committed and that the particular records sought contain evidence related to that crime. CP § 1-203.

Notice would be given to the patient in connection with a warrant for medical records only if the patient had custody of the records and was served with the warrant. Maryland Rule 4-601. As is the case with a grand jury subpoena, a health care provider that has been served with a search warrant for medical records may itself choose to notify the patient unless a court orders otherwise. Court records related to a search warrant are sealed and confidential. Maryland Rules 4-601(e); 16-1006(e). With respect to search warrant for records of a substance abuse treatment program, the same limitations apply as with grand jury subpoenas.

The requirements for issuance of a search warrant are generally designed to take into account the privacy interest of the custodian of the place that is searched or the materials that are seized. In the case of a search and seizure of medical records, the privacy interests of the individual who is the subject of the records — who generally will not be the custodian — is also implicated. The United States Department of Justice has directed federal prosecutors not to use search warrants to obtain documentary materials such as medical records "in the private possession of a disinterested third party physician" unless the records are of "substantial importance" to an investigation and use of a less intrusive alternative, such as a grand jury subpoena, would substantially jeopardize the availability or usefulness of the records.28 CFR § 59.4(b); see also In re Subpoena *Page 69 Duces Tecum, 228 F.3d 341, 347-49 (4^th Cir. 2000) (comparing relative intrusiveness of search warrants and grand jury subpoenas).³⁴ A State's Attorney may wish to apply a similar standard in deciding whether to use a search warrant to obtain medical records.

Other Court Order or Judicially-Issued Subpoena

To the extent that such process may be authorized by the relevant statutes or rules, both the State Medical Records Law and the HIPAA regulations permit a prosecutor to obtain medical records by means of a court order or a subpoena issued by a judicial officer.45 CFR § 164.512(f)(1)(ii)(A); HG § 4-306(b)(7). Neither the State Medical Records Law nor HIPAA sets any particular criteria for the issuance of such a court order or judicially-issued subpoena; such criteria would have to be determined from the statute or rule under which the order or subpoena is issued. Cf. State v. Eichhorst, 879 N.E.2d 1144, 1150-55 (Ind.Ct.App. 2008) (court-authorized investigatory subpoena issued under Indiana law satisfied HIPAA; challenge to subpoena assessed under State law standards governing investigatory subpoenas). Similarly, any notice requirement would derive from the law authorizing the particular form of process. Access to records relating to substance abuse treatment would be limited in the same way as when a grand jury subpoena or search warrant is used.

As with records relating to grand jury subpoenas and search warrants, files and records of the court relating to criminal investigations are sealed and are open to inspection only by order of court. Maryland Rules 4-642(a), 16-1006(e). Proceedings relating to such investigations are to be "conducted out of the presence of all persons except whose presence is necessary." Maryland Rule 4-642(b). *Page 70 State's Attorney's Subpoena

You specifically asked whether medical records may be obtained pursuant to a subpoena issued under CP § 15-108.³⁵ That statute provides that a State's Attorney³⁶ may issue a subpoena "to a person to produce telephone, business, governmental, or corporate records or documents." CP § 15-108(a); see also CP § 14-110 (similar authority of State Prosecutor to issue subpoena). Medical records have routinely been considered to be business records under the statutory business records exception allowing business records to be received into evidence at trial. Annotated Code of Maryland, Courts and Judicial Proceedings ("CJ") Article § 10-101; see, e.g. Hall v. U. Md. Medical SystemCorp., 398 Md. 67, 86, 919 A.2d 1177 (2007).³⁷ There is no threshold requirement for issuance of a State's Attorney's subpoena other than it be "[f]or the limited purpose of furthering an ongoing investigation." CP § 15-108(a).

The statute provides that the State's Attorney must notify the person subpoenaed of the right to counsel in connection with any contacts with the State's Attorney's Office concerning the subpoena. CP § 15-108(b). In addition, the statute expressly recognizes that this investigatory tool "does not allow the contravention, denial, or abrogation of a privilege or right recognized by law." CP § 15-108(d). However, there is no requirement that the State's Attorney notify an individual who may be the subject of the subpoenaed records.

Under the State Medical Records Law, a prosecutor may use a State's Attorney's subpoena to obtain medical records to further an *Page 71 investigation, as HG § 4-306(b)(7) does not limit the term "subpoena" to court or grand jury subpoenas. See Shady Grove Psychiatric Group v.State, 128 Md. App. 163, 171, 736 A.2d 1168 (1999).³⁸ For purposes of the HIPAA regulations, a State's Attorney's subpoena under CP § 15-108 appears to fall within a category of compulsory process described as "an authorized investigative demand, or similar process authorized under law." 45 CFR § 164.512(f)(1)(ii)(C).³⁹ The HIPAA regulations authorize the disclosure of protected health information in response to such a subpoena if: (1) the information sought is relevant and material to the investigation, (2) the subpoena is specific and limited in scope, and (3) de-identified information⁴⁰ cannot be used. Id. HHS guidelines require that the subpoena be accompanied by a written statement affirming that these criteria are met. http://www.hhs.gov/ocr/privacy/hipaa/faq/permitted/law/505.html (last visited March 23, 2009).

Use of a State's Attorney's subpoena to access records relating to substance abuse treatment or mental health services would be limited in the same way as a grand jury subpoena.

Obtaining Information without Compulsory Process

As noted above, health care entities are permitted under HIPAA to disclose medical records to a State's Attorney's Office without compulsory process in a variety of circumstances related to criminal investigations — e.g., fugitive investigations, reports of child *Page 72 abuse, reporting crimes committed on the premises of the health care provider. However, to the extent that State law is more stringent and requires the use of compulsory process to obtain records, the State requirement will govern. Thus, in most investigations, unless a person in interest has authorized access to medical records, the State's Attorney will need to use a grand jury subpoena or other compulsory process to obtain them.

B. Obtaining Medical Records For Pending Criminal Cases

As noted above, the State Medical Records Law limits redisclosure of medical records, even if properly obtained under that law. HIPAA does not limit redisclosure. However, the limits under Maryland law likely still apply because they would be regarded as "more stringent" than HIPAA. 88 Opinions of the Attorney General at 216-17. Records obtained pursuant to compulsory process under HG § 4-306(b)(7) are obtained "for the sole purposes of investigating and prosecuting criminal activity." (emphasis added). A redisclosure by a prosecutor in the course of the investigation or a trial that results from that investigation is thus part of the purpose for which this exception exists and the records were disclosed. Thus, such redisclsoures are permissible as "otherwise permitted by [the Medical Records Act]." HG § 4-302(d)(2). The prosecutor should consider various ways of maintaining the privacy of patients, consistent with the needs of the case. For example, parties may stipulate to redaction of identifying information, or a protective order may limit access to the records. In addition, pursuant to the court rules, the clerk should be notified of medical records that remain confidential in the court files. See Maryland Rules 16-1006(h), 16-1010.

There are two forms of compulsory process available if the State's Attorney seeks production of medical records for use at a criminal trial when the records were not obtained during the course of the investigation.

Subpoena for Pre-Trial Production

In the context of a pending criminal case, a State's Attorney may seek a court order authorizing the issuance of a subpoena to compel the production in advance of trial of records that are "not *Page 73 privileged" and that may contain evidence. Maryland Rule 4-264.⁴¹ Issuance of such a subpoena is in the discretion of the trial judge and obviously excludes production of privileged material — for example, medical records that are covered by privileges governing patient communications w with mental health professionals. See Goldsmith v.State, 337 Md. 112, 122-23, 651 A.2d 866 (1995). In exercising its discretion to authorize a subpoena for pre-trial production of non-privileged records that are confidential, such as most medical records, the party seeking the records must demonstrate to the court that there is a likelihood that the records contain information relevant to an issue before the court. Id. at 127-29.⁴²

As outlined in Part I.B. of this opinion, under the State Medical Records Act, a State's Attorney may obtain medical records for a criminal prosecution by means of various forms of compulsory process. That law imposes no additional requirements in the context of a pending case, as opposed to an investigation. A court-approved subpoena for pre-trial production would also satisfy HIPAA. 45 CFR 164.512(f)(1)(A). Neither Maryland Rule 4-264 nor the medical confidentiality laws would require notice to the patient, unless the records concern mental health services. However, a court confronted with a request to issue such a subpoena might well insist on giving the patient notice and an opportunity to be heard on whether the court should order pre-trial production. *Page 74 Subpoena Duces Tecum for Hearing or Trial

A State's Attorney may cause the issuance of a trial subpoena that would require a custodian of medical records to bring them to a hearing or trial in a criminal case. Maryland Rule 4-265. Such a subpoena, which may require testimony as well as the production of records, is issued by the clerk and may be actually prepared by the prosecutor. Maryland Rule 4-265(b)-(c). A court order is not a prerequisite for the issuance of such a subpoena.

As indicated above, the State Medical Records Law would permit disclosure of medical records in response to a trial or hearing subpoena in a criminal prosecution. HG § 4-306(b)(7). However, the HIPAA regulations that authorize disclosure for a law enforcement purpose specify that the subpoena be issued by a "judicial officer."⁴³ For purposes of HIPAA, a court clerk is unlikely to be considered a "judicial officer." United States v. Zamora, 408 F. Supp. 2d 295, 298-99 (S.D. Tex. 2006);⁴⁴ cf. Harris v. State, 331 Md. 137, 160-61 n. 14, 626 A.2d 946 (1993) (criminal trial subpoena by itself does not satisfy the requirement of a "proper judicial order" for the disclosure of tax records by the Comptroller).

Alternatively, the HIPAA regulations permit disclosure of medical records in response to a subpoena "or other lawful process" without a court order if the prosecutor provides "satisfactory assurances" that the prosecutor has notified the individual who is the subject of the records or is seeking a protective order to preserve the confidentiality of the health information. 45 CFR § 164.512(e). In *Page 75 satisfying that requirement, a prosecutor might employ the forms and procedures set forth in HG § 4-306(b)(6) that are used in connection with various other types of compulsory process.⁴⁵

If the records sought relate to mental health services, a court order must be obtained and those records may only be used in the proceeding for limited purposes. In addition, privileged and irrelevant materials may be subject to objection or a motion to quash or for a protective order by the defendant, the witness, or the person who is the subject of the records. See Goldsmith v. State, 337 Md. 112, 129-30, 651 A.2d 866 (1995).

Protecting Confidentiality of Medical Records during CriminalProceedings

During a criminal proceeding, Maryland Rule 4-266(c) allows for the court to issue a protective order "for good cause shown" that may protect confidential information in medical records that subpoenaed for use at trial. A protective order may be fashioned to minimize the loss of confidentiality or embarrassment to the person whose records are disclosed, while still permitting appropriate use of the records as evidence. For example, in appropriate circumstances, such an order could restrict use of records in court; provide for the sealing of records, or portions of records; identify types of records that would be subject to further judicial scrutiny prior to their use; or require the return or destruction of records under certain conditions. During and after trial, Maryland Rule 16-1006(h) provides that medical records ordinarily remain confidential in the court files.⁴⁶ *Page 76

1 — Establish Written Confidentiality Procedures. A State's Attorney should have written procedures for protecting the confidentiality of medical records that are obtained for criminal cases. Such procedures are a prerequisite under State law for using compulsory process to obtain medical records for criminal matters.

2 — Determine Whether Compulsory Process is Required. In some circumstances, medical information may be provided to law enforcement officials, such as a State's Attorney, without patient authorization or compulsory process. For example, information may be provided about instances of suspected child abuse without compulsory process. "Directory information" may also be available. In most instances, however, a State's Attorney must use some form of compulsory process to obtain medical records.

3 — Determine Whether the General Confidentiality Laws Apply to theRecords. The application of various confidentiality laws generally depends on the nature and the origin of the records. Thus, to determine what laws apply, it is necessary to consider several questions:

• Are the records within the definitions of "medical records" under the State Medical Records Law and "protected health information" under the HIPAA regulations?

If the records relate to the health of an individual who is identifiable, the answer in both instances will be "yes" and both laws will likely apply. If the information sought is "directory information" — essentially, the presence and general health condition of the patient — both laws generally permit the release of such information without compulsory process.

• Is the person who has custody of the records a "health care provider" for purposes of the State Medical Records Law and a "covered entity" under the federal HIPAA regulations?

For most health care professionals and facilities, the answer to this question will be "yes"; in that case, both of those laws will restrict disclosure by the custodian. If the current custodian of the records is not a "covered entity", the HIPAA regulations will likely not apply. On the other hand, even if the current custodian of the records sought is not a "health care provider," State law may restrict their use or "redisclosure" if the custodian obtained them from a health care provider.

• Do the records relate to an individual's participation in a substance abuse treatment program?

If so, those records may not be used to prosecute that individual and other limitations will apply under both State and federal law. A State's Attorney will not be able to obtain records from a substance abuse treatment program for purposes of criminal prosecution unless the patient consents or the information relates to a crime against the program or its personnel.

• Do the records concern the provision of mental health services to one or more identifiable individuals?

If so, there are special restrictions under State law. Unless the patient consents to disclosure of records, a State's Attorney may obtain mental health services records without a court order only to investigate certain specified offenses by the provider of those services, if the State's Attorney has written confidentiality procedures and information identifying the patient is removed from the records. Otherwise, mental health records may be obtained for judicial proceedings only pursuant to a court order.

• Are the records in the custody of a government agency or do they relate to a government program such as the Maryland Medical Assistance Program?

If so, the Public Information Act or the statute governing the program may limit disclosure of the records. In that case, a court order may be required to obtain the records.

6 — Decide on the Appropriate Type of Compulsory Process. Different types of compulsory process are available to prosecutors to conduct investigations and to prosecute cases that have been charged. Under the medical record confidentiality laws, notice to the patient is not necessarily required, especially during the investigative phase.

Criminal Investigation:

• If the State's Attorney has written procedures to preserve the confidentiality of medical records, the State's Attorney may obtain such records by means of grand jury subpoena, search warrant, or court order without satisfying any criteria beyond that normally required for such process. Before using a search warrant, the prosecutor may wish to consider whether a less intrusive method, such as a grand jury subpoena, can be used instead without jeopardizing the availability or usefulness of the records.

• A State's Attorney may also use a State's Attorney's subpoena under Annotated Code of Maryland, Criminal Procedure ("CP"), § 15-108, to obtain medical records. However, with respect to a State's Attorney's subpoena, or any other process that could be characterized as administrative process, federal law requires that the State's Attorney be able to demonstrate that the information sought is relevant to a legitimate inquiry, that the amount of information sought is specific and limited in scope in light of the purpose for which it is sought, and *Page 79 that the need for the information cannot be satisfied by information not identified with a particular individual.

• When using investigative compulsory process, the State's Attorney is not required to give notice to the individual who is the subject of those records. However, the health care provider or entity that receives the subpoena may choose to notify the individual who is the subject of the records.

• A State's Attorney may use medical records obtained during the investigation in connection with a resulting prosecution. Protection of the confidentiality of individual patients may be accomplished through redaction, a protective order, and the designation under the Maryland Rules of confidential medical information in court filings.

• A State's Attorney may use a subpoena for pre-trial production under Maryland Rule 4-264 to obtain medical records in advance of trial if the State's Attorney obtains a court order by demonstrating to the court that there is a likelihood that the records contain information relevant to an issue in the case. Although there is no requirement of notice to the patient, a court might require such notice if the individual is not otherwise aware of the request.

• A State's Attorney may also use a subpoena duces tecum for a hearing or trial under Maryland Rule 4-265. This rule ordinarily does not require a court order for a subpoena to be issued. However, a recipient of a subpoena who is subject to the HIPAA regulations will need either a court order, "satisfactory assurances" from the State's Attorney that the prosecutor has notified the patient, or similar assurances that the prosecutor will seek a protective order from the court to preserve the confidentiality of the records. In considering whether to grant an order, the court may require a showing of the relevance and need for the records.

• The special limitations concerning the use of mental health records and records of substance abuse treatment programs also apply to subpoenas issued under Maryland Rules 4-264 and 4-265.

Douglas F. Gansler Attorney General

C. Frederick Ryland Assistant Attorney General

Robert N. McDonald Chief Counsel Opinions and Advice

¹ Some information or materials in a medical record may be covered by legal privileges, in addition to the statutory confidentiality restrictions. See Doe v. Maryland Board of Social Work Examiners,384 Md. 161, 168-71, 862 A.2d 996 (2004) (discussing State Medical Records Law in relation to privilege for communications related to mental health with licensed social worker). This opinion discusses the procedures for obtaining records consistent with the confidentiality statutes. It does not address various privileges that may pertain to specific records. This opinion also does not concern access to forensic reports or records concerning competency and criminal responsibility created under the procedures set forth in Annotated Code of Maryland, Criminal Procedure Article, § 3-101 et seq.

² In those contexts, the courts apply other statutes and court decisions must work out a similar balance between privacy interests and public need for records. See, e.g., Zaal v. State, 326 Md. 54,602 A.2d 1247 (1992) (educational records); Bond v. Slavin, 157 Md. App. 340,357-360, 851 A.2d 598 (2004) (financial records).

³ The Court of Special Appeals has described the Legislature's intent:

[The law] was enacted to provide for the confidentiality of medical records, to establish clear and certain rules for the disclosure of medical records, and generally to bolster the privacy rights of patients. The legislature recognized that, because of the personal and sensitive nature of one's medical records, a patient might experience emotional and financial harm if his medical records are improperly used or disclosed. It was further desired that the Act would enable health care providers to retain the full trust and confidence of their patients.

Warner v. Lerner, 115 Md. App. 428, 431-32, 693 A.2d 394 (1997),rev'd on other grounds, 348 Md. 733, 705 A.2d 1169 (1998).

⁴ The statute uses the term "person in interest" to encompass the patient or one of several individuals that would be authorized to consent to disclosure on behalf of the patient — e.g., a parent of a minor patient, a personal representative for the estate of a deceased patient, etc. HG § 4-301(k).

⁵ The statute provides:

(1) "Health care provider" means:

(i) A person who is licensed, certified, or otherwise authorized under the Health Occupations Article or § 13-516 of the Education Article to provide health care in the ordinary course of business or practice of a profession or in an approved education or training program; or

(ii) A facility where health care is provided to patients or recipients, including a facility as defined in § 10-101(e) of this article, a hospital as defined in § 19-301 of this article, a related institution as defined in § 19-301 of this article, a health maintenance organization as defined in § 19-701(g) of this article, an outpatient clinic, and a medical laboratory.

(2) "Health care provider" includes the agents, employees, officers, and directors of a facility and the agents and employees of a health care provider.

HG § 4-301(g).

⁶ The phrase is defined as follows:

(1) "Directory information" means information concerning the presence and general health condition of a patient who has been admitted to a health care facility or who is currently receiving emergency health care in a health care facility.

(2) "Directory information" does not include health care information developed primarily in connection with mental health services.

HG § 4-301(b).

⁷ Among the permissive exceptions are disclosures to the provider's staff, legal counsel, and insurer; to government agencies performing their duties; to persons conducting research, evaluation, or accreditation who agree not to redisclose patient identifying information; to other health care providers for treatment purposes; to third party payers from whom the patient is seeking payment; to provide for emergency health care needs; and for a variety of other carefully defined purposes. See HG § 4-305. Each of these exceptions requires that various conditions be met.

Arguably, information or records provided to law enforcement officers could be a disclosure "to a government agency performing its lawful duties as authorized by an act of the Maryland General Assembly . . ." HG § 4-305(b)(3). See Dorsey v. State, ___ Md. App. ___, 2009 WL 809451 (2009) at *19 (raising but not deciding the applicability of HG § 4-305(b)(3)). However, this exception appears to require more explicit authority under State law to obtain medical records; indeed, if it allowed routine disclosure to law enforcement officers, the limited authorization in HG § 4-306(b)(7) to disclose records in response to a criminal investigatory subpoena would be superfluous. None of the other exceptions in HG § 4-305 would authorize disclosure of records or information to law enforcement officers for prosecution purposes.

⁸ The statute provides for mandatory disclosures for purposes of child abuse investigations; to health professional licensing boards for licensing and disciplinary investigations; for purposes of defense of a civil action against a provider by a patient; in response to compulsory process; and for certain other limited purposes.

⁹ In Dorsey v. State, ___ Md. App. ___, 2009 WL 809451 (2009) at *14-18, the Court of Special Appeals held that this provision of the State Medical Records Law did not restrict the ability of the State Fire Marshal to obtain medical records by means of a subpoena under Annotated Code of Maryland, Public Safety Article, § 6-310(b)(2). The court explicitly did not decide whether production of the records in response to the subpoena complied with the HIPAA regulations. Id. at 19 n. 13.

¹⁰ Medical record information can be disclosed without a subpoena in connection with an investigation of a suspected case of child abuse or neglect or of vulnerable adult abuse. HG § 4-306(b)(1).

¹¹ Written procedures concerning mental health records are to be developed in consultation with the Director of the Mental Hygiene Administration. HG § 4-307(k)(1)(v)2.A.

¹² The statute specifically cross references certain exceptions in the statutes that define privileges for communications with mental health professionals. See Annotated Code of Maryland, Courts Judicial Proceedings ("CJ"), §§ 9-109 (psychiatrists and psychologists), 9-109.1 (professional counselors and psychiatric mental health nursing specialists), and 9-121 (licensed social workers). For example, one such exception relates to criminal proceedings where the defendant introduces his mental condition as an element of the defense. See, e.g., CJ § 9-109(d)(3)(i).

¹³ As noted above the confidentiality procedures are to be developed in consultation with the Director of the Mental Hygiene Administration. HG § 4-307(k)(1)(v)2.A.

¹⁴ Information obtained under this provision is disclosable, but may not be used in a proceeding against the patient. HG § 4-307(k)(3).

¹⁵ A health care provider is defined as a ". . . provider of medical or health services . . . and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." 45 CFR § 160.103.

¹⁶ The regulations spell out in some detail how information becomes "de-identified." See 45 CFR §§ 164.502(d)(2), 164.514(a), (b).

¹⁷ The regulations employ the term "law enforcement official," which is defined to include "an officer or employee of any agency or authority of . . . a State [or] a political subdivision of a State . . ., who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law." 45 CFR § 164.501.

¹⁸ This regulation generally defines "required by law" to mean "a mandate contained in law that compels an entity to make a . . . disclosure of protected health information and that is enforceable in a court of law." The definition includes an illustrative list of such mandates, somewhat duplicative of the list in45 CFR § 164.512(f)(1).

¹⁹ The regulations do not define "judicial officer." Several courts have held that a court clerk is not a "judicial officer" in a variety of contexts, including at least one case interpreting the HIPAA regulations. See United States v. Zamora, 408 F. Supp. 2d 295, 298 (S.D. Tex. 2006).

²⁰ The HHS commentary explains:

In the limited circumstances where law enforcement interests are heightened, we allow disclosure of protected health information without prior legal process or agreement, but we impose procedural protections such as limits on the information that may lawfully be disclosed, limits on the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures.

65 Fed. Reg. at 82679. We note that the HHS Office of Civil Rights has indicated a willingness to provide technical assistance to covered entities to ensure compliance with the HIPAA regulations. See68 Fed. Reg. 18895, 18897 (April 17, 2003).

²¹ Such a disclosure may be made when necessary to alert law enforcement to the commission and nature of the crime, the location of the crime or its victims, and the identity, description, or location of the perpetrator of the crime. 45 CFR § 164.512(f)(6)(i). If the medical emergency appears to be the result of abuse, neglect, or domestic violence, a separate provision applies. 45 CFR § 164.512(c), (f)(6)(ii).

²² 45 CFR § 164.512(e)(1)(ii)(A). The regulations elaborate:

For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

(1) No objections were filed; or

(2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures sought are consistent with such resolution.

45 CFR § 164.512(e)(1)(iii).

²³ 45 CFR § 164.512(e)(1)(ii)(B). The regulations further explain:

For purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

45 CFR § 164.512(e)(1)(iv). The regulations also provide standards for what is a "qualified protective order." 45 CFR § 164.512(e)(1)(v).

²⁴ Two other recent opinions have also discussed the general interaction of State and federal health confidentiality laws. 89 Opinions of the Attorney General 81 (2004) (application of HIPAA rules in State guardianship proceedings); 92 Opinions of the AttorneyGeneral 107 (2007) (effect of confidentiality rules on development of health information exchange).

²⁵ In the early 1970s, Congress passed two laws designed to support alcohol and drug treatment, each of which provided for the confidentiality of patient records related to federally-assisted programs. See Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, Pub.L. 91-616,84 Stat. 1848, § 333 (December 31, 1970); Drug Abuse Office and Treatment Act of 1972, Pub.L. 92-255, 86 Stat. 65, § 408 (March 21, 1972). These two acts have been amended several times in the intervening years; the provisions that govern the confidentiality and disclosure of alcohol and drug abuse patient records have been combined and codified at 42 U.S.C. § 290dd-2.

²⁶ The prohibition does not apply to a report of suspected child abuse or neglect or to certain exchanges of information involving the armed forces. 42 U.S.C. § 290dd-2(e).

²⁷ The statute provides:

If any individual seeks counseling, treatment, or therapy, for any form of drug or alcohol abuse, from a health professional . . . or hospital . . . since the oral or written statements that the individual makes and the observations and conclusions that the health professional, hospital, or other person derives or the results of an examination to determine the existence of an illegal or prohibited drug in the body of an individual are not admissible in any proceeding against the individual. . . .

HG § 8-601(a). The statute contains exceptions for court-ordered evaluations under HG § 8-501 et seq. and examinations in connection with parole and probation proceedings. HG § 8-601(a)(1)-(2). The statute was originally passed in 1988 and underwent some technical changes in 1989.See Chapter 758, § 2, Laws of Maryland 1988; Chapter 782, § 3, Laws of Maryland 1989.

²⁸ Of course, a disclosure prohibited by federal law could not be authorized by State law. See 42 CFR § 2.20.

²⁹ Also specifically included within this provision are reports that local health departments receive from physicians who diagnose cases of HIV or AIDS. SG § 10-617(b)(2)(iii). Such records are also confidential, non-discoverable, and inadmissible pursuant to HG § 18-201.1.

³⁰ At least two courts have held that health information specifically obtained for law enforcement purposes — in these cases, the results of blood draws in DUI cases — are not "protected health information" for purposes of the HIPAA regulations. State v.Friedman, 735 N.W.2d 747, 2007 WL 1486085 (Wis.Ct.App. 2007) (unpub);State v. Neely, 2005 WL 3610426 (Ohio Ct.App. 2005). Neither decision is considered to have precedential value in the jurisdiction in which it was rendered.

³¹ A prosecutor may come into possession of protected health information in other ways — e.g., it may be given to law enforcement officials voluntarily as part of a complaint, provided in compliance with a mandatory reporting statute, obtained as part of routine police work from individuals not subject to the confidentiality laws, or contained in a statutorily required report to a court (for example, a report on a defendant's competency to stand trial, CP § 3-105(d)).

³² Consent by a person in interest eliminates most issues related to compulsory process. Authorization of disclosure would have to satisfy certain requirements of both State and federal law. See HG § 4-303(b);45 CFR § 164.508(c); see also 88 Opinions of the Attorney General 205, 218-19 (2003). Most health care practitioners and facilities have authorization forms available to deal with health information record requests.

³³ Somewhat different rules apply to specialized prosecution agencies such as the Medicaid Fraud Control Unit ("MFCU") of the Attorney General's Office, which was created pursuant to federal standards for such units. See 42 U.S.C. § 1396b(q); 42 CFR Part 1007. Such a unit is considered a "health oversight agency" under the HIPAA regulations. 45 CFR §§ 164.501, 164.512(d); see also Standards forPrivacy of Individually Identifiable Health Information, FinalRule, 65 Fed. Reg. 82461, 82492 (December 28, 2000).

³⁴ Although we are aware of no cases in Maryland, courts in some jurisdictions limit prosecutorial access to records obtained by search warrant until notice has been given to the individuals who are the subject of the records. See State v. Rattray, 903 So.2d 1015, 1018 (Fla.Ct.App. 2005).

³⁵ Until 2008, this statute was codified at Annotated Code of Maryland, Article 10, § 39A. See Chapter 15, Laws of Maryland 2008.

³⁶ Such a subpoena may also be issued by a deputy State's Attorney designated in writing by the State's Attorney. CP § 15-108(a).

³⁷ Such a subpoena presumably pertains only to records already in existence. In Shady Grove Psychiatric Group v. State, 128 Md. App. 163,167, 736 A.2d 1168 (1999), the Court of Special Appeals raised the question whether a State's Attorney subpoena requiring a hospital to generate a compilation of patients who had appointments at the hospital at particular times actually required the production of existing records. However, because the parties had not properly raised the issue, the court did not resolve it.

³⁸ In Shady Grove, a hospital served with a State's Attorney's subpoena refused to comply with it on the basis that compliance would violate the Medical Records Act and various statutes establishing privileges for communications between patients and mental health care providers. None of these objections was sustained. The Court held that the subpoena could not be enforced because the prosecution did not adequately demonstrate that it had written confidentiality procedures as required by HG § 4-307.

³⁹ When it adopted the HIPAA regulations, HHS considered, but rejected, arguments that no health information should be acquired for criminal investigations without a court order. See 65 Fed. Reg. 82461, 82679.

⁴⁰ Standards for whether information is considered "de-identified" are set forth in the regulations. See note 16 above.

⁴¹ The rule states:

On motion of a party, the circuit court may order the issuance of a subpoena commanding a person to produce for inspection and copying at a specified time and place before trial designated documents, recordings, photographs, or other tangible things, not privileged, which may constitute or contain evidence relevant to the action. Any response to the motion shall be filed within five days.

Maryland Rule 4-264. The rule provides an opportunity for a defendant to object to the motion. Presumably, the party subpoenaed may, once served with the subpoena, file a motion to quash the subpoena or for a protective order pursuant to Maryland Rule 4-266(c).

⁴² The Court of Appeals has indicated that a trial court's decision whether to issue a subpoena under Maryland Rule 4-264 is assessed under an abuse of discretion standard. Goldsmith, 337 Md. at 129.

⁴³ Note that the State Medical Records Law does not require that a subpoena be issued by a "judicial officer." See HG § 4-306(b)(7). However, the HIPAA requirement would preempt the more permissive State law in most instances. See Part I.B. above.

⁴⁴ In Zamora, the prosecution sought to obtain the defendant's medical records by means of a subpoena issued by a court clerk. In ruling on the defendant's motion to quash that subpoena, the court held that the subpoena was not a subpoena issued by a judicial officer, but that the government's response to the motion to quash was the equivalent of a motion for a court order. The court found that such an order would be justified under a probable cause standard, although it did not hold that probable cause was a prerequisite for the issuance of such an order. 408 F. Supp. 2d at 298-99.

⁴⁵ Those forms and procedures were added to the statute in 2005, apparently to help ensure compliance with the "satisfactory assurances" requirements of the HIPAA regulations. Chapter 503, Laws of Maryland 2005.

⁴⁶ Notice should be provided in written form to the clerk of the court that such materials are present in a court file. Maryland Rule 16-1010(a). *Page 81