Health information management (HIM) professionals must be prepared to address risks related to release of information (ROI) and protected health information (PHI) disclosure management when a lawsuit is involved. In the event of litigation, your organization can expect to receive requests for patient records regarding a specific encounter or incident.

If your facility is facing a lawsuit, crossover between HIM and risk management is inevitable. For example, risk management may have electronic health record (EHR) access, with the ability to pull information as needed to prepare for an investigation. The situation can be tricky when risk management has prepared information for the hospital’s attorney, while opposing attorneys have come through ROI. We’ve seen cases where there are two sets of records, from different print queues, presented in court. Ensuring consistent information is critical.

The following hypothetical case study emphasizes the importance of collaboration among all parties—including HIM, risk management, legal counsel, compliance, privacy, and data integrity—when release of information is required as part of a lawsuit.

Case Study Scenario

In response to a lawsuit filed against Hospital A, the facility’s risk management department has prepared patient health records for in-house counsel review. Risk managers have a print queue providing information from both the legal health record and portions of source systems that supply information to the legal health record. The information concerning “Patient Z” includes 1,989 pages for evaluation.

At the time, risk management was not aware of current open items for quality review. Because the record was not placed in legal hold, the updates to data integrity items were made in the legal health record. The in-house legal counsel was not aware that updates to the documentation, made at the request of the data integrity division, clinical documentation improvement (CDI), had been entered by the physician. Both the surgeon and the radiologist had used voice-activated transcription technology for their reports, which were authenticated without complete review for integrity.

Hospital A receives a request from the opposing attorney for patient health records in preparation for litigation. The subpoena for Patient Z’s health records is received by the HIM department, ROI division. The employees assigned to handle release of information have access to various print queues to perform their task. The ROI division view did include CDI queries and corresponding physician responses. The opposing attorney receives 2,035 pages of Patient Z’s legal record based on the appropriately assigned print queue provided in response to the subpoena.

When the two groups begin litigation, it is apparent that they are working with different sets of information. The opposing attorney questions why he did not receive all information according to the subpoena. Despite an explanation of the two health record views and the print queue assignment, the opposing counsel seems to suspect that Hospital A has attempted to suppress information. The resolution of the case is delayed, requiring sealed records submitted to the court and the case presented to a jury.

What went wrong in this case? Hospital A failed on two counts: to issue a legal hold to preserve the view provided for legal evaluation, and to establish an e-discovery process to ensure proper response to the court system. Had the facility followed information governance policies and procedures—appointing one group to be the source of health information, along with thoughtful review regarding the contents of the defined legal health record for the patient—the case might have been resolved efficiently, outside of the court system.

Responding to e-Discovery Requests

The transition to EHRs and the advent of telemedicine require increased responsibility for responding to e-discovery requests. For example, consider communication between patients and physicians via email or portals. That information may or may not be in the patient’s health record, but it is part of the e-discovery process.

HIM experts suggest that all facilities, including small practices, take proactive measures to prepare for these requests. The most effective approach will align with an information governance plan that promotes prompt and accurate response to e-discovery requests. Knowing how to respond to an e-discovery request ensures HIM professionals are better prepared in the event of litigation. And learning to navigate the organization’s EHR system supports overall improved records management.

Four Steps for Responding to EHR Requests

Certifying records requested for the legal process requires that any copy provided is an exact duplicate of the original. When responding to requests for EHRs, four steps are recommended:

1. Determine if the request is valid—verify identity and authority of the requester.

2. Validate that the format of the request meets state legal requirements for a valid subpoena or court order. Check state law for specific requirements.

3. Determine the legal power of the document—such as what information may be disclosed, what authorizations are required, and what state laws apply.

4. Disclose the information to the designated recipient according to the patient or legal guardian, court, or lawyer designated on the subpoena or court order.

Best Practices Begin with Collaboration

If a facility faces litigation, the first step is to bring together everyone involved, with all pertinent documentation, to ensure one unified view of the information required to meet legal requirements. This tactic is aligned with centralized PHI disclosure management versus a siloed approach. Unfortunately, silos exist, which creates risk, slows processes, and prompts questions—especially if the risk management and HIM print queues produce inconsistent documentation. If that happens, the opposing attorney may suspect an attempt to suppress or skew evidence. Once questions arise, even the true story may seem unbelievable.

Failure to issue legal hold comes up often. Many organizations are not using legal hold, especially for electronic health records, as they should. Legal hold preserves all forms of relevant information to avoid evidence spoliation. Upon notification of intended litigation, a hold should be issued immediately. Once records are gone or tampered with, it is difficult if not impossible to reverse that action.

In response to subpoenas, HIM and risk management must work together to ensure proper disclosure of PHI according to the HIPAA Privacy Rule. Your legal counsel, both internal and external, is responsible for knowing the rules and handling subpoenas for patient records. Seek their direction throughout the legal process—collaboration is essential. Here is a summary of best practices to consider when lawsuits occur and records are requested:

  • Promote collaboration among all involved—HIM, risk management, legal counsel, compliance, privacy, and data integrity/CDI.
  • Ensure one unified view of the information required to meet legal requirements—consistency is critical.
  • Issue legal hold as soon as litigation is anticipated or initiated.
  • Use a proactive approach based on information governance policies and procedures for releasing patient records and protecting privacy.
  • Understand HIPAA rules and regulations, along with other state laws and regulations that apply.
  • Establish a process for responding to e-discovery requests.
  • Consult as needed with internal and outside legal counsel for guidance.


Rita Bowen is vice president of privacy, compliance and HIM policy at MRO.


  1. “Upon notification of intended litigation, a hold should be issued immediately.” While this is great in theory, my question is how to make this applicable in real life? If a patient had a bad experience, the family speaks to an attorney while the patient is in the hospital and notification of legal action occurs very soon after discharge, if the record is immediately on hold, how does important information get placed in the chart such as pending test results, missing signatures (yes, this still happens with CPOE) and even discharge summaries that have not been dictated? Sounds like we then have a choice between providing incomplete information or delayed information – some choice.

  2. Constructive and practically applicable article. Appreciate the scenario along with the critical-thinking evaluation of the challenge. Helpful to both the workforce and students; brava, Rita!

    1. I agree with you, Madonna, this is an excellent article. The case study is very beneficial and takes me right back to your (Madonna) Medical Legal course. This provides practical application for true life scenarios rather than theoretical. Great job Rita!
