Subpoena vs. HIPAA Authorization for Records

CEO & Founder at LlamaLab
Subpoena vs. HIPAA Authorization for Medical Records
Choosing the wrong method for obtaining medical records can cost a case weeks of delay. A HIPAA authorization averages 30-45 days for provider response, while a subpoena typically compels production in 7-14 days. For attorneys managing active litigation, that gap can mean the difference between meeting a discovery deadline and filing for an extension.
The stakes are higher than usual right now. The 42 CFR Part 2 compliance deadline of February 16, 2026 has reshaped how substance use disorder treatment records are disclosed, and OCR resolved 21 HIPAA enforcement actions in 2025 alone. Getting the method wrong does not just slow a case down. It can trigger compliance violations for the provider and leave key evidence out of reach.
HIPAA Authorization: 45 CFR 164.508
A HIPAA authorization is a signed document in which the patient voluntarily consents to the release of protected health information. It is governed by 45 CFR 164.508 and is the standard method when an attorney needs records from a cooperative provider on behalf of their own client.
The process is straightforward in theory. The patient signs, the attorney sends the form to the provider, and the provider responds. In practice, turnaround averages 30-45 days because most providers batch-process authorization requests alongside hundreds of others. Some large health systems take even longer.
Authorizations work best in pre-litigation, when discovery has not yet begun and no adversarial dynamic exists with the provider. They also avoid the procedural overhead of a subpoena, since there is no need for patient notification or a qualified protective order.
Six Required Elements of a Valid HIPAA Authorization
One critical detail: the Privacy Rule prohibits providers from conditioning treatment on signing an authorization. An authorization that bundles consent for treatment with consent for disclosure is invalid on its face.
Subpoena: 45 CFR 164.512(e)
A subpoena is a legal instrument that compels a provider to produce records, governed under 45 CFR 164.512(e). Unlike an authorization, it does not require the patient's signature. It requires legal process.
Before a covered entity can release records in response to a subpoena, it must receive what HIPAA calls "satisfactory assurances" from the requesting party. That means one of two things: proof that the patient received adequate notice and did not object within the allowed period, or a qualified protective order that restricts how the records can be used.
A qualified protective order prohibits the parties from using PHI for any purpose other than the litigation at hand and requires its return or destruction at the end of the case. Attorneys can either negotiate one with opposing counsel or petition the court directly.
Subpoenas are faster. State subpoenas typically allow 7-14 days for response, and providers treat them with more urgency than authorization requests. But the procedural requirements are stricter. A subpoena missing proper patient notice can be quashed, leaving the requesting attorney back at square one.
When to Use Each Method
The decision is not always obvious. Here is how the two approaches compare across common litigation scenarios.
When to Use Authorization vs. Subpoena
HIPAA Authorization
- Own Client's Records: Authorization is the standard path for your client's treatment history
- Pre-Litigation Phase: No formal discovery needed, authorization is sufficient
- Cooperative Provider: Provider responds to requests without legal compulsion
- Part 2 SUD Records (With Consent): Patient willing to authorize substance use disorder records
Subpoena
- Opposing Party Records: Subpoena is the only viable path for adverse party records
- Non-Responsive Provider: Provider ignoring authorization requests responds to legal compulsion
- Expedited Timeline Needed: 7-14 day subpoena response vs. 30-45 day authorization wait
- Third-Party or Discovery Records: Records from non-treating providers or during active discovery
One scenario requires both methods at once: 42 CFR Part 2 substance use disorder records of patients who have not consented need a court order in addition to the subpoena. A standard authorization or subpoena alone will not suffice.
Common Mistakes That Get Requests Rejected
Providers reject record requests more often than most attorneys realize. According to Holland & Hart's HIPAA analysis, "most of the authorizations attorneys see do not contain the required elements and are, therefore, invalid." The following errors account for the majority of rejections.
1. Overly Broad Authorizations. Requesting "any and all records" or "the entire medical record" invites objections. HIPAA requires a specific and meaningful description of the information to be disclosed. "Office visit notes from January 2024 through March 2025" passes. "All records" often does not.
2. Missing Required Elements. The six core elements under 45 CFR 164.508 are non-negotiable. The most commonly omitted: expiration date, revocation rights statement, and redisclosure notice. Any one missing element renders the authorization invalid.
3. No Patient Notice on Subpoenas. Under 45 CFR 164.512(e), the requesting party must demonstrate that the patient was notified and given time to object. Skipping this step gives the provider legal grounds to refuse production entirely.
4. Using Attorney-Drafted Forms. Many attorneys send their own authorization forms with subpoenas. The problem: attorney-drafted forms frequently omit elements that HIPAA requires. Providers prefer, and sometimes insist on, their own forms.
5. Incomplete or Outdated Patient Information. Wrong name spellings, outdated addresses, or inverted date-of-birth fields cause providers to reject requests as unverifiable. This is especially common in mass tort cases where intake data may not be fully validated.
6. State-Specific Procedural Errors. California requires a Notice to Consumer with a 15-day objection period. Missing it invalidates the subpoena. New York requires requesters to qualify under Public Health Law Section 18. Each state adds its own layer of requirements on top of federal HIPAA rules.
Whether a firm handles requests in-house or through a retrieval partner, these six errors are the ones to audit first.
How LlamaLab Eliminates the Wait
The timelines above assume a firm is submitting requests manually, one provider at a time, and waiting for each to respond. LlamaLab's retrieval process works differently.
60% of records come back within 24 hours. The remaining requests typically resolve within 0-5 days. That is not a replacement for subpoenas, which remain the right tool when legal compulsion is required. But for authorization-based retrieval, the 30-45 day industry average does not have to be the default.
The speed comes from three things working together.
Provider Intelligence Engine
A continuously updated database built from years of high-volume retrieval across millions of providers. Identifies the exact department, correct contact method, and optimal routing for each facility based on historical response patterns.
- Right department, right form, right channel for every facility
- Routing optimized by historical response data
- Direct integrations with health data networks and clinical groups
AI-Powered Provider Discovery
Before a single request goes out, a reverse search algorithm identifies providers the client may have forgotten or never mentioned. Firms find 30% more providers than traditional retrieval services.
- Reverse search finds providers clients forget
- 30% more providers discovered vs. traditional methods
- Fewer gaps in medical evidence, fewer follow-ups
Automated Compliance & Submission
AI validates every authorization for the six required HIPAA elements before submission, routes to the correct provider contact, and sends automatically with delivery confirmation.
- Pre-submission HIPAA compliance validation
- Automatic follow-ups and escalations
- 60% of records returned same day, zero human touch
For firms handling personal injury or mass tort caseloads, the combination of accurate provider targeting, compliant submissions, and network access compresses what used to take weeks into days.
State Variations to Know
HIPAA sets a federal floor, not a ceiling. When state law provides greater privacy protections, state law controls. Four states stand out for practitioners handling multi-jurisdiction cases.
California layers the Confidentiality of Medical Information Act (CMIA) on top of HIPAA. Subpoenas for medical records require a Notice to Consumer and a 15-day window for the patient to object. California also requires an Evidence Code Section 1561 declaration from the records custodian.
New York restricts who can request records. Under Public Health Law Section 18, a requester must qualify as a "qualified person," and additional protections apply to mental health records under the Mental Hygiene Law.
Florida is more permissive. Under Florida law, medical records may be furnished without written authorization when a court issues a subpoena to a party in a lawsuit requiring them to provide their records. This simplifies the process compared to most other states.
Texas has enacted stricter healthcare privacy safeguards beyond federal requirements, including comprehensive AI-related laws affecting how health data is processed and disclosed.
The Part 2/HIPAA alignment rule adds another dimension. As of February 16, 2026, HIPAA-covered entities that receive Part 2 substance use disorder records can re-disclose them under HIPAA rules, but Notices of Privacy Practices must be updated to reflect this change. Firms requesting SUD records should confirm that provider NPPs have been updated before assuming standard HIPAA disclosure applies.
What This Means for 2026
The overall trend is clear: compliance requirements are increasing from both federal and state directions. Firms that treat record retrieval as a purely administrative task risk delays, rejections, and regulatory exposure. Those that build compliance into every request, whether through internal protocols or retrieval partners like LlamaLab, will avoid the most common pitfalls.
The Bottom Line
Authorization and subpoena are not interchangeable tools. Authorization is the right choice for a cooperative provider releasing a client's own records in pre-litigation. Subpoena is the right choice when speed matters, when the provider is non-responsive, or when the records belong to an opposing party.
The cost of choosing wrong is measured in weeks. Getting it right starts with knowing which federal and state rules apply, including the six required HIPAA authorization elements and the satisfactory assurance requirements for subpoenas. The regulatory environment is getting more complex, not less. Building compliance into the request process from the start is the only reliable way to keep cases moving.
Sources: 45 CFR 164.508, 45 CFR 164.512, HHS.gov Court Orders and Subpoenas, HHS.gov Authorizations FAQ, HHS.gov Part 2, Holland & Hart HIPAA Checklist, Nixon Peabody 2025 HIPAA Enforcement, HIPAA Journal, MedSafe HIPAA Enforcement 2025, California Civil Code Section 56.10.




