Yundra
← All articlesRisk & Audit

You Got a Subpoena for Client Records. Now What?

12 min read

You open the mail, or someone hands you an envelope at the door, and there it is: an official-looking document with a case caption, a court's name, and a demand for "any and all records" relating to one of your clients. Your heart rate jumps. There's a deadline. There's legal language. And you have exactly zero training in what to do next, because graduate school never covered this.

First, breathe. You almost certainly do not have to do anything today, and you very likely should not just photocopy the file and send it. Responding correctly is a process, and rushing it is how therapists get into trouble.

Let's walk through it.

A subpoena is not a court order — this distinction matters enormously

This is the single most important thing to understand, and it's the thing most therapists get wrong.

A subpoena is typically a document issued by an attorney or a court clerk demanding documents or testimony. In many cases it has not been reviewed by a judge at all. An attorney in a civil case can generate one with their own signature.

A court order is signed by a judge or magistrate. It reflects a judicial decision that you must do the thing it says.

Why does the difference matter so much? Because under HIPAA, your obligations are different, and your ability to push back is different.

If you receive a genuine court order, HIPAA permits you to disclose the PHI expressly authorized by that order under 45 CFR § 164.512(e)(1)(i) — though you still disclose only what the order specifies, and you must still consider whether other protections (like psychotherapy notes rules and state law) apply.

If you receive a subpoena, discovery request, or other lawful process that is NOT accompanied by a court order, HIPAA does not let you simply hand over the records. Under § 164.512(e)(1)(ii), you may only disclose if you receive "satisfactory assurances" that certain protections are in place. In other words, a bare subpoena triggers obligations to protect the client — not a duty to comply on the spot.

So before anything else: figure out which one you're holding. Look for a judge's signature. If a judge didn't sign it, treat it as a subpoena, not a command.

What "satisfactory assurances" actually means

Under § 164.512(e)(1)(ii), when there's no court order, you may release records in response to a subpoena only if you get satisfactory assurances that one of these is true:

  • The client has been notified. The party seeking the records has made reasonable efforts to give the client notice of the request, including enough information for the client to object — and the time to object has passed without a successful objection. (§ 164.512(e)(1)(iii))
  • A qualified protective order is in place. The parties have agreed to, or the requesting party has sought, a qualified protective order — an order that limits use of the PHI to the litigation and requires the records to be returned or destroyed at the end. (§ 164.512(e)(1)(iv) and (v))

If you don't have satisfactory assurances of one of these, the safe and compliant move is to not release, and to communicate that you cannot release without proper assurances or a court order. You can even take reasonable steps to seek a qualified protective order yourself.

This is genuinely protective of your client, and it's also protective of you. Releasing records you weren't authorized to release is itself a HIPAA violation and can expose you to a licensing complaint or a lawsuit.

Psychotherapy notes get even higher protection

If the records being sought include psychotherapy notes, the bar goes up further.

HIPAA defines psychotherapy notes narrowly — they are the notes you record during a counseling session that are kept separate from the rest of the medical record, documenting or analyzing the contents of conversation. They explicitly do not include things like medication management, session start and stop times, diagnoses, treatment plans, symptoms, prognosis, or progress to date. Those belong to the general record.

The crucial point: under § 164.508(a)(2), most disclosures of psychotherapy notes require a specific, separate authorization from the client. A general records release or a standard subpoena typically does not reach properly maintained, separated psychotherapy notes. They sit behind a higher wall.

So if you keep true psychotherapy notes separate from your progress notes — and you should — a subpoena for "treatment records" generally should not sweep them in without specific authorization or a court order directed at them. This is one of the strongest reasons to physically and procedurally separate those notes in the first place.

Your step-by-step response

Here is the sequence to follow when a subpoena lands. Don't skip steps, and don't reorder them in a way that has you releasing first and asking questions later.

  1. Note the deadline and do NOT panic-comply. Find the date by which a response is due. Calendar it. But understand that "respond" does not mean "send the records." It may mean object, or seek assurances, or have your attorney respond on your behalf.

  2. Determine what you're holding. Is it signed by a judge (court order) or by an attorney or clerk (subpoena)? This drives everything that follows.

  3. Do NOT confirm or deny the client relationship to anyone outside the proper process. Even acknowledging that the person is your client is PHI. Don't discuss the matter with the requesting attorney casually.

  4. Contact your malpractice carrier. Most professional liability policies include free or low-cost legal consultation, and responding to subpoenas is a classic covered scenario. Call them early. This is one of the best uses of that coverage.

  5. Notify your client. Reach out to the client (or their attorney, if they have one) to let them know a request has been made. The client has the right to object, and they may want to file a motion to quash or seek a protective order. Often the client's own lawyer will take the lead on protecting the records. Notifying the client is both ethically expected and practically how the § 164.512(e) protections get triggered.

  6. Assess whether adequate protections are in place. Has the client been properly notified with a chance to object? Is there a qualified protective order? If neither, you generally should not release, and you can say so in writing — or seek a qualified protective order yourself.

  7. Apply the minimum necessary principle. If and when you are cleared to disclose, release only the specific records requested and authorized — not the entire file by reflex. A subpoena for records relating to a specific date range or issue does not entitle anyone to your complete chart. The minimum necessary standard (§ 164.502(b)) still applies to disclosures like these.

  8. Protect psychotherapy notes separately. Confirm whether the request reaches your separately maintained psychotherapy notes. If it doesn't include the specific authorization or order required under § 164.508, do not include them.

  9. Respond in writing, on time. Whether you're producing limited records, objecting, or asking for assurances, do it formally and before the deadline. Keep a copy of everything.

  10. Document the entire process. What you received, when, what you did, who you consulted, what you released and why. If this is ever questioned later, that paper trail is your protection.

When to get a lawyer

You don't need to lawyer up for every piece of mail, but here's when you genuinely should bring in counsel — usually starting with your malpractice carrier's free consultation:

  • The subpoena involves a custody dispute or contentious litigation. These get messy fast, and records are weaponized.
  • Psychotherapy notes are being demanded.
  • You receive a court order and you have concerns about its scope or about clinical harm from disclosure.
  • The client has objected or wants to fight the request, and you need to know your role.
  • You're subpoenaed to testify, not just to produce records. Testifying about a client raises its own thicket of privilege issues.
  • You simply aren't sure which protections apply. The cost of a short consult is trivial next to the cost of a wrongful disclosure.

An attorney can help you object, move to quash, narrow the scope, or insist on a protective order — and they can communicate with the requesting party so you're not navigating it alone.

A few things NOT to do

  • Don't ignore it. A subpoena you don't respond to can carry consequences, including being held in contempt. Silence is not an option; a written objection is.
  • Don't call the requesting attorney and chat. Anything you say can become part of the record, and you might disclose PHI without realizing it.
  • Don't release the full file because it's easier. Over-disclosure is a violation in its own right.
  • Don't let a deadline pass without acting. If you need more time, that's a request your attorney can make — but make it before the clock runs out.

The mindset that keeps you safe

Reframe the whole thing. A subpoena is not an order to obey, it's a request you are obligated to evaluate and respond to thoughtfully. Your job is to protect your client's confidentiality to the full extent the law allows, release only what you're genuinely required to release, and document every step.

Therapists who get burned almost always do so because they treated a subpoena like a command and shipped the records the same week. Therapists who handle it well slow down, identify what they're holding, loop in their carrier and their client, and respond in writing. You can be the second kind, and now you know how.

Not sure if your practice is covered?

Situations like these are exactly why having documented HIPAA policies matters. Yundra's free risk assessment identifies the specific gaps in your compliance — so you're prepared before something unexpected happens.

Check your compliance score →

Need these documents for your practice?

Yundra generates all 7 HIPAA documents — personalised to your practice, your vendors, your EHR. Starting at $399, ready in minutes.

Free · See your score instantly