Subpoenas and Court Orders for Dental Records: What HIPAA Requires (2026)
By Dolev Arama · Updated June 2026
A subpoena is a written demand for records or testimony. A court order is a command signed by a judge. They can arrive in similar envelopes, but they are not the same thing under HIPAA, and treating the first like the second is how a dental practice ends up on the wrong side of a privacy lawsuit.
Here is the rule in one line. If a judge signed it, you generally comply and you release only what it names. If a lawyer signed it and no court order is attached, the subpoena by itself is not permission to open a patient's chart. You can release the records only if the patient was given notice and a chance to object, or a protective order is in place or being sought. A request from the police follows its own separate track.
Getting this wrong is not a paperwork foot-fault. A Connecticut OB-GYN practice once received a subpoena from a lawyer in a paternity case, with no court order, asking for a patient's records. The patient had told the practice not to release anything to her former boyfriend. The practice mailed the chart to the court anyway, without telling her. He read it, and a jury later found the practice liable for the harm that followed. Dental records get subpoenaed all the time, in custody fights, injury claims, and insurance disputes, and the rule that tripped up that practice is the same one that applies to you.

This article explains how a dental practice should handle a subpoena, a court order, or a law-enforcement request for a patient's records. It is general information, not legal advice for your specific situation. For that, consult a healthcare attorney or a qualified HIPAA compliance professional.
The one question that decides everything: who signed it
Almost every records demand a dental office sees falls into one of a few buckets, and the right move depends entirely on which bucket it is. Read the document before you do anything else, and look first for a judge's signature or an attached court order. That single fact changes your obligations.
| What you received | What HIPAA requires | What you may release |
|---|---|---|
| A court order, a court-ordered warrant, or a subpoena or summons signed by a judge or issued by a grand jury | You may disclose without separate patient permission, and the order itself carries legal force you cannot ignore. | Only the records the order names, and nothing beyond them. |
| The patient's own signed HIPAA authorization | You may disclose what the signed form covers. | Only what the authorization allows. |
| A subpoena or discovery request signed by a lawyer, with no court order attached | Not permission on its own. You first need satisfactory assurances: proof the patient was notified and the time to object has passed, or that a qualified protective order is in place or has been requested. | Nothing until one of those conditions is met. If it never is, you can object or ask for a court order. |
| A written request from a government agency (an administrative subpoena, summons, or investigative demand) | Allowed only if a response is required by law and the request is relevant and material, limited in scope, and de-identified data would not serve the purpose. | Only what the request specifies, once it meets those tests. |
| A police request to help identify or locate a suspect, fugitive, witness, or missing person | Allowed for a fixed, narrow set of identifying details only. | Items such as name, address, and date of birth. Not dental records, DNA, or body-fluid analysis under this provision. |
A lawyer's subpoena, by itself, is not a green light
This is the part practices get wrong most often. A subpoena that a lawyer issued in a lawsuit feels official, and it is, but under 45 CFR 164.512(e) it does not, on its own, let you hand over a patient's chart. When the subpoena is not signed by a judge and no court order comes with it, you may disclose only after you receive what the rule calls satisfactory assurances.
Satisfactory assurance means one of two things in writing. Either the party who wants the records shows you that the patient was given notice of the request and enough time to object, and that the time has passed with no objection left unresolved. Or it shows you that a qualified protective order is in place or has been asked for, meaning an order that bars anyone from using the records outside the case and requires them to be returned or destroyed when the case ends. HHS spells this out: without a court order, you need one of those two things before the records leave your office. Sometimes the subpoena itself shows this on its face, that the patient was notified and the time to object has passed with none filed, and when it clearly does, no separate paperwork is needed.
- If a judge signed the subpoena, or a court order or qualified protective order is attached, you are on the disclosure track and release only what it names. If only a lawyer signed it, keep going.
- If a valid, signed HIPAA authorization from the patient or their personal representative is included, you can release what it covers. What matters is that the authorization meets HIPAA's requirements, not who drafted it, so check it against those rules and ask for one on your own form if anything looks off.
- With no court order and no authorization, you may disclose only if you have written assurance that the patient got notice and a chance to object, and that the time to object has passed with nothing unresolved.
- The alternative is a protective order limiting the records to the case and requiring their return or destruction at the end. The requester can show one is agreed or has been requested.
- If none of those is available, object in writing, ask the requesting lawyer for an authorization or a court order, notify the patient yourself, or ask the court for a protective order. When the deadline is tight or anything is unclear, call your own attorney.
- Send only the records named, not the entire chart, and log what you sent and why, so you have a clear record of the disclosure.
What the Connecticut case actually cost
The practice in the story above is the defendant in Byrne v. Avery Center, and the numbers are worth sitting with. After the practice mailed the records to the court without notifying the patient, and her ex-boyfriend read them in the public file, she sued. A jury awarded her $853,000, and the Connecticut Appellate Court upheld that award in 2022 (AC 43413). The court also made a point that matters for every practice: the fact that the court clerk mishandled the records after they arrived did not let the practice off the hook. The practice was liable for sending them in the first place.
There is a twist here that surprises people. HIPAA gives patients no right to sue you directly; that is true everywhere, and the practice argued exactly that. It did not save them. The Connecticut Supreme Court held that state law can still give a patient a negligence claim, and that HIPAA's rules for responding to a subpoena can help define the standard of care a careful practice owes. Not every state has recognized that kind of claim the way Connecticut did, so your exposure depends on your state's law. But Byrne is the warning: where such a claim exists, the patient whose records you mishandled can come after you directly, and it can cost far more than a typical federal penalty.
When the police or a government agency asks
Law enforcement runs on a different set of rules, in 45 CFR 164.512(f). A court order, a court-ordered warrant, a subpoena or summons signed by a judge, or a grand jury subpoena all let you disclose what they name. A written administrative request from an agency is narrower: it has to be relevant and material to a real investigation, limited in scope, and used only where de-identified data would not do.
One rule is worth memorizing because it is specific to your office. When the police ask for help to identify or locate someone, the law lets you share only a short list of basic facts, and it specifically excludes dental records, along with DNA and body-fluid analysis, from what you can hand over under that provision. Dental records sit on the other side of the line: the rule keeps them out of the quick identify-or-locate request and pushes them back to a court order, a warrant, or a formal written demand.
If officers show up in person with no court order, warrant, or other process, you generally do not have to hand over a patient's chart on the spot, and you should not pretend a record does not exist or destroy anything. A few narrow exceptions exist, such as a crime committed on your premises or a genuine emergency, but those are exactly the situations to slow down for, not to rush. A calm script works: tell them you take it seriously and are contacting your attorney, and let your lawyer sort out what the law actually requires.
One footnote on a rule you may have read about. A 2024 federal rule briefly added an extra attestation step for requests tied to reproductive health care. A federal court vacated most of that rule, including the attestation step, in June 2025, the government did not appeal, and the remaining appeal was dismissed that September, so the attestation step does not apply today. You may still see it referenced in older guidance and in the regulation text.
Your state can require more, and some records get extra shields
HIPAA is a floor, not a ceiling. Under 45 CFR 160.203, a state law that protects patient privacy more strictly than HIPAA is not overridden; the stricter rule wins. Depending on where you practice, your state may require a court order where HIPAA would accept a notified subpoena, or give certain sensitive records extra protection a standard subpoena cannot reach. These rules vary from state to state, so confirm your own state's requirements with your dental board or a healthcare attorney rather than assuming the federal floor is the whole story.
What a dental practice should actually have ready
None of this requires a law degree. It requires a short, written routine that the front desk can follow on the day a subpoena lands, so the decision is not made under pressure by whoever opened the mail. The same routine keeps you out of the Byrne trap.
- Read it and route it. Note what kind of legal demand it is, write down the date it arrived and the response deadline, and hand it to whoever owns compliance decisions, the owner or your privacy point person. The front desk catches it and passes it up; it does not decide what to release.
- Verify who is asking. Confirm the requester's identity before you discuss or send anything, so you are not handing records to someone posing as a party.
- Release the minimum. Send only the records the request names, never the full chart by default.
- Write it down. Keep a record of what you disclose, to whom, and why. A subpoena response is generally something a patient can later ask you to account for, so the log matters.
- Know when to call counsel. A bare subpoena with no court order, a police request with no process, or anything touching records your state protects more tightly is a moment to pause and ask your attorney.
Handling a subpoena well is one piece of HIPAA compliance, and the gaps that draw OCR's largest fines usually sit elsewhere, in the security controls underneath. The free HIPAA Scorecard checks the ten core Security Rule controls OCR cites most, like your risk analysis, your vendor agreements, and your breach-response plan, then scores your practice and names your biggest gap in about three minutes. It is a starting point, not a full audit, but it is the fastest way to see whether the rest of your compliance is on solid ground. If you want the broader picture, the related guide on handling a patient's own records request covers the other side of this, where the patient is the one asking for their chart, and the guide on responding to a data breach covers what happens if records go out that should not have.
This is general information about HIPAA and is not legal advice, and the rules for subpoenas, court orders, and law-enforcement requests interact with state law and court procedure that vary by state and change over time. Before you release records in response to any legal demand, confirm your current state requirements and, for anything beyond a routine notified subpoena, check with a healthcare attorney or a qualified HIPAA compliance professional.
About the author
Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. Regulatory claims trace back to those sources, and figures name where they come from; anything that can't be verified is labeled rather than asserted.
Sources
- 45 CFR § 164.512(e) (disclosures for judicial and administrative proceedings): a covered entity may disclose in response to a court order (only what the order authorizes), or in response to a subpoena or other lawful process without a court order only with satisfactory assurances of notice to the individual or a qualified protective order, defined at § 164.512(e)(1)(iii) through (v) (eCFR, current as of June 2026).
- 45 CFR § 164.512(f) (disclosures for law enforcement purposes), including the limited identification-and-location data at § 164.512(f)(2) and its exclusion of dental records, DNA, and body-fluid analysis from what may be disclosed under that provision (eCFR, current as of June 2026).
- 45 CFR § 164.508 (authorization), § 164.502(b) and § 164.514(d) (minimum necessary), and § 164.528 (accounting of disclosures) (eCFR, current as of June 2026).
- 45 CFR § 160.203 (preemption): a provision of State law that is more stringent than HIPAA regarding the privacy of health information is not preempted (eCFR, current as of June 2026).
- HHS Office for Civil Rights, "When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?" (FAQ 505), "What satisfactory assurances must a covered entity receive before it responds to a subpoena without a court order?" (FAQ 706), and "For disclosures for judicial proceedings, when is a copy of the subpoena sufficient?" (FAQ 708): a subpoena can satisfy the assurances when its face shows the individual was notified and the time to object has passed (hhs.gov, accessed June 2026).
- HHS Office for Civil Rights, "When must a covered entity account for disclosures of protected health information made during the course of litigation?" (FAQ 710): disclosures in response to a subpoena or other lawful process under § 164.512(e) are subject to the accounting-of-disclosures requirement (hhs.gov, accessed June 2026).
- HHS Office for Civil Rights, HIPAA Privacy Rule and reproductive-health disclosures, and the Reproductive Health Rule fact sheet: most of the 2024 rule, including the attestation requirement, was declared unlawful and vacated nationwide in Carmen Purl v. U.S. Department of Health and Human Services, No. 2:24-cv-00228-Z (N.D. Tex. June 18, 2025); HHS did not appeal, and the Fifth Circuit dismissed the remaining appeal on September 10, 2025, so the attestation step is not in force (hhs.gov, accessed June 2026).
- Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540 (Connecticut Supreme Court, 2018): HIPAA has no private right of action but does not preempt a state negligence claim, and its regulations may inform the standard of care for disclosing records in response to a subpoena; the opinion cites 45 CFR 164.512(e)(1)(iv) and the practice's admitted noncompliance (Connecticut Judicial Branch, jud.ct.gov, accessed June 2026).
- Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 212 Conn. App. 339, AC 43413 (officially released May 10, 2022): affirming the jury's $853,000 noneconomic-damages award and holding the practice liable even though the court clerk later placed the records in a public file (Connecticut Judicial Branch, accessed June 2026).
- American Dental Association, "How HIPAA Can Apply to You and How to Comply if it Does" and "HIPAA: 20 Questions for Dentists": a subpoena not accompanied by a court order is not, by itself, a valid basis to disclose records, unless it has the force of a court order under state law (ada.org, accessed June 2026).
Frequently asked questions
Do I have to release dental records if I get a subpoena?
Not automatically. If the subpoena was signed by a judge, or comes with a court order, you generally must comply and release only what it names. If it was signed by a lawyer with no court order attached, the subpoena alone is not permission. You may release the records only after you have satisfactory assurances that the patient was notified and given a chance to object, or that a qualified protective order is in place or being sought. If neither applies, you can object or ask for a court order.
What is the difference between a subpoena and a court order?
A subpoena is a written demand for records or testimony, and it can be issued by a lawyer in a case. A court order is a command signed by a judge. Under HIPAA, a court order lets you disclose the records it names without separate patient permission. A lawyer's subpoena with no court order does not, on its own, meet HIPAA's conditions for releasing a patient's chart.
Can the police get a patient's dental records without permission?
Sometimes, and it depends on what they bring. A court order, a court-ordered warrant, or a grand jury subpoena lets you disclose what it specifies. A simple request to help identify or locate someone is limited to a short list of basic details and specifically may not include dental records under that provision. If officers arrive with no legal process at all, you can tell them you are contacting your attorney, and you should not destroy or hide any records.
What happens if I release records I should not have?
HIPAA itself does not let a patient sue you directly, but an improper disclosure can still cost you. The federal Office for Civil Rights can investigate a complaint, and depending on your state, a patient may be able to sue under state law, using HIPAA's rules to help define the standard of care. In one Connecticut case, a jury awarded a patient $853,000 after a practice released her records in response to a lawyer's subpoena without notifying her first.
Do I have to notify the patient when I get a subpoena for their records?
Not always. With no court order and no signed authorization, HIPAA gives you two routes: the patient is notified and given time to object, or a qualified protective order is put in place or sought. Notice is only required on the first route. The requesting party can show that notice was given, you can notify the patient yourself, or the matter can proceed under a protective order instead.
Does my state law change any of this?
It can. HIPAA is a floor, not a ceiling. If your state requires a court order where HIPAA would accept a notified subpoena, or gives certain sensitive records extra protection, the stricter rule applies. Confirm your state's rule with your dental board or a healthcare attorney before you respond.