As All Who Have Attended My HIPAA Seminars for Lawyers and Paralegals, This is Exactly Right:Physician practices can't simply respond to subpoenas for medical records. Other elements are required: court order, (HIPAA compliant) authorization, qualified protective order, or proof that the individual knows about the requested disclosure and doesn't object.