HIPAA Privacy & Security Compliance: Disclosures to Law Enforcement

This article will discuss disclosures for law enforcement purposes permitted under HIPAA. Various scenarios will be introduced, with relevant HIPAA regulations integrated in the responses.

There is often considerable confusion about the type of protected health information (PHI) healthcare providers can legally release to law enforcement, in part because state laws govern the release of patient information in addition to HIPAA regulations. HIPAA establishes a “floor” of privacy protection, but state law may be more strict regarding disclosures to law enforcement, resulting in situations where the disclosure of PHI to law enforcement for the use in an investigation may be allowed under HIPAA but not permitted by state law. For example, state law may more strictly limit disclosures to law enforcement for sensitive topics such as HIV/AIDS, mental health, and substance abuse. This article will discuss disclosures for law enforcement purposes permitted under HIPAA. Various scenarios will be introduced, with relevant HIPAA regulations integrated in the responses. Again, state laws may vary on privacy protections and must be individually evaluated, so be sure to use the information here only as a guide and introduction. 

Scenario 1: “I’ve received a subpoena in the mail asking for a patient’s PHI, and I don’t know what I should do. Do I release the information, or does HIPAA prohibit me from releasing information in response to a subpoena?”  

Response: Yes, clinicians may provide PHI to comply with a court order or court-ordered warrant, subpoena, or summons issued by a judicial officer, as well as a grand jury subpoena [Code of Federal Regulations (CFR) 45 164.512(f)(1)(ii)(A)-(B)], after having met certain requirements. First, confirm the document is a subpoena or court order. A court order allows for PHI to be shared as specifically stated in the order. For subpoenas, determine their validity through an attorney and follow the notification requirements of the HIPAA Privacy Rule. Before responding to a subpoena, there needs to be evidence that the clinician made reasonable effort to notify the person who’s the subject of the subpoena so that the individual has a chance to object to the disclosure or seek a qualified protective order for the information from a court of law. A qualified protective order prohibits parties from using or disclosing health information for purposes other than litigation and requires either return of the PHI to the covered entity (CE), or destruction of the PHI at the end of the litigation or proceeding.¹ CEs should not provide more information than what the warrant or subpoena requires. Important to remember, state laws may have additional requirements.

Scenario 2: “An investigator asked our agency for PHI on a person suspected of illegal drug use. Can they obtain this information just by asking for it?”  

Response:  Yes, CEs must respond to administrative requests such as an administrative subpoena, investigative demand, or other written request from a law enforcement official. Because courts are not necessarily directly involved in these situations, HIPAA requires all requests of this type to include or be accompanied by a written statement that the information requested is relevant and material, specific, and limited in scope. Additionally, the document must note that de-identified information is not available for use [45 CFR 164.512(f)(1)(ii)(C)].

Scenario 3:  “The police were trying to locate a missing elderly man, who they knew to be a patient of ours. They asked for information about the man, and we had recently treated him for a fall that resulted in a concussion. Am I allowed to give out patient information for this type of request?”  

Response:  Yes, HIPAA allows clinicians to respond to requests for PHI for purposes of identifying or locating a missing person (as well as suspects, fugitives, and material witnesses). In these situations, the CE must limit disclosure of PHI to the following pieces of information: name and address, date and place of birth, social security number, blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and description of distinguishing physical characteristics. This same limited information may be reported to law enforcement about a suspected perpetrator of a crime when the report is made by the victim who is a member of the CE’s workforce [45 CFR 164.502(j)(2)]. This information may also be used to identify or apprehend an individual who has admitted to participation in a violent crime that the CE reasonably believes may have caused serious physical harm to a victim, provided the admission was not made in court or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act [45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)]. 

Other information related to the individual’s DNA, dental records, and body fluid or tissue typing, samples, and analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request [45 CFR 164.512(f)(2)].  

Scenario 4: “The police came to our clinic, asking about the injuries suffered by a patient who had been robbed and beaten. May I give them this information?”  

Response: Clinicians may respond to requests for PHI about victim(s) of a crime, if the victim(s) agree. If the victim of the crime is incapacitated, the CE may opt to disclose the PHI to law enforcement if the law enforcer does not intend to use the information against the victim (and the info is needed to determine whether another person broke the law). Consent from the victim can be oral, but should be documented. This can occur only if the investigation would be materially and adversely affected by waiting until the victim could agree and the CE believes divulging the information is in the best interest of the individual whose PHI is requested [45 CFR 164.512(f)(3)].  

Scenario 5: “A woman showed up at our clinic with a broken arm and bruises, stating her boyfriend had gotten drunk and become abusive. She did not want us to report the incident because she feared she and her child would not have a place to live. Does HIPAA require me to report this incident?”  

Response: No. Adult abuse, neglect, or domestic violence can be reported to a law enforcement official, if the individual agrees, if it’s required or authorized by law, and if (based on professional judgment) the report is necessary to prevent serious harm to the individual or others [45 CFR 164.512(c)(1)(iii)(B)]. 

However, state law may require the reporting of domestic violence. If so, follow state law. If reporting the abuse, under HIPAA regulations the CE must notify the individual of the report if the CE believes the report may put the individual at risk of harm or if the CE would be informing a personal representative and that person is the individual believed to be responsible for the abuse, neglect, or other injury [45 CFR 164.512(c)]. 

Scenario 6:  “A woman presented at our facility intoxicated, with her two small children in tow.  When she could not be seen immediately, she drove off with the children. I was not sure if I was legally allowed to give her identity to the police, but was concerned for the children and others. Could I have alerted police?”  

Response: Yes, if you believe there’s a threat to the health or safety of the patient or others, calling the police is permissible. HIPAA allows a CE to divulge PHI to a law enforcement official who’s reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public [45 CFR 164.512(j)(1)(i)]. It’s wise for CEs to have clear policies and procedures established that cover these potential types of disclosures. Additionally, the actions may fall under state child-abuse-reporting law requiring the reporting of suspected child abuse to authorities.

Scenario 7: “We had an emergency drill at work, and we were unclear if we could alert family members of a patient’s identity and status without violating HIPAA. If there is an emergency or disaster, what can we disclose?”

Response: There are several instances in which a provider can release PHI to family or friends of an individual. The first is when the patient does not object. Second, when the person or persons requesting information are involved in the individual’s healthcare or payment of the healthcare. Third, when the patient consents to the provider sharing information. Lastly of relevance here, is when a provider (using professional judgment) believes it’s in the best interest of the patient to release PHI  [45 CFR 164.510(b)]. If family members are seeking information in the event of an emergency or disaster, it falls within HIPAA regulations to be able to share limited PHI.  

Scenario 8: “A solo practitioner I know had records confiscated by the National Security Agency. This person was not apprised of what was being taken and why. Is this legal?”

Response: Technically, yes. While unnerving, this does occasionally happen. PHI may be released to federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act [45 CFR 164.512(k)(2)], or to provide protective services to the president and others and to conduct related investigations [45 CFR 164.512(k)(3)]. This is not always done in the manner in which healthcare professionals would like.  

Scenario 9: “If members of the sheriff’s department bring inmates into our facility for treatment, are the officers privy to inmate PHI?”  

Response: Yes, in certain situations. CEs must respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such PHI is needed to provide healthcare to the individual; for the health and safety of the individual, other inmates, officers, employees, or others at a correctional institution responsible for the transporting/transferring of inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement, on the premises of the facility [45 CFR164.512(k)(5)].

Scenario 10: “I heard providers must now report patients who are living with a mental health diagnosis to the federal government. Our clinic’s patients are not seen for mental health conditions, but may have mental health diagnoses in their charts. Am I required to report this?”  

Response: No. In the wake of numerous mass shootings in the United States, on Jan. 6, 2016, the Department of Health and Human Services modified the privacy rule to allow certain CEs to disclose identities of certain individuals who are subject to a federal “mental health inhibitor” limited PHI to the National Instant Criminal Background Check System (NICS). This rule does not apply to most CEs. It applies to CEs who either make the mental health determinations that disqualify individuals from having a firearm or are designated by their states to report this information to NICS. Reports to NICS are to occur for persons who meet the criteria for a “federal mental health prohibitor” (to buying a gun). The law specifically disallows diagnostic or clinical information from being reported. CEs may disclose limited demographic information for the purpose of reporting the identity of an individual who is prohibited from possessing a firearm. The PHI that may be disclosed is: 1) name of the ineligible individual; 2) date of birth; 3) sex; and 4) codes indicating the applicable prohibitor, the submitting entity, and the agency record supporting the prohibition (eg, an order for involuntary commitment). The reporting is limited to state agencies or other entities designated by the state to report or collect information for reporting on behalf of the state to NICS or a court, board, commission, or other lawful authority that makes the commitment or adjudication decisions [45 CFR 164.512 (k)(7)].  

Only CEs with lawful authority to make the adjudications or commitment decisions that make an individual subject to the federal mental health inhibitor, or that serve as repositories of information for NCIS reporting purposes, are permitted to disclose the information needed for these purposes. In the U.S., 47 states authorize or require reporting of mental health information to NICS.² Federal law cannot require states to compel disclosure of this information, so some states require this disclosure while others don’t. 

Additional PHI Reporting

In addition to the scenarios presented here, HIPAA allows reporting of PHI to law enforcement for the following reasons:  

• To alert of the death of the individual when there’s suspicion the death resulted from criminal conduct [45 CFR164.512(f)(4].
• Information about a decedent may be shared with medical examiners or coroners to assist in identifying the decedent, determining the cause of death, or to carry out other authorized duties [45 CFR164.512(g)(1)].
• To report PHI the CE (in good faith) believes to be evidence of a crime that occurred on the CE’s premises [45 CFR164.512(f)(5)].
• To identify or apprehend an individual who appears to have escaped from lawful custody [45 CFR164.512(j)(1)(ii)(B)].  
• When required by law to do so [45 CFR 164.512(f)(1)(i)]. Examples of these state laws typically include things such as reporting violent injuries (eg, gunshots, stabbings) and deaths, and reporting of child abuse and neglect, among others. 

Addressing Policies & Procedures

CEs must have privacy policies and procedures that address how to respond to inquiries from law enforcement. Policies and procedures should include:

• requirements for identifying the law enforcement official, such as the official’s name, badge number, agency;
• procedure that allows staff members to determine the authority of the person making the request (eg, written statement on letterhead, warrant, court order, subpoena, etc.);
• policy identifying who should be consulted among facility staff when requests by law enforcement are made (eg, privacy officer, director, agency attorney);
• policy for disclosing the “minimum necessary” information to meet the request; and
• requirement that information released to law enforcement must be recorded in a CE’s accounting of disclosures, if the information is released without patient authorization. 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindel@carosh.com.

References

1. Bryniczka PM. Trial Practice: The HIPAA Hurdle. 2009. Accessed online: www.americanbar.org/content/newsletter/publications/gp_solo_magazine_home/gp_solo_magazine_index/trialprac_HIPAA.html

2. Law Center to Prevent Gun Violence. Mental Health Reporting. 2016. Accessed online: https://smartgunlaws.org/gun-laws/policy-areas/background-checks/mental-health-reporting