HIPAA LAW ENFORCEMENT INFORMATION
Legal Counsel/HR Manager
Kansas Highway Patrol
122 SW 7th
Topeka, KS 66612
HIPAA permits the disclosure of Protected Health Information (“PHI”) to law enforcement officials in specified circumstances:
“Law enforcement” is broadly conceived by HIPAA. It includes any governmental agency or official authorized to investigate, prosecute or conduct an inquiry into a potential violation of law.
NOTE about the relationship of HIPAA and state law: HIPAA does not require the disclosure of PHI without an individual’s consent or authorization in any circumstance. Rather, HIPAA permits nonconsensual or unauthorized disclosures in specified circumstances.
Moreover, HIPAA establishes minimum, not maximum, protections for PHI. State law that prohibits or restricts the disclosure of PHI will control even if such disclosure is permitted by HIPAA. Thus, if state law limits the manner or circumstances in which a disclosure permitted by HIPAA may be made, then these state law provisions must be followed.
Legal Process: In the law enforcement context, “legal process” means a formal written demand or request from a judicial or enforcement agency. Disclosure must be strictly limited to the scope of the request. Legal process involves documents like:
“Legal process” in the law enforcement context does not mean a subpoena from a lawyer. Subpoenas in civil cases are discussed below.
Administrative Subpoenas, Summons, or Demands: Covered entities have additional responsibility when responding to requests for information from administrative agencies other than “health oversight agencies”: Covered entities must determine what PHI is minimally necessary to fulfill the purpose of the agency request.
A “health oversight agency” is a state or federal agency, or their contractors, authorized by law to oversee the health care system or government health care programs. A covered entity may disclose PHI to a health oversight agency in accordance with its request without determining the minimal necessity of the disclosure. Examples of health oversight agencies include the Centers for Medicare and Medicaid Services, the Oregon Medical Assistance Program and state licensure agencies.
Disclosure of PHI to an enforcement agency that is not a “health oversight agency” is permitted only to the extent that the request meets a three-part test: (1) de-identified information will not suffice, (2) the information sought is relevant to a stated and legitimate law enforcement inquiry, and (3) the scope of the request is no more than is necessary to fulfill the purpose of the request.
The covered entity must obtain the agency’s affirmative representation that the PHI sought is the minimum necessary for its stated purpose. The covered entity’s reliance on the agency’s representation of minimum necessity must be reasonable in light of all the circumstances. If you have any doubts about whether a formal law enforcement request meets the criteria for disclosure, then consult your supervisor or an attorney.
Example: Or-OSHA. Or-OSHA makes a request for the medical records of an employee injured on the job. Since Or-OSHA is not a “health oversight agency,” a covered entity must insist that the agency’s purpose be stated and that the agency represent its request is limited to the minimum information necessary to fulfill that purpose. The covered entity must then evaluate the request in light of all the circumstances to determine in good faith whether the purpose is legitimate and the request minimally necessary. In this example, there is no question that the identity of the individual is central to the purpose of the request, and therefore de-identified information would be inadequate.
Required by Law: HIPAA accommodates state and federal laws that compel the disclosure of PHI to assist law enforcement. HIPAA does not permit disclosure of PHI to law enforcement officials when such disclosures are discretionary. HIPAA’s relationship to mandatory reporting for public health purposes, including reports of abuse or neglect, is discussed in the Consent section and the Mandatory and Discretionary Releases section of these guidelines.
Example: Intoxicated Drivers. ORS 676.260 permits, but does not require, reports to law enforcement agencies when, following a motor vehicle accident, health care facility personnel have blood test results indicating that an intoxicated person was driving an involved vehicle. Because the report is discretionary, the requirement of individual authorization would not be waived by HIPAA, and a voluntary disclosure by facility personnel would be illegal under the privacy rules.
Example: Suspicious Wounds or Injuries. Physicians, including residents and interns, are required by law to report to the appropriate Medical Examiner injuries apparently made by a deadly weapon. ORS 146.750. In these circumstances state law requires disclosure, and therefore HIPAA permits it.
Identification and Location. HIPAA permits disclosure of limited identifying information in response to a request from law enforcement for assistance in identifying or locating fugitives, suspects, witnesses, or missing persons. This exception requires a request from law enforcement; it does not authorize self-initiated disclosures. Unless PHI is within the definition of “limited identifying information,” a covered entity may not disclose an individual’s DNA or a DNA analysis, dental records, or typing, samples or analysis of body fluids or tissues.
“Limited identifying information” is specifically defined as:
Example: Blood type. Even though an individual’s blood type is learned through “typing” the individual’s bodily fluids, the definition of “limited identifying information” specifically includes blood type information. An individual’s blood type therefore may be disclosed in response to a law enforcement request for PHI to identify or locate a suspect, fugitive, witness or missing person.
Implementation Tip: Get it in writing; documentation. HIPAA generally does not require law enforcement officials to make requests or representations in writing. However, it is in the covered entity’s interest to obtain law enforcement requests, and representations about those requests, in writing. At a minimum, requests and representations should be documented by the covered entity.
Implementation Tip: Verify credentials, really. The covered entity must establish the bona fides of law enforcement officials before disclosing PHI for any reason. HIPAA permits reasonable reliance on agency ID badges or other official credentials when requests are made in person. If, however, the covered entity has no knowledge of what such credentials look like, then further steps to verify identity should be pursued. Similarly, written requests should be on official governmental letterhead and substantiate reasonable reliance.
Crime Victims. A covered entity may disclose PHI concerning an actual or suspected victim of a crime in response to a law enforcement request in two circumstances. Either:
Note that disclosures regarding crime victims may be made only in response to a law enforcement request, unless otherwise required by law. Note also that disclosures concerning victims of abuse, neglect or domestic violence are governed by different provisions of the HIPAA rules, which are discussed in the Consent section and the Mandatory and Discretionary Releases section of these guidelines.
Implementation Tip. Again, ideally law enforcement representations about the need for and use of PHI should be made in writing. At a minimum, the covered entity should document them. In addition, the factual basis and rationale for a professional judgment that disclosure is in the individual’s best interests also should be documented.
Decedents. A covered entity may contact law enforcement officials about the death of an individual, and provide PHI concerning such individual, if it suspects death may have resulted from criminal conduct. In addition to homicide, criminal conduct potentially includes negligent homicides and deaths from overdoses of narcotics or illegal drugs. It would not include suicides absent suspicions of foul play or, in the case of physician-assisted suicide, violation of applicable state law. Self-initiated disclosures are permitted in this instance; no request from law enforcement is necessary.
Crime on the Premises. A covered entity may disclose to law enforcement PHI that it believes in good faith to be evidence of a crime committed on its premises. Self-initiated disclosures are permitted in this instance; no request from law enforcement is necessary.
Off-site Emergencies. If a health care provider is rendering emergency services off its premises, then it may disclose PHI to the extent necessary to alert law enforcement to the commission, nature, or location of a crime or a crime victim, and the identity, description and location of the perpetrator. If, however, the provider believes the emergency is the result of abuse, neglect or domestic violence, then disclosure is permitted only in accordance with the rules specifically applicable to those situations. See the Mandatory and Discretionary Releases section of these guidelines.