New OCR Guidance: The HIPAA Guide for Law Enforcement
The Office for Civil Rights recently published new guidance to assist law enforcement and covered entities when addressing information sharing situations where the HIPAA Privacy Rule may be at issue. The HIPAA Guide for Law Enforcement contains an overview of the Privacy Rule and describes permitted disclosures of health information to law enforcement. Presumably, this guidance is intended to provide some clarity to questions about the amount and type of information law enforcement are entitled to obtain from hospitals, clinics, and other covered entities. The following provides a summary of the contents of the new guidance.
HIPAA provides federal privacy protection for individually identifiable health information (protected health information or “PHI”) and applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. Many entities, however, are not subject to the Privacy Rule, including employers, most state and local police or other law enforcement agencies, many state agencies, and most schools and school districts (although student health records maintained by schools and school districts are, in most cases, protected by the Family Educational Rights and Privacy Act).
A covered entity may disclose PHI to law enforcement (1) with the individual’s signed HIPAA authorization or (2) without the individual’s signed HIPAA authorization in certain situations, including:
To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, pursuant to 45 CFR § 164.512(j);
To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity, pursuant to § 164.512(f)(5);
To alert law enforcement to the death of the individual when there is a suspicion that death resulted from criminal conduct, pursuant to § 164.512(f)(4);
When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity, pursuant to § 164.512(f)(6);
To report PHI to law enforcement when required by law to do so (such as reporting gunshots or stab wounds), pursuant to § 164.512(f)(1)(i);
To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used), pursuant to § 164.512(f)(1)(ii);
To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person, but the information must be limited to basic demographic and health information about the person, pursuant to § 164.512(f)(2); and
To respond to a request for PHI about an adult victim of a crime when the victim agrees (or in limited circumstances if the individual is unable to agree). Child abuse or neglect may be reported, without a parent’s agreement, to any law enforcement official authorized by law to receive such reports pursuant to § 164.512(c), (f)(3).
Although not specifically addressed in the new guidance, a covered entity may also disclose PHI to law enforcement authorities when necessary to identify or apprehend an individual when the individual has admitted to participation in a violent crime that may have caused serious physical harm to the victim, pursuant to § 164.512(j)(1)(ii)(A). In this case, the covered entity may only disclose basic demographic and health information, and may not make any disclosure if the information was obtained in the course of, or through a request for, treatment, counseling, or therapy related to the criminal conduct at issue. Disclosure of PHI to law enforcement is also permitted where it appears that the individual has escaped from a correctional institution or from lawful custody, under § 164.512(j)(1)(ii)(B). Finally, a covered entity may disclose PHI to a law enforcement officer having lawful custody over an individual, if the information is necessary for the provision of health care to the individual; to protect the health and safety of the individual, other inmates, officers, or correctional staff; or for the maintenance of the correctional institution, under § 164.512(k)(5).
It is important to remember that providers and health plans covered by the HIPAA Privacy Rule can share patient information for several additional purposes that can assist in emergency or disaster relief situations. Patient information can be shared for treatment, including sharing information with other providers, referring patients for treatment, coordinating patient care with others, and seeking payment for health care services; and notification, including identifying, locating, and notifying family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death.
Organizations with law enforcement disclosure policies and procedures should ensure that these documents reflect the new guidance and current regulations. Establishing clear guidelines in this area will help promote exchange of information while abiding by HIPAA requirements.