HIPAA Disclosures to Law Enforcement

As with others, the HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers ("Providers") from disclosing protected health information to police or other law enforcement officials without the patient's written authorization unless certain conditions are met. HIPAA allows disclosures to law enforcement in the following cases:

1. Court Order, Warrant, Subpoena, or Administrative Process. A Provider may disclose information in response to a court order, warrant, subpoena or other administrative process if certain conditions are satisfied. (45 CFR § 164.512(f)(1)(ii)). These situations are discussed more fully in our separate Healthcare Update.
    
2. Avert Harm. A Provider may disclose information to law enforcement to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public. (45 CFR § 164.512(j)(1)(i)).
    
3. Required by Law. A Provider may disclose information to law enforcement when a law requires the disclosure, e.g., to report child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. Comply with the strict terms of the law, and do not disclose more than is required by the law. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult abuse)).
    
4. Identify Person. If law enforcement requests information to help identify or locate a suspect, fugitive, material witness or missing person, a Provider may disclose the following limited information: (a) name and address, (b) date and place of birth, (c) social security number, (d) ABO blood type and rh factor, (e) type of injury, (f) date and time of treatment, (g) date and time of death, and (h) a description of distinguishing physical characteristics. Other information related to the individual's DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request. (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a "wanted" poster or bulletin.
    
5. Victim of a Crime. If law enforcement requests information about a person who is suspected of being a victim of a crime, a Provider may disclose information if: (a) the individual agrees to the disclosure, or (b) the officer represents that the information is necessary to determine whether someone other than the victim has committed a crime, the information will not be used against the victim, the information is needed immediately and the law enforcement activity would be adversely affected by waiting to obtain the victim's agreement, and the Provider determines it is in the victim's best interest to disclose the information. (45 CFR § 164.512(f)(3)).
    
6. Death. A Provider may disclose information to notify law enforcement about the death of an individual if the Provider believes the death may have resulted from a crime.
    
7. Crime on Premises. A Provider may disclose information to law enforcement if the Provider believes the information evidences criminal conduct on the Provider's premises. (45 CFR § 164.512(f)(5)).
    
8. Crime Away from Premises. If, in the course of responding to an off-site medical emergency, Provider personnel become aware of criminal activity, they may disclose certain information to law enforcement as necessary to alert law enforcement to the criminal activity, including information about the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime. (45 CFR § 164.512(f)(6)).
    
9. Report by Victim. If a person affiliated with the Provider is the victim of a crime, the person may disclose information necessary to report the crime to the police; however, the person may only disclose the limited information listed in 45 CFR § 164.512(f)(2)(i). (45 CFR § 164.502(j)(2)).
    
10. Admission of Violent Crime. If a person has admitted participation in a violent crime that a Provider reasonably believes may have caused serious physical harm to a victim, a Provider may disclose information to law enforcement necessary to identify or apprehend the person, provided that the admission was not made in the course of or based on the individual's request for therapy, counseling, or treatment related to the propensity to commit this type of violent act. (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
     
11. Fugitive. A Provider may disclose information to law enforcement to identify or apprehend an individual who appears to have escaped from lawful custody. (45 CFR § 164.512(j)(1)(ii)(B)).
     
12. Prisoners. If law enforcement or a correctional institution requests protected health information about an inmate or person in lawful custody, a Provider may disclose information if law enforcement represents such information is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility. (45 CFR § 164.512(k)(5)).
     
13. Medical Examiners And Coroners. A Provider may disclose information about a decedent to medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties. (45 CFR § 164.512(g)(1)).

Before considering disclosures to law enforcement, Providers should consider the following:

1. If the law enforcement official making the request for information is not known to the Provider, the Provider must verify the identity and authority of such person prior to disclosing the information, e.g., by requesting identification. (45 CFR § 164.514(h)).
    
2. Except when required by law, a Provider should limit disclosures to the minimum necessary. (45 CFR §§ 164.502(b), 164.514(d)). When reasonable to do so, the Provider may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for their lawful purpose. (45 CFR § 164.514(d)(3)(iii)(A)).
    
3. If law enforcement does not fit within one of the exceptions allowing disclosures, the Provider should explain the limits to law enforcement; however, the Provider should not physically interfere with or impede law enforcement if they insist on accessing information over the Provider's objection. Instead, the Provider should attempt to take the matter to the officer's supervisor. In appropriate cases, the Provider may want to contact their own attorney. The Provider should not be penalized if the Police demand access despite the Provider's attempt to assert the HIPAA objection so long as the Provider documents its objections and the officer's response.
    
4. The HHS Office of Civil Rights published a helpful Guide for Law Enforcement, which may be accessed here. Providers may want to give a copy of the Guide to law enforcement officers seeking information. In addition, several state and federal law enforcement agencies have published guidance on this issue. If a Provider is dealing with a difficult officer, it is sometimes helpful to give them a copy of these guides to educate them concerning the rules.
    
5. In all cases, a Provider should document the circumstances surrounding the disclosure to law enforcement in the log for accounting of disclosures as required by 45 CFR § 164.528.

OTHER LIMITATIONS. When evaluating the foregoing disclosures, Providers should consider whether other laws in addition to HIPAA limit disclosures, e.g., limits on disclosures for drug or alcohol treatment records (e.g., 42 CFR part 2), attorney-client privilege; peer review privilege; etc. Remember: to the extent a state law is more restrictive than HIPAA, Providers are generally required to comply with the more restrictive law.

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.