By Jackie M. Ni Mhairtin
Neil, Dymott, Frank, McFall & Trexler APLC
San Diego, CA
You've received a telephone call from a police officer requesting a physical description of one of your patients believed to be a fugitive. Or you suspect that one of your minor patients is a victim of child abuse. To what extent does the law permit you to disclose patient information to the police? This article will explore the role of the HIPAA Privacy Rule in the disclosure of protected health information for law enforcement purposes.
THE HIPAA PRIVACY RULE
The U.S. Department of Health and Human Services instituted the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Effective since April 2003, the Privacy Rule seeks to protect the confidentiality of health information, called protected health information (PHI), by regulating its use and disclosure by covered entities. Covered entities are health plans, healthcare clearinghouses and healthcare providers that transmit health information in electronic form in connection with a standard transaction.
The Privacy Rule is balanced to protect an individual's privacy while allowing important law enforcement functions to continue. A covered entity may disclose PHI to law enforcement officials, without written authorization to do so, under certain specified situations.
Nonconsensual, unauthorized disclosures are permitted in the following situations:
• Legal Process
PHI may be divulged to comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. Disclosure must be strictly limited to the scope of the request.
• Administrative Requests
Release of PHI is permitted in response to an administrative request, such as an administrative subpoena, an investigative demand, or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, it must be accompanied by a written statement that the requested information is relevant and material, that it is specific and limited in scope, and that de-identified information cannot be used.
• Identification and Location
Limited identifying information may be disclosed in response to a request from law enforcement for assistance in identifying or locating fugitives, suspects, witnesses or missing persons. Self-initiated disclosures are not authorized. HIPAA does not require the request to be in writing. It is in the covered entity's interest to obtain a written request or, at a minimum, to document an oral request. Disclosures are limited to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics including weight, gender, race, hair and eye color, presence or absence of facial hair, scars and tattoos.
A covered entity may contact law enforcement officials about the death of an individual where there is suspicion it resulted from criminal conduct. Information regarding a decedent can also be shared with medical examiners or coroners to assist them in identifying the decedent, determining cause of death or to carry out other authorized duties.
• When Required by State Law
HIPAA accommodates state and other federal laws that compel dissemination of PHI to assist law enforcement. For example, many state laws commonly require health care providers to report incidents of gunshot or stab wounds and HIPAA permits such compulsory disclosures. However, it does not permit merely discretionary disclosures of PHI to law enforcement.
• Crime on the Premises
A covered entity may reveal to law enforcement officials PHI that it believes in good faith to be evidence of a crime committed on the premises. No request from law enforcement is necessary.
• Abuse, Neglect or Domestic Violence
Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports. By contrast, adult abuse, neglect or domestic violence may be reported only if the individual agrees or if mandated by a state or federal law. Transmission of PHI is also permitted where reporting is not mandated but is authorized by law, but only if, in the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or to others.
• Crime Victims
Disclosure of PHI concerning an actual or suspected victim of a crime in response to a request from law enforcement can be made only if that individual agrees. If, because of an emergency or incapacity, the individual cannot agree, the covered entity may nevertheless disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, and the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested. Self-initiated disclosures are not permitted. If law enforcement representations about the need and use of PHI are not in writing, they should be documented by the covered entity. The factual basis and rationale for professional judgment that disclosure is in the individual's best interest should also be documented.
• Off-Site Medical Emergencies
A health care provider rendering emergency off-site health care may relay PHI to law enforcement, if disclosure appears necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or the victim of the crime, and the identity, description, and location of the perpetrator. This provision does not apply if the covered health care provider believes that the individual in need of the emergency medical care is the victim of abuse, neglect or domestic violence.
PREPARING TO MAKE THE PERMITTED DISCLOSURES
HIPAA calls for both civil and criminal penalties for privacy violations. Therefore, a covered entity should verify the identity of the law enforcement official(s) before providing access to PHI. HIPAA permits reasonable reliance on agency identification badges or other official credentials when requests are made in person. If the covered entity has no knowledge of what these look like, further steps to verify identity should be pursued.
HIPAA generally does not require law enforcement to make requests or representations in writing. However, it is in the covered entity's interest to secure a written request. If law enforcement representations about the need and use of PHI are not in writing, they should be documented by the covered entity. Similarly, where the covered entity is required to exercise professional judgment in making disclosures, the factual basis and rationale for that judgment should be documented.
Finally, a covered entity must limit the disclosure of PHI to that which is minimally necessary to accomplish the intended purpose for the use or disclosure of information. When reasonable to do so, it may rely upon the representations of law enforcement as to what information is the minimum necessary for the lawful purpose.
ACCOUNTING OF DISCLOSURES
The disclosures to law enforcement discussed in this article, whether requested by law enforcement officials or reported by covered entities, must generally be reported to a patient upon request. Disclosure may be suspended, but never permanently denied. A covered entity may suspend an individual's access to an accounting of disclosures only if law enforcement requests the suspension, specifies the time for which the suspension is required, and represents that the disclosure would be reasonably likely to impede the law enforcement activities. The accounting of disclosures and any representations from law enforcement regarding suspension should be reduced to writing.
Jackie Ni Mhairtin is an associate at Neil Dymott. Her areas of practice include civil litigation, professional liability and the defense of healthcare professionals. For further information, Ms. Ni Mhairtin can be reached at (619) 238-1712 or email@example.com