Jump to content

Law Enforcement And Hipaa

Recommended Posts

A covered entity may disclose protected health information (PHI) for a law enforcement purpose, to a law enforcement official, under several sets of circumstances.


A law enforcement official, is defined as "an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe," who is empowered by law to:


* investigate or conduct an official inquiry into a potential violation of law; or


* prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.


First, PHI may be disclosed as required by specific laws, such as those that require the reporting of certain types of wounds or injuries (e.g., gunshots), of child abuse or neglect, and so forth.


Second, PHI may be released in compliance with (and as limited by) the relevant requirements of


* a court order or court-ordered warrant;


* a subpoena or summons issued by a judicial officer;


* a grand jury subpoena; or


* an administrative request, including an administrative subpoena or summons, a civil or authorized investigative demand, or similar process authorized under law.


The information sought in such circumstances must be


* relevant and material to a legitimate law enforcement inquiry;


* specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and


* for a purpose for which de-identified information could not reasonably be used.


Third, PHI may be disclosed for "identification and location" purposes, in response to a law enforcement officer's official request. Purposes would include identifying or locating a suspect, fugitive, material witness, or missing person.


The covered entity may disclose only the following information for identification and location:


* name and address;


* date and place of birth;


* social security number;


* ABO blood type and rh factor;


* type of injury;


* date and time of treatment;


* date and time of death, if applicable; and


* a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.


Perhaps surprisingly, the regulations specifically exclude any PHI related to the individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue (unless it is one of the items listed above). Given the increasing use of DNA typing in criminal investigations, this restriction may not last long.


Fourth, a covered entity may disclose PHI in response to a law enforcement official’s request for such information about an individual who is, or is suspected to be, a victim of a crime, if the individual agrees to the disclosure. It may also disclose even without the individual's agreement, in the case of incapacity or other emergency circumstances, provided that:


* the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;


* the law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and


* the disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.


Fifth, a covered entity may disclose PHI about an individual who has died to a law enforcement official for the purpose of alerting them to the suspicion that the death may have resulted from criminal conduct.


Sixth, PHI may be disclosed to a law enforcement official if the covered entity believes in good faith that it constitutes evidence of criminal conduct that occurred on the premises of the covered entity.


Seventh, a health care provider providing emergency health care in response to a medical emergency, off the premises of the covered health care provider or covered entity, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to the:


* commission and nature of a crime;


* location of such crime or of the victim(s) of such crime; and


* identity, description, and location of the perpetrator of such crime.


If a covered health care provider believes that the medical emergency is the result of abuse, neglect, or domestic violence, the legal rules governing reporting of such crimes govern (see first item above).


Note that recent federal changes, such as the USA Patriot Act (USAPA) and the enabling legislation for the Department of Homeland Security, have made the dividing line between national security and law enforcement activities much less clear-cut.


See also:


* 45 CFR 164.512(f)


Last modified: 14-May-2005 [RC]


Law Enforcement and HIPAA

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...