HIPAA Disclosures for Law Enforcement Purposes

Description

The HIPAA Privacy Rule protects the privacy of individuals’ protected health information (PHI) while also recognizing that there are legitimate circumstances in which PHI must be disclosed to law enforcement officials or public authorities, even without the individual’s written authorization.

One example is that the Privacy Rule allows covered entities to disclose PHI to public officials responding to bioterrorism threats or public health crises. In these situations, healthcare organizations may share needed information with public health authorities or officials to help prevent or lessen a serious threat to public health or safety without requiring patient authorization. This recognizes that effective emergency response sometimes depends on timely access to health information.

Under the law enforcement provisions detailed in 45 CFR §164.512(f), HIPAA permits covered entities to disclose PHI to law enforcement officials in a number of circumstances. These include disclosures: to comply with a court order, warrant, subpoena, or other lawful process; to assist in identifying or locating a suspect, fugitive, material witness, or missing person; and to respond to administrative requests as long as the information is relevant to a legitimate investigation. When identifying or locating individuals, the HIPAA Privacy Rule limits the PHI that may be disclosed to specified categories such as name, address, date of birth, and date/time of treatment.

HIPAA also permits disclosures when a victim of a crime consents, or if a person is incapacitated and law enforcement represents that waiting for agreement would materially hinder an investigation and that disclosure is in the victim’s best interest. Additionally, covered entities may report PHI if they believe in good faith it constitutes evidence of criminal conduct on the provider’s premises or where there is a death suspected to be from criminal activity. Some disclosures may extend to alert law enforcement about a crime during an off-site medical emergency.

In all cases where disclosures occur but are not required by law, HIPAA’s minimum necessary standard still applies, meaning covered entities must limit PHI shared to what is reasonably needed for the law enforcement purpose. Covered entities must also verify the identity and authority of law enforcement requestors when appropriate.

Areas Covered in the Session

• General HIPAA Disclosure Guidelines
• Disclosures to Law Enforcement for Specific Situations
• What is Permitted vs. What is Required to be Disclosed to Law Enforcement
• Law Enforcement Coordination for Public Health and Emergency Circumstances
• Victims of Crime, Criminal Activity and Death, Locating and Identifying Individuals
• Minimum Necessary Standard to Protect Privacy

Who will Benefit?

Any healthcare practitioner who may, at one point or another, need to cooperate with law enforcement.

Why should you Attend?

One should attend so that they are prepared for and know both their duty and rights if law enforcement ever requests an individual’s PHI.