The United States Department of Health and Human Services (HHS) provides a helpful set of questions and answers on its website regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health care professionals should note that this guidance is informal and may be updated or withdrawn. In addition, state laws may differ on these issues. Below, we highlight two questions and answers from the HHS website.
When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials without the individual’s written authorization under specific circumstances summarized below. For a complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the citations provided.
Disclosures for law enforcement purposes are permitted as follows:
- To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy of the grand jury process provide protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).
- To respond to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and de-identified information could not reasonably be used (45 CFR 164.512(f)(1)(ii)(C)).
- To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person. However, the covered entity must limit disclosures of PHI to name and address, date and place of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR 164.512(f)(2)).
This same limited information may be reported to law enforcement:
- Regarding a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2)).
- To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).
- To respond to a request for PHI about a victim of a crime if the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3)).
Where child abuse victims or adult victims of abuse, neglect, or domestic violence are concerned, other provisions of the Rule apply:
- Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports, and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)).
- Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)):
  - If the individual agrees;
  - If the report is required by law; or
  - If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations (see 45 CFR 164.512(c)(1)(iii)(B)).
  - Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).
- To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds or other violent injuries, and the Rule permits disclosures of PHI as necessary to comply with these laws.
- To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).
- Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or carrying out their other authorized duties (45 CFR 164.512(g)(1)).
- To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).
- When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity—specifically, the commission and nature of the crime; the location of the crime or any victims; and the identity, description, and location of the perpetrator of the crime (45 CFR 164.512(f)(6)). This provision does not apply if the covered health care provider believes that the individual in need of the emergency medical care is the victim of abuse, neglect, or domestic violence; see above adult abuse, neglect, or domestic violence for when reports to law enforcement are allowed under 45 CFR 164.512(c).
When consistent with applicable law and ethical standards:
- To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (45 CFR 164.512(j)(1)(i)); or
- To identify or apprehend an individual who appears to have escaped from lawful custody (45 CFR 164.512(j)(1)(ii)(B)).
For certain other specialized governmental law enforcement purposes, such as:
- To federal officials authorized to conduct intelligence, counter intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3)).
- To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such PHI is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers, employees, or others at a correctional institution or responsible for transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility (45 CFR 164.512(k)(5)).
Except when required by law, the disclosures to law enforcement summarized above are subject to a minimum necessary determination by the covered entity (45 CFR 164.502(b), 164.514(d)). When reasonable to do so, the covered entity may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for their lawful purpose (45 CFR 164.514(d)(3)(iii)(A)). Moreover, if the law enforcement official making the request for information is not known to the covered entity, the covered entity must verify the identity and authority of such person prior to disclosing the information (45 CFR 164.514(h)).
Created 7.23.04
Content reviewed last December 28, 2022
Does the HIPAA Privacy Rule permit covered entities to disclose PHI, without individuals’ authorization, to public officials responding to a bioterrorism threat or other public health emergency?
Yes. The Rule recognizes that various agencies and public officials will need PHI to deal effectively with a bioterrorism threat or emergency. To facilitate the communications essential to a quick and effective response to such events, the Rule permits covered entities to disclose needed information to public officials in a variety of ways.
Covered entities may disclose PHI, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bioterrorism threat or public health emergency (see 45 CFR 164.512(b), public health activities). The Privacy Rule also permits a covered entity to disclose protected health information to public officials who are reasonably able to prevent or lessen a serious and imminent threat to public health or safety related to bioterrorism (see 45 CFR 164.512(j), to avert a serious threat to health or safety). In addition, disclosure of protected health information, without the individual’s authorization, is permitted where the circumstances of the emergency implicate law enforcement activities (see 45 CFR 164.512(f)); national security and intelligence activities (see 45 CFR 164.512(k)(2)); or judicial and administrative proceedings (see 45 CFR 164.512(e)).
Created 3.6.03
Content reviewed last January 9, 2023
For compliance purposes, interactions with state agencies and law enforcement should be documented. This should include reasonable steps to ensure that the individual actually represents the agency that he or she purports to represent. Any court orders, subpoenas, and other similar documents should be retained in the patient’s file. Any disclosure should be tracked as a disclosure that may need to be accounted for if a patient requests an accounting. Additionally, documentation should detail what was disclosed. Regardless of whether the request originated from an agency or a court, or is related to an emergency, the relevant actions should be documented in a location that is retrievable by the health care entity. Finally, health care entities should have policies and training that educate and guide relevant staff on these matters.
