By Andy Baer, MD
Healthcare providers are well-versed in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and the broad protection it offers to patient information held by healthcare providers and plans.
However, they might not be as aware of key exceptions to the rule — one of them being requests for protected health information (PHI) from state and local police and other law enforcement agencies.
A healthcare professional or practice may receive a verbal or written request for PHI or copies of medical records from law enforcement officials as part of an investigation. For example, they may be following up on suspected child abuse or investigating an altercation that resulted in a crime. It’s important that healthcare organizations understand how to appropriately respond to such a request to avoid a HIPAA violation and the associated fines.
HIPAA Law Enforcement Exception Defined
The HIPAA Privacy Rule exception for law enforcement purposes, 45 CFR § 164.512(f), permits a covered entity (generally, healthcare providers, health plans and their business associates) to disclose PHI to law enforcement officials without patient authorization under certain circumstances:
- If a court order, court-ordered warrant, subpoena or administrative request has been issued
- To identify or locate a suspect, fugitive, material witness or missing person
- To answer a law enforcement official’s request for information about a victim or suspected victim of a crime
- To alert law enforcement of a person’s death if the organization suspects that criminal activity caused the death
- When an organization believes that PHI is evidence of a crime that occurred on its premises
- In a medical emergency not occurring on the organization’s premises, when it’s necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
The definition of law enforcement official is broad and applies to an officer or employee (state or federal) who investigates or conducts an official inquiry into a potential violation of law. It also applies to law enforcement officials who prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law. Examples of law enforcement officials include officers, investigators or detectives from a sheriff’s office, the FBI, and state detectives or investigators.
Responding to a Records Request
If a law enforcement official sends a letter requesting records, the letter will likely describe where to send the requested records in addition to providing the law enforcement official’s contact information. Many times, the cover letter or request will not copy the other party because the investigation is sensitive or confidential.
Law enforcement officials also may verbally request PHI or copies of medical records from a healthcare organization either over the phone or in person. If a law enforcement official comes to an organization’s office in uniform and provides proper identification, then it is appropriate to produce the PHI.
However, if the request is made over the phone, a healthcare organization is required to obtain further verification before releasing PHI. Ask the caller to provide a formal request in writing and cite the requestor’s source of statutory authority under state or federal law. The request can be made on official letterhead or by email if the message includes the source of authority and is sent from the official’s work email address.
Healthcare organizations generally do not have to obtain an individual’s written authorization before disclosing PHI if they receive an appropriate written or verbal request from a law enforcement official. However, if the official is requesting the PHI of an adult patient who is a victim of abuse, an organization usually must obtain authorization from the patient before disclosing anything to law enforcement.
Preparing Your Practice to Comply
Communication and training are key to making sure a healthcare practice complies with the law enforcement exception (and all other HIPAA requirements). The following actions can help an organization remain compliant.
- Conduct annual HIPAA training for staff members that includes information regarding Privacy Rule exceptions.
- Establish a process for flagging and handling medical record requests from law enforcement.
- Implement a checklist with the steps necessary to respond to medical record requests from law enforcement.
- When unsure about the legitimacy of a request, contact the law enforcement office involved, ensure that it made the request and clarify the reason for it.
- Share only the patient records requested and nothing more.
- Transmit records in a HIPAA-compliant manner.
The wrongful release of patient health information to law enforcement doesn’t happen often. However, if a healthcare organization inappropriately discloses PHI, it could face a HIPAA violation and the associated fines. Understanding the law enforcement exception to the HIPAA Privacy Rule and implementing processes to answer requests are key to responding appropriately and avoiding penalties.
Disclaimer: The information provided in this article does not constitute legal, medical or any other professional advice. No attorney-client relationship is created and you should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.
Andy Baer, MD serves as the Chief Medical Officer of MagMutual.