HIPAA for law enforcement

While healthcare providers can share protected health information (PHI) with law enforcement in certain situations, they must do so while balancing the need for public safety and law enforcement activities with the privacy and security of patient health information.

HIPAA Privacy and law enforcement

The HIPAA Privacy Rule establishes a framework for the protection and management of individually identifiable health information. While primarily governing the practices of healthcare providers, health plans, and their business associates, it also intersects with law enforcement activities under specific circumstances.

These circumstances involve instances where law enforcement requires access to health information for purposes related to public safety, investigations, or legal proceedings. The Privacy Rule ensures that such disclosures, when permitted, are carried out in compliance with the rights and regulations that safeguard individuals' sensitive health data.

See also: Disclosures of PHI that occur during litigation

Can PHI be shared with law enforcement? 

Yes, PHI can be shared with law enforcement under certain circumstances, as outlined in the HIPAA Privacy Rule. However, such sharing is subject to specific conditions to ensure the privacy and security of individuals' health information.

The types of PHI that could potentially be shared with law enforcement include: 

1. Basic demographic information: This includes details such as the individual's name, address, date of birth, and gender.
2. Medical information related to the incident: Relevant health information directly related to the incident under investigation, such as injuries sustained or medical conditions observed.
3. Information about criminal conduct: PHI that indicates potential criminal activity, injuries resulting from criminal conduct, or other health-related details pertinent to the investigation.
4. Information about victims: PHI about victims of crimes, including health information that assists in identifying and understanding their condition.
5. Information about suspects: Basic health-related information about suspects, such as their physical description or medical conditions, that could aid in identification or apprehension.
6. Information related to cause of death: In cases where law enforcement is investigating a death suspected to be due to criminal conduct, PHI that helps understand the cause of death may be shared.

See also: How to handle PHI when subpoenaed

Circumstances where PHI can be shared with law enforcement

1. Serious and imminent threat to health or safety: PHI may be shared if there is a belief that disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
2. Evidence of crime on premises: If a covered entity in good faith believes that the PHI is evidence of a crime that occurred on its premises, it can disclose this information to law enforcement.
3. Death resulting from criminal conduct: If there's a suspicion that an individual's death resulted from criminal conduct, PHI can be shared with law enforcement to aid in their investigation.
4. Off-site medical emergency involving criminal activity: In cases of off-site medical emergencies involving criminal activity, PHI can be shared with law enforcement to address the situation.
5. Legal orders and requests: PHI can be disclosed in response to court orders, court-ordered warrants, subpoenas, or administrative requests from law enforcement officials, provided that certain conditions are met.
6. Identifying suspects, victims, or missing persons: Basic demographic and health information about suspects, victims, or missing persons can be shared to aid in identification or location efforts.
7. Reporting child abuse or neglect: Child abuse or neglect may be reported to authorized law enforcement officials even without a parent's agreement.

Requirements for PHI to be shared 

1. Authorization: Generally, PHI can be shared with law enforcement if the individual provides a signed authorization explicitly allowing the disclosure of their health information for a specified purpose.
2. Serious and imminent threat: PHI can be shared without authorization if there's a belief that disclosing the information is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
3. Satisfactory assurances in cases of legal order or request: This refers to a provision within the HIPAA Privacy Rule that outlines conditions under which PHI can be shared with law enforcement in response to a court order, court-ordered warrant, subpoena, or administrative request. 
4. Minimum necessary standard: Regardless of the circumstance, PHI shared with law enforcement should adhere to the "minimum necessary" principle. This means only the information necessary for the purpose should be disclosed.

See also: HIPAA Compliant Email: The Definitive Guide

Case Study: Vanderbilt University Medical Center

In a cautionary example of when the minimum necessary principle should have been adhered to, Vanderbilt University Medical Center faced federal investigation and lawsuits for releasing transgender patients' medical records to the Attorney General's Office.

Initially part of a medical billing investigation, the disclosure led to significant public outcry and legal repercussions. The case highlights the complexities and potential pitfalls of sharing PHI with law enforcement, even when entities believe they are complying with the law.

This incident serves as a reminder that PHI disclosures must be handled carefully to balance law enforcement needs with individual privacy rights.