The U.S. federal Health Insurance Portability and Accountability Act (HIPAA) went into effect in April 2003. Since then, questions have abounded about the extent to which HIPAA impacts law enforcement’s acquisition or dissemination of health information.
This article seeks to clarify the mysteries of HIPAA and to simplify interpretations by examining three circumstances in which questions about HIPAA might arise: (1) where health or medical information would assist law enforcement in locating or apprehending a suspect; (2) under circumstances of a catastrophic health emergency, such as an influenza pandemic; and (3) when dealing with employee medical issues.
HIPAA is a statute enacted by the U.S. Congress governing privacy of patient health information. Rules interpreting the statute are found in Title 45 of the Code of Federal Regulations (CFR).1 Generally, this privacy rule prohibits the wrongful disclosure of health information relating to an identifiable patient, otherwise known as protected health information (PHI).2
HIPAA regulates persons who have access to individually identifiable medical information and those who conduct certain electronic health care transactions, otherwise known as “covered entities,” which are defined as (1) group health plans; (2) health clearinghouses, such as billing services; and (3) health care providers who bill for services.3 The government is not a covered entity unless it is acting in one of these capacities, such as an administrator for employee health insurance plans or as a medical provider at a jail or prison that bills for those services.
Accordingly, while the privacy rule may affect how law enforcement obtains health information or records, it does not govern an agency’s ability to maintain, use, or disclose information it receives in the course of law enforcement activities.
The HIPAA regulations are enforced by the secretary of Health and Human Services. Thus, even if HIPAA did apply to health information possessed by law enforcement agencies, no individual could file suit against an agency based on an alleged HIPAA violation since there is no private right of action under the statute.4
Exceptions for Disclosure to Law Enforcement
The HIPAA privacy rule has numerous exceptions through which it seeks to balance the privacy of health information with the legitimate public need for disclosure. Specifically of interest to law enforcement are the exceptions for law enforcement access and for threats to public health.5
If a covered entity declines to provide information to law enforcement officers, officers should inform the person speaking on behalf of the covered entity of the exceptions for law enforcement. The U.S. Department of Justice provides the following summary of the exceptions.
Required by law: When the laws of the state require reporting of certain types of wounds or other physical injuries to law enforcement agencies.6
Court order, or warrant, subpoena, or summons issued by a judicial officer: When serving a court-ordered subpoena, the provider can (and must) produce the medical records.7
Grand jury subpoena: When serving a grand jury subpoena, the provider can (and must) produce the medical records.8
Administrative subpoena or request: Three specific requirements must be met: (1) the information sought is material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the purpose for which it is being sought; and (3) de-identified information could not reasonably be used (i.e., without social security number or name, the information would be useless as evidence).9
To locate or identify: This exception permits access to eight types of individually identifiable information (but excludes DNA, dental records, body fluid, or tissue; a subpoena would be necessary).10
Information about a victim of a crime: Information needed about a person who is suspected of being a victim of a crime… or to determine if someone else committed a crime… that cannot be delayed until the victim approves the disclosure.11
Crime on premises: When the information is evidence of a crime that occurred on the premises (e.g., a nursing home, hospital).12
Reporting crime in emergencies: When an emergency health care worker responded to a medical emergency outside the hospital, he may disclose to law enforcement information about the commission and nature of the crime; location of the crime and victims; the identity, description, or location of the perpetrator.13
Victims of abuse, neglect, domestic violence: This exception is limited to specific scenarios; if possible, it is advisable to get a subpoena or the individual’s agreement to use his or her medical information instead of relying on this exception.14
Coroners and medical examiners: When the medical examiner or coroner needs the information to identify a deceased person, determine the cause of death, or perform her or his other duties.15
To avert a serious threat to health or safety: When the disclosure “is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public…; or… to identify or apprehend an individual… because of a statement by an individual admitting participation in a violent crime that… may have caused serious physical harm to the victim; or… the individual has escaped from a correctional institution or from lawful custody.”16
Other important miscellaneous exceptions: Including national security and intelligence; protective services for the president and others; and jails, prisons, law enforcement custody to safeguard the persons in custody or corrections employees who are in proximity to the persons in custody.
Thus, it is clear that a covered entity is permitted to disclose PHI about a person for the purpose of identifying or locating a suspect. Under HIPAA, the covered entity may disclose so-called “limited identifying information,” including name, address, date and place of birth, social security number, blood type, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics.
Exceptions for Public Health
A covered entity is also permitted to disclose PHI to public health authorities and their authorized representatives for public health surveillance, investigations, and interventions. The following are specifically listed as permissible PHI disclosures for public health: child abuse or neglect; quality, safety, or effectiveness of a product or activity regulated by the Food and Drug Administration; persons at risk for contracting or spreading a disease; and workplace medical surveillance.17
The HIPAA regulations permit a covered entity to make disclosures of PHI to avert a serious threat to health or safety without the consent of the individual.18 The public health exemption provides that a covered entity may disclose PHI without individual consent to a,
public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including… the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations and public health interventions.19
A “public health authority” is a public agency or entity “that is responsible for public health matters as part of its official mandate.”20 Because HIPAA does not regulate re-disclosure of information, the public health authority is not precluded from sharing PHI with law enforcement authorities.
Records Related to Employee Health
Since law enforcement agencies are not covered entities under HIPAA, the HIPAA privacy rules have no impact on internal operations relating to employee health and wellness. However, state medical privacy laws and provisions of the Americans With Disabilities Act may apply, and managers should consult with legal counsel when dealing with medical records. In every case, agencies should use care and discretion when dealing with an individual’s medical records, but not be deterred from legitimate employment or law enforcement actions based on a misunderstanding of the scope of HIPAA.
Karen Kruger, Executive Director, Maryland Police and Correctional Training Commission
1. 45 C.F.R. §§164.102-164.534.
2. 45 C.F.R. §162.103.
3. 45 C.F.R. §162.103.
4. Atkinson-Bush v. Balt. Wash. Med. Ctr., Inc., No. L-10-2350, 2011 WL 2216669, at *3 (D. Md. May 25, 2011), aff’d, 585 F. Appx. 161 (4th Cir. 2014).
5. Covered entities also may disclose PHI without consent when national security or intelligence activities are implicated, 45 C.F.R. §164.512(k)(2) or when judicial or administrative proceedings are involved, 45 C.F.R. §164.512(e).
6. 45 C.F.R. §164.512(f)(1)(i).
7. 45 C.F.R. §164.512(f)(1)(ii)(A).
8. 45 C.F.R. §164.512(f)(1)(ii)(B).
9. 45 C.F.R. §164.512(f)(1)(ii)(C).
10. 45 C.F.R. §164.512(f)(2).
11. 45 C.F.R. §164.512(f)(3).
12. 45 C.F.R. §164.512(f)(5).
13. 45 C.F.R. §164.512(f)(6).
14. 45 C.F.R. §164.512(c).
15. 45 C.F.R. §164.512(g)(1).
16. 45 C.F.R. §164.512(j).
17. 45 C.F.R. §164.512(b).
18. 45 C.F.R. §164.512(j)(i)(A).
19. 45 C.F.R. §164.512(b)(1)(i).
20. 45 C.F.R. §164.501.