HIPAA: Responding to Law Enforcement and Administrative Requests and Demands Part I

August 1, 2018

The Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule attempts to strike a balance between the protection of a patient's privacy and the performance of important law enforcement functions.

This article, Part I of two articles addressing this topic, discusses the various law enforcement-related exceptions to the general rule that the patient's written authorization is required prior to a covered entity's disclosure of protected health information ("PHI"). Part II will address various exceptions specifically related to subpoenas, court orders, warrants, and administrative demands issued by courts, agencies, and attorneys.

Who is a Law Enforcement Official?

Under HIPAA, a "law enforcement official" is defined as an officer or employee of any agency or authority of the United States, a state, territory, political subdivision of a state or territory, or an Indian tribe, who is empowered by law to:

• Investigate or conduct an official inquiry into a potential violation of law; or,
• Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

HIPAA permits covered entities to disclose PHI to a law enforcement official, without the patient's written authorization, for the following purposes:

To Avert Harm

A covered entity may disclose PHI to a law enforcement official to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.

When Required by Law

A covered entity must disclose PHI to a law enforcement official when a law requires the disclosure.

For example, North Carolina law requires a physician to report to law enforcement each case of:

• A bullet wound, gunshot wound, powder burn, or any other injury appearing to arise from or be caused by the discharge of a gun or firearm;
• An illness apparently caused by poisoning;
• A wound or injury apparently caused by a knife or sharp or pointed instrument if it appears to the physician treating the case that a criminal act was involved; and,
• A wound, injury, or illness in which there is grave bodily harm or grave illness if it appears to the physician that the wound, injury, or illness resulted from a criminal act of violence.

Each such report must state the name of the wounded, ill, or injured person, if known; the age, sex, race, residence or present location, if known; and the character and extent of the injuries.

North Carolina law also requires physicians to report to a law enforcement official cases involving recurrent illness or serious physical injury to any child under the age of 18 where the illness or injury appears, in the physician's professional judgment, to be the result of non-accidental trauma.

Further, North Carolina law provides that any person or institution having cause to suspect that any juvenile is abused, neglected, or has died as the result of maltreatment, must report the matter to the director of the department of social services in the county where the juvenile resides or is found. The report must include information known to the person making it including:

• The name and address of the juvenile;
• The name and address of the juvenile's parent, guardian, or caretaker;
• The age of the juvenile; the names and ages of other juveniles in the home;
• The present whereabouts of the juvenile if not at the home address;
• The nature and extent of any injury or condition resulting from abuse or neglect; and,
• Any other information which the person making the report believes might be helpful in establishing the need for protective services or court intervention.

A covered entity should comply with the strict terms of the law and not disclose more than is required by the law.

To Identify or Locate a Suspect, Fugitive, Material Witness, or Missing Person

If a law enforcement official requests PHI to help identify or locate a suspect, fugitive, material witness, or missing person, a covered entity will not violate HIPAA if it discloses the following limited information about the person sought:

• Name and address;
• Date and place of birth;
• Social security number;
• ABO blood type and rh factor;
• Type of injury;
• Date and time of treatment;
• Date and time of death, if applicable; and,
• A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.

Other information related to the individual's DNA, dental records, body fluid or tissue typing, samples, or analysis may not be disclosed under this exception, but such information may be disclosed in response to a court order, warrant, or written administrative request.

Information Regarding a Victim of a Crime

If a law enforcement official requests PHI about a patient who is suspected of being a victim of a crime, a covered entity is not in violation of HIPAA if it discloses PHI if:

• The patient agrees to the disclosure; or,
• The covered entity is unable to obtain the patient's agreement because of incapacity or other emergency circumstance, and:
  • The law enforcement official represents that:
    • The PHI is necessary to determine whether someone other than the patient has committed a crime,
    • The PHI will not be used against the patient,
    • The PHI is needed immediately and the law enforcement activity would be adversely affected by waiting to obtain the patient's agreement, and,

    Information Regarding Death from a Crime

    A covered entity may disclose PHI to notify a law enforcement official about the death of an individual if the covered entity believes the death may have resulted from a crime.

    Information Regarding a Crime Committed on the Covered Entity's Premises

    A covered entity may disclose PHI to law enforcement if the covered entity in good faith believes the PHI evidences criminal conduct on the covered entity's premises.

    Information Regarding a Crime Committed Away from the Covered Entity's Premises

    If, in the course of responding to an off-site medical emergency, covered entity personnel become aware of criminal activity, they may disclose certain PHI to a law enforcement official as necessary to alert such law enforcement official to the criminal activity, including:

    • Information about the commission and nature of the crime;
    • The location of the crime or any victims; and,
    • The identity, description, and location of the perpetrator of the crime.

    Report by a Victim Who is a Member of the Covered Entity's Workforce

    If a person affiliated with the covered entity is the victim of a crime, the victim may disclose PHI about the alleged criminal necessary to report the crime to law enforcement. However, the victim may only disclose the following limited information regarding the person alleged to have committed the crime:

    • Name and address;
    • Date and place of birth;
    • Social security number;
    • ABO blood type and rh factor;
    • Type of injury;
    • Date and time of treatment;
    • Date and time of death (if applicable, of the alleged criminal) and,
    • A description of distinguishing physical characteristics.

    Under HIPAA, the term "workforce" means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or a business associate of a covered entity, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

    Information Regarding an Admission of a Violent Crime

    If a person has admitted participation in a violent crime where a covered entity reasonably believes serious physical harm may have been caused to a victim, the covered entity may disclose PHI to a law enforcement official necessary to identify or apprehend the person, provided that the admission was not made in the course of, or based on, the individual's request for therapy, counseling, or treatment related to the propensity to commit this type of violent act.

    The PHI that may be disclosed is limited to the following:

    • Name and address;
    • Date and place of birth;
    • Social security number;
    • ABO blood type and rh factor;
    • Type of injury;
    • Date and time of treatment;
    • Date and time of death (if applicable, of the person admitting to participation in the crime,); and,
    • A description of distinguishing physical characteristics.

    Identification or Apprehension of a Fugitive

    A covered entity may disclose PHI to a law enforcement official to identify or apprehend an individual who appears to have escaped from lawful custody.

    Information Regarding Prisoners

    If a law enforcement official or a correctional institution requests PHI about an inmate or person in lawful custody, a covered entity may disclose such PHI if a law enforcement official represents such PHI is needed:

    • To provide health care to the individual;
    • For the health and safety of the individual; other inmates; officers or employees of, or others at, a correctional institution; or responsible for the transporting or transferring inmates; or,
    • For the administration and maintenance of the safety, security, and good order of the correctional facility, including a law enforcement official on the premises of the facility.

    Disclosure of PHI to Medical Examiners and Coroners

    A covered entity may disclose PHI about a decedent to medical examiners or coroners to assist them in:

    • Identifying the decedent;
    • Determining the cause of death; or,
    • Carrying out their other authorized duties.

    Disclosure of PHI Pursuant to Subpoenas, Court Orders, Warrants, and Administrative Demands

    The disclosures covered in this Part I deal only with voluntary disclosures, generally as a result of a request by a law enforcement official. A covered entity may, or may be required to, disclose PHI to law enforcement in response to a court order, warrant, subpoena, or other administrative process if certain conditions are satisfied. Those exceptions will be discussed more fully in Part II of this series.

    --
    © 2024 Ward and Smith, P.A. For further information regarding the issues described above, please contact J. Michael Fields .

    This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.

    We are your established legal network with offices in Asheville, Greenville, New Bern, Raleigh, and Wilmington, NC.