I recently was told about how a covered entity reacted to a crime committed at its clinic. Apparently, a nurse had left her purse at her desk, with the door open, and had gone to another room to treat a child with the child’s family present. At one point, the father excused himself to use the restroom. After the nurse had finished the session and the family had left, the nurse noticed that her wallet was missing from her purse (which should have been locked up if she was going to leave the room). She called her credit card companies and learned that her credit card had already been used twice to charge things. The child was the only patient that she had treated all day. She notified law enforcement but did not provide the identity of the parent who had been in the room because the practice’s lawyer said that to do so would be a HIPAA violation—disclosing that the child was a patient.

I wish that the covered entity had contacted me. It did not receive good legal advice. HIPAA, in the Privacy Rule, permits disclosures of protected health information (“PHI”) without patient consent or authorization in situations involving crime on the premises. The relevant part of the Rule provides for such disclosures to respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person. But the covered entity must limit disclosures of PHI to name and address, date and place of birth, Social Security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request (45 C.F.R. 164.512(f)(2)). In addition, this same limited information may be reported to law enforcement about a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 C.F.R. 164.502(j)(2)). Thus, HIPAA was no barrier to the nurse identifying the suspect/suspected perpetrator to law enforcement. One would hope that her credit card company blocked further transactions that the perpetrator may have made because law enforcement could not investigate the suspected perpetrator.

Even if the child had been a substance abuse patient and even assuming that notifying law enforcement of the identity of her father was a “communication” concerning substance abuse treatment under 42 C.F.R. Part 2, that regulation would permit the disclosure. Part 2 permits programs to disclose limited information to law enforcement officers. Such disclosures must be directly related to crimes and threats to commit crimes on program premises or against program personnel and must be limited to the circumstances of the incident and the patient’s status, name, address, and last known whereabouts. See 42 C.F.R. § 2.12(c)(5). The crime was clearly against program personnel. Nor would this disclosure appear to be a confidential communication protected by any other state law in this particular jurisdiction.

In such situations, assess the following:

• Was it a crime?
• Was it on the premises or against workforce personnel?
• Does HIPAA, 42 C.F.R. Part 2, or relevant state law permit the disclosure to law enforcement?
• If it permits disclosure, is the disclosure limited to that permitted to be disclosed?
• Have you verified the identity of the law enforcement officer and his or her authority to obtain the information?
• Have you documented the disclosure?

In conclusion, neither HIPAA nor other confidentiality laws make the premises of covered entities into sanctuaries where perpetrators may commit crimes with impunity.