Law Enforcement and HIPAA: Everything a Law Enforcement Officer Needs to Know: HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Alice M. McCart, J.D.

Jon Tomes and I are wrapping up a delightful weekend in Oklahoma City, OK, attending the Rose State College Writers Conference, where Jon won Honorable Mention in the writing contest for the following article, which he had entered in the Nonfiction Category, “Law Enforcement and HIPAA: Everything a Law Enforcement Officer Needs to Know”:

The purpose of this article is to help police officers, the front-line troops, when they investigate “workplace violence,” “domestic terrorism,” and the like, rather than being allowed to call it what it really is, criminal assault, by giving some help on how to obtain health information that is relevant to their investigations. So I am writing this article to help law enforcement understand where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) allows them to obtain individually identifiable health information for law enforcement purposes and where it is an impediment to obtaining such information. Overall, HIPAA permits law enforcement more access than it prohibits, but overreaction to HIPAA’s criminal and civil penalties often causes those subject to HIPAA to make a knee-jerk reaction and deny access when HIPAA clearly allows it. Part of this fear comes from HIPAA’s criminal penalties, which include up to ten years’ imprisonment and a $250,000 fine and civil money penalties, the largest of which to date has been $4.8 million.

So what’s the beef? Even though most law enforcement agencies do not have to comply with HIPAA because the law does not apply to them as a so-called “covered entity,” that is, a health care provider, a health plan, a health care clearinghouse, or a Medicare prescription drug sponsor, those covered entities cannot disclose individually identifiable health information (called protected health information (“PHI”)) in violation of HIPAA. What makes HIPAA difficult for law enforcement are these HIPAA criminal and civil penalties, which scare the you-know-what out of those in the health care industry, thinking that, if they disclose PHI in violation of HIPAA’s somewhat incomprehensible rules, they are going straight to HIPAA jail or will be hit with a seven-figure HIPAA civil money penalty, what DHHS calls a fine.

The author could recount dozens of horror stories of refusals to provide PHI to law enforcement that seriously endangered citizens out of an overreaction to potential HIPAA liability but will just mention one. An inmate at North Alabama Regional Hospital escaped, climbed over the barbwire fence, and ran away in late January in a sleet storm dressed only in his pajamas. His attending physician, the clinical director of the hospital, went to the medical records department and asked for his parent’s contact information, believing that he was going home to mommy, and he wanted to alert law enforcement to pick him up. The medical records employee, citing HIPAA, refused to give it to him. He ultimately got the information, which was releasable under two of the grounds: PHI needed to locate a suspect or missing person, or PHI to prevent a serious and imminent threat to a named individual (the patient) or the public. I’m not a clinician, but I have tried enough cases as a malpractice attorney and have been on the raw edge of hypothermia myself and, consequently, believe that I can opine that it is a serious and imminent threat. This case had a happy ending. The patient quickly decided that it was not all that much fun to wander around the Northern Alabama Mountains in his pajamas in a sleet storm, saw a police car, and surrendered himself in order to get warm.

Now that we have a handle on the problem, let’s focus on the Privacy Rule exceptions that do not require patient consent, authorization, or an opportunity to object. 45 C.F.R. § 164.512 specifies uses and disclosures that do not require individual consent, an authorization, or an opportunity to agree or consent. These uses and disclosures are generally permissive, as opposed to mandatory. The ones relevant to law enforcement follow.

Uses and disclosures to avert a serious threat to health or safety.

A covered entity may, consistent with applicable laws and ethical standards, use or disclose PHI if the covered entity believes, in good faith, that the use or disclosure is necessary in either of the following situations:

  • To prevent or lessen a serious and imminent threat to the health or safety of a person or of the public and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
  • For law enforcement authorities to identify or apprehend an individual in either of the following cases:
    • Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes caused serious physical harm to the victim.
    • Where it appears from all of the circumstances that the individual has escaped from a correctional institution or from lawful custody.

The covered entity may not use or disclose PHI to prevent or lessen a serious and imminent harm if the entity learned of the information in either of the following situations:

  • In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, counseling, or therapy. In other words, if a psychologist was treating a client for anger management issues and learned that he had committed domestic violence on his spouse the night before, he could not release that information under this ground.
  • Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described immediately above.

A disclosure to prevent such a serious and imminent threat may contain only the information in § 164.512(j)(1)(ii)(A) (the statement of an individual admitting participation in a violent crime) and (f)(2)(i) (limited information for identification and location purposes, see below).

A covered entity that uses or discloses PHI to prevent or lessen a serious and imminent threat is presumed to have acted in good faith with regard to its belief justifying use or disclosure under this subsection if the belief is based upon the covered entity’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority. Thus, a covered entity has little, if any, potential liability for making such a disclosure but could face significant liability if it fails to make such a disclosure and serious harm results. With this presumption of good faith, it is unlikely that a covered entity will face any liability for a disclosure to law enforcement in these circumstances.

Identification and location purposes

45 C.F.R. § 164.512(f)(2)(i) permits a covered entity to disclose PHI (except for disclosures required by law, see below), in response to a law enforcement official’s request for such information for the purpose of identifying and finding a suspect, fugitive, material witness, or missing person, provided that the covered entity may disclose only the following information:

  • Name and address.
  • Date and place of birth.
  • Social Security number.
  • ABO blood type and Rh factor.
  • Type of injury.
  • Date and time of treatment.
  • Date and time of death, if applicable.
  • Description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, and tattoos.

The covered entity may not, except as permitted by 45 C.F.R. § 164.512(f)(2)(i), disclose for the purposes of identification or location any PHI related to the individual’s DNA or DNA analysis, dental records, or typing, samples, or analysis of bodily fluids or tissue. Of course, law enforcement could obtain such information through legal process, such as a subpoena (see below).

With respect to workforce members who are crime victims, DHHS will not consider a covered entity to have violated the privacy regulations if such victim discloses PHI to a law enforcement official provided that both of the following two conditions apply:

  • PHI disclosed is about the suspected perpetrator of the criminal act.
  • PHI is limited to the following information listed in § 164.512(f)(2)(i):
    • Name and address.
    • Date and place of birth.
    • Social Security number.
    • ABO blood type and Rh factor.
    • Type of injury.
    • Date and time of treatment.
    • Date and time of death, if applicable.
    • Description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, and tattoos.

A recent, true-life situation illustrates another overreaction to HIPAA. A nurse left a patient alone in her office, which doubled as an examining room. And she left her handbag in the room. When she returned, she discovered that her wallet was missing from her purse. She contacted the facility’s privacy officer, who contacted their lawyer who (erroneously) said that they could not report the crime because it would be a HIPAA violation. By the time that they cleared up this erroneous legal advice, the perpetrator had run up large amounts on the nurse’s credit cards.

Uses and disclosures required by law

Under § 164.512(a), a covered entity may use or disclose PHI when required by law. The use or disclosure must be required by a state or federal law, and the use or disclosure must comply with and be limited to the relevant requirements of the law. The covered entity must meet the requirements of § 164.512(c) (disclosures about victims of abuse, neglect, or domestic violence, see below), § 164.512(e) (disclosures for judicial or administrative proceedings, see below), or § 164.512(f) (disclosures for law enforcement purposes, see above) for uses or disclosures required by law.

In other words, PHI to be provided for mandatory reporting of child abuse, elder abuse, and the like may be disclosed without violating HIPAA as follows:

Disclosures about victims of abuse, neglect, or domestic violence

With respect to victims of crime or abuse, except for reports of child abuse under uses and disclosures required by law, above, a covered entity may disclose PHI about an individual who the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive such reports as follows:

  • To the extent that the disclosure is required by law and the disclosure complies with and is limited to the requirements of that law.
  • If the individual agrees to the disclosure.
  • To the extent that the disclosure is expressly authorized by statute or regulation and either of the two following conditions applies:
    • The covered entity, in the exercise of professional judgment, believes that the disclosure is necessary to prevent serious harm to the individual or other potential victim.
    • If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the individual and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

This portion of the Privacy Rule does not, however, end the inquiry into whether the covered entity may disclose PHI in response, for example, to a subpoena or a search warrant or an arrest warrant. Some statutes, those that contain more privacy protection than HIPAA does, require more than a HIPAA-compliant subpoena. Again, a subpoena or a court-issued warrant, whether a search warrant or an arrest warrant, is not sufficient to obtain substance abuse treatment information, which has extra privacy protection under 42 C.F.R. Part 2. That federal statute forbids the disclosure of substance abuse treatment information except in circumstances that are much more stringent than HIPAA. For example, a search warrant or an arrest warrant will not work for substance abuse treatment information. It must be a court order. Thus, the HIPAA authorized disclosure for PHI concerning victims of crime and abuse will not work for substance abuse treatment patients because 42 C.F.R. Part 2 requires a court order. Other than this federal requirement, which many states have adopted or simply follow, there may be other statutes and regulations that give more protection to individually identifiable health information. A compendium of such laws is beyond the scope of this article, but law enforcement officers should determine whether such laws require them to go beyond the HIPAA requirements, such as by obtaining a court order.

Other possible law enforcement authorized disclosures

Three other authorized disclosures could come up involving law enforcement: information about decedents where the covered entity suspects that the death may have resulted from criminal conduct, disclosures to authorized federal officials providing protective services for the President or other person authorized by 18 U.S.C. § 3056 (high-ranking government officials, foreign heads of state, and other Secret Service protectees), and disclosures by correctional institutions and other law enforcement custodial institutions.


HIPAA requires covered entities to not just roll over and play dead when law enforcement or anyone else asserts that HIPAA allows them access to PHI. They must go through a four-step process to ensure that the disclosure is proper.

First, the covered entity must verify the requester’s identity and authority to access the PHI. Thus, a covered entity should ask a plainclothes officer to see his or her badge or other credentials and, if I were advising them, to make a Xerox, digital, or other copy of the credentials or other documents.

Second, HIPAA requires the covered entity to compare the facts and circumstances to the detailed criteria of the category, such as, for example, workplace crime disclosures, that the officer is relying on to permit disclosure under HIPAA. More than one set of criteria could be applicable, but the facts must meet all of the criteria of at least one category before the covered entity may release the information.

Third, and finally, if all the criteria of at least one relevant category are met, the covered entity must determine whether any other state or federal law that affords more privacy protection than HIPAA either prohibits the disclosure completely or adds additional criteria. For example, a disclosure that HIPAA would permit of substance abuse PHI would have the additional criterion of requiring a court order.

Now, many health care workers will roll over and play dead if a uniformed officer comes in and makes a colorable argument that HIPAA authorizes him or her access to the chart of a murder suspect. But many won’t. Directors of health information management at hospitals and large physician practices take their HIPAA responsibilities and patient privacy issues very seriously and will stand up to an “if I don’t get access to that chart now, I’m arresting you for obstruction of justice.” And don’t think that such a response hasn’t happened, although it has not resulted in any convictions because it is not obstruction of justice. And the author has defended and judged obstruction of justice cases and knows whereof he speaks. And in the HIPAA cases, all that the threat did was slow down getting access. It’s far better to have your facts straight, use the write-up in this article, and ask to speak to the Privacy Officer, a compliance officer, or in-house counsel as opposed to brow-beating a low-level nurse’s aide who may be so panicked at ending up in HIPAA jail that she is barely willing to give the patient access to his or her own chart. Covered entities train their staffs to avoid HIPAA violations by pointing out the maximum criminal penalty of $25,000 and ten years’ imprisonment (per count) and a seven-figure fine, with the result that staff members are almost afraid to even look at a patient file. No, a respectful, non-threatening approach that demonstrates why HIPAA authorizes this disclosure is far more likely to work. And if it doesn’t work with the low-level worker bee, go upstairs.


HIPAA is actually quite friendly to law enforcement uses and disclosures of PHI. You just have to know the rules, demonstrate your identity and authority to receive the information, fit the facts and circumstances into the criteria for that authorized disclosure, and request the PHI in a professional, respectful manner. This process will work in the vast majority of the cases. Threatening the health care worker with immediate arrest for obstruction of justice will not be likely to help obtain the necessary information quickly because the panicked worker will simply shut down. Rather, ask to speak with the Privacy Officer or, in a larger organization, such as a hospital, the Compliance Officer or in-house counsel. And if doing so doesn’t work because the staff is experiencing what the author calls HIPAA hysteria, shutting down at any HIPAA disclosure that they are not intimately familiar with, either kicking it upstairs or simply going to get, say, a court order will likely get you the information that you need more quickly without giving defense counsel a potential objection to your getting the information.

Alice McCart here again. We hope that Jon’s article helps you if you get requests from law enforcement officers for information protected under HIPAA or if you have family or friends who are in law enforcement and could benefit from the information in Jon’s article. If you need a template in this regard, we have one for you in our Premium Member section on, Request from Law Enforcement for Release of Protected Health Information. Feel free to adapt it to your facility. If you bought our HIPAA Compliance Library, you received with it a one-year subscription to the Premium Member section. If you are having trouble getting into our Premium Member section, please contact our It/order department, or
