Law Enforcement and HIPAA: What You Need to Know About Disclosing PHI


When law enforcement enters your organization demanding patient information, it can be intimidating. You know that the Health Insurance Portability and Accountability Act (HIPAA) requires you to keep patients’ protected health information (PHI) private. Ordinarily, HIPAA only allows you to disclose PHI for treatment, payment, and healthcare operations or after first getting the patient’s signed authorization. But the urgency of law enforcement requests can pressure healthcare employees into saying “no” or, even worse, making mistakes that violate patients’ rights under HIPAA.

But what should you say when law enforcement comes knocking on your door? Sometimes “no” is the right answer. However, there are many situations in which you can – and should – disclose PHI to law enforcement. This article will clarify:

  • When you may disclose PHI and when to limit the disclosures
  • When reporting to law enforcement is mandatory
  • When you must not disclose PHI

When You May Disclose PHI to Law Enforcement

Warrant, subpoena, or summons. You may disclose PHI without patient authorization when law enforcement provides you with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. You should confirm that the document is valid and then disclose only the information it requests.

Administrative request, subpoena, or investigation. You may disclose PHI in response to an administrative request, such as an administrative subpoena, investigative demand, or other written request from a law enforcement official. However, the request must meet three requirements:

  1. The requested information must be relevant and material to a legitimate investigation;
  2. The requested information must be specific and limited in scope to only what is necessary; and
  3. De-identified information could not reasonably be used.

The patient is a victim of a crime. You may also disclose PHI to law enforcement when the patient is a victim of a crime and agrees to the disclosure. If the person is incapacitated and can’t agree, you should not disclose their PHI unless law enforcement confirms that:

  • They do not intend to use the PHI against the victim;
  • They need the PHI to determine whether another person broke the law;
  • The investigation would be materially and adversely affected by waiting until the victim could agree; and
  • You believe in your professional judgment the disclosure is in the best interest of the patient.

Death of a patient. If a patient dies, and the death is suspected to be the result of a crime, it is permissible to alert law enforcement about the death.

Cases of abuse, neglect, or domestic violence. In cases of adult abuse, neglect, or domestic violence, it is permissible to disclose PHI to law enforcement, as long as:

  • The individual consents;
  • The law requires the report (check with your State law); and
  • You believe in your professional judgment the disclosure is necessary to prevent serious harm to the person or other victims.

Crime on your premises. You may disclose PHI that you believe, in good faith, is evidence of a crime that occurred on your premises.

When to Limit the Disclosures

In some situations, you may disclose limited PHI to law enforcement. In each of the following situations, you should only disclose the PHI that law enforcement needs.

Locating a person. Healthcare employees are permitted to disclose limited PHI to help identify or locate a suspect, fugitive, material witness, or missing person.

The patient is a suspect. You may disclose limited PHI when the patient is suspected of committing a crime against a member of your workforce, and that workforce member, as the victim, makes the report.

Identifying or apprehending a person. You may disclose limited PHI to help identify or apprehend an individual who has admitted to participating in a violent crime that may have caused serious physical harm to a victim. However, the admission must be outside of therapy, counseling, or treatment related to the propensity to commit violent acts.

In each of these situations, your organization should only disclose the following information, as needed, to law enforcement:

  • Name and address
  • Date and place of birth
  • Social Security Number
  • ABO blood type and Rh factor
  • Type of injury
  • Date and time of treatment
  • Date and time of death
  • Description of distinguishing physical characteristics

Unless law enforcement provides a court order, warrant, or administrative request, you cannot disclose:

  • DNA information
  • Dental records
  • Body fluid or tissue typing, samples, or analysis

When Reporting to Law Enforcement is Mandatory

The federal HIPAA law rarely requires you to disclose patient information. You only have to disclose PHI when:

  1. You are communicating with the patient themselves;
  2. The Secretary of the Department of Health and Human Services requests PHI; or
  3. State law requires certain disclosures.

In many States, healthcare organizations must notify law enforcement about any victim that suffers a gunshot wound, knife wound, or other non-accidental injury.

See this state-by-state guide to mandatory reporting of non-accidental injuries.

When You Must Not Disclose PHI to Law Enforcement

In a 2017 incident at the University of Utah Hospital, a law enforcement officer requested a blood draw from an unconscious car crash victim. However, the officer didn’t have a warrant. The charge nurse explained why she couldn’t draw blood without a warrant, the patient’s consent, or the patient being in custody. She also presented the hospital policy to the officer. Still, the officer roughly forced her outside and handcuffed her, but she was soon released without a charge. This shocking incident shows how crucial it is for healthcare employees to know and stand up for patients’ HIPAA rights.

If a law enforcement officer requests PHI without a valid need (as in the Utah case), you and your team must not disclose PHI. In any situation, except those mentioned in this blog, you should not disclose PHI without patient authorization or legal counsel.

In Conclusion

It is your organization’s duty to protect patient information. However, the framers of HIPAA recognized that disclosures are sometimes in a patient’s best interest. So, in some situations, federal and State law allow – or even require – disclosures to law enforcement. Be prepared to give an answer next time a law enforcement official or member of your workforce approaches you about disclosing a patient’s PHI.