Law Enforcement and HIPAA: What You Need to Know About Disclosing PHI


When law enforcement enters your organization demanding patient information, it can be intimidating. You know that the Health Insurance Portability and Accountability Act (HIPAA) requires you to keep patients’ protected health information (PHI) private. Ordinarily, HIPAA only allows you to disclose PHI for treatment, payment, and healthcare operations or after first getting the patient’s signed authorization. But the urgency of law enforcement requests can pressure healthcare employees into saying “no” or, even worse, making mistakes that violate patients’ rights under HIPAA.

But what should you say when law enforcement comes knocking on your door? Sometimes “no” is the right answer. However, there are many situations in which you can – and should – disclose PHI to law enforcement. This article will clarify:

  • When you may disclose PHI and when to limit the disclosures
  • When reporting to law enforcement is mandatory
  • When you must not disclose PHI

When You May Disclose PHI to Law Enforcement

Warrant, subpoena, or summons. You may disclose PHI without patient authorization when law enforcement provides you with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or grand jury subpoena. You should confirm that the document is valid and then only disclose the requested information.

Administrative request, subpoena, or investigation. You may disclose PHI in response to an administrative request, such as an administrative subpoena, investigative demand, or other written request from a law enforcement official. However, the request must meet three requirements:

  1. The requested information must be relevant and material to a legitimate investigation;
  2. The requested information must be specific and limited in scope to only what is necessary; and
  3. De-identified information could not reasonably be used.

The patient is a victim of a crime. You may also disclose PHI to law enforcement when the patient is a victim of a crime and agrees to the disclosure. If the person is incapacitated and can’t agree, you should not disclose their PHI unless law enforcement confirms that:

  • They do not intend to use the PHI against the victim;
  • They need the PHI to determine whether another person broke the law;
  • The investigation would be materially and adversely affected by waiting until the victim could agree; and
  • You believe in your professional judgment the disclosure is in the best interest of the patient.

Death of a patient. If a patient dies, and the death is suspected to be the result of a crime, it is permissible to alert law enforcement about the death.

Cases of abuse, neglect, or domestic violence. In cases of adult abuse, neglect, or domestic violence, it is permissible to disclose PHI to law enforcement, as long as:

  • The individual consents;
  • The law requires the report (check with your State law); and
  • You believe in your professional judgment the disclosure is necessary to prevent serious harm to the person or other victims.

Crime on your premises. You may disclose PHI that you believe, in good faith, is evidence of a crime that occurred on your premises.

When to Limit the Disclosures

In some situations, you may disclose limited PHI to law enforcement. In each of the following situations, you should only disclose the PHI that law enforcement needs.

Locating a person. Healthcare employees are permitted to disclose limited PHI to help identify or locate a suspect, fugitive, material witness, or missing person.

The patient is a suspect. You may disclose limited PHI about a patient who is the suspected perpetrator of a crime when a member of your workforce is the victim of that crime and makes the report.

Identifying or apprehending a person. You may disclose limited PHI to help identify or apprehend an individual who has admitted to participating in a violent crime that may have caused serious physical harm to a victim. However, the admission must be outside of therapy, counseling, or treatment related to the propensity to commit violent acts.

In each of these situations, your organization should only disclose the following information, as needed, to law enforcement:

  • Name and address
  • Date and place of birth
  • Social Security Number
  • ABO blood type and Rh factor
  • Type of injury
  • Date and time of treatment
  • Date and time of death
  • Description of distinguishing physical characteristics

Unless law enforcement provides a court order, warrant, or administrative request, you cannot disclose:

  • DNA information
  • Dental records
  • Body fluid or tissue typing, samples, or analysis

When Reporting to Law Enforcement is Mandatory

The federal HIPAA law rarely requires you to disclose patient information. You only have to disclose PHI when:

  1. You are communicating with the patient themselves;
  2. The Secretary of the Department of Health and Human Services requests PHI; or
  3. State law requires certain disclosures.

In many States, healthcare organizations must notify law enforcement about any victim that suffers a gunshot wound, knife wound, or other non-accidental injury.

See this state-by-state guide to mandatory reporting of non-accidental injuries.

When You Must Not Disclose PHI to Law Enforcement

In a 2017 incident at the University of Utah Hospital, a law enforcement officer requested a blood draw from an unconscious car crash victim. However, the officer didn’t have a warrant. The charge nurse explained why she couldn’t draw blood without a warrant, the patient’s consent, or the patient being in custody. She also presented the hospital policy to the officer. Still, the officer roughly forced her outside and handcuffed her, but she was soon released without a charge. This shocking incident shows how crucial it is for healthcare employees to know and stand up for patients’ HIPAA rights.

If a law enforcement officer requests PHI without a valid need (as in the Utah case), you and your team must not disclose PHI. In any situation, except those mentioned in this blog, you should not disclose PHI without patient authorization or legal counsel.

In Conclusion

It is your organization’s duty to protect patient information. However, the framers of HIPAA recognized that disclosures are sometimes in a patient’s best interest. So, in some situations, federal and State law allow – or even require – disclosures to law enforcement. Be prepared to give an answer next time a law enforcement official or member of your workforce approaches you about disclosing a patient’s PHI.
