Law Enforcement Exception to HIPAA: What Providers Need to Know

Mar 20, 2023 at 10:30 am by steve


By Andy Baer, MD

Healthcare providers are well-versed in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and the broad protection it offers to patient information held by healthcare providers and plans.

However, they might not be as aware of key exceptions to the rule — one of them being requests for protected health information (PHI) from state and local police and other law enforcement agencies.

A healthcare professional or practice may receive a verbal or written request for PHI or copies of medical records from law enforcement officials as part of an investigation. For example, they may be following up on suspected child abuse or investigating an altercation that resulted in a crime. It’s important that healthcare organizations understand how to appropriately respond to such a request to avoid a HIPAA violation and the associated fines.

HIPAA Law Enforcement Exception Defined

The HIPAA Privacy Rule exception for law enforcement purposes, 45 CFR § 164.512(f), permits a covered entity (generally, healthcare providers, health plans and their business associates) to disclose PHI to law enforcement officials without patient authorization under certain circumstances.

The definition of law enforcement official is broad and applies to an officer or employee (state or federal) who investigates or conducts an official inquiry into a potential violation of law. It also applies to law enforcement officials who prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law. Examples of law enforcement officials include officers, investigators or detectives from a sheriff’s office, the FBI, and state detectives or investigators.

Responding to a Records Request

If a law enforcement official sends a letter requesting records, the letter will likely describe where to send the requested records in addition to providing the law enforcement official’s contact information. Many times, the cover letter or request will not copy the other party because the investigation is sensitive or confidential.

Law enforcement officials also may verbally request PHI or copies of medical records from a healthcare organization either over the phone or in person. If a law enforcement official comes to an organization’s office in uniform and provides proper identification, then it is appropriate to produce the PHI.

However, if the request is made over the phone, a healthcare organization is required to obtain further verification before releasing PHI. Ask the caller to provide a formal request in writing and cite the requestor’s source of statutory authority under state or federal law. The request can be made on official letterhead or by email if the message includes the source of authority and is sent from the official’s work email address.

Healthcare organizations generally do not have to obtain an individual’s written authorization before disclosing PHI if they receive an appropriate written or verbal request from a law enforcement official. However, if the official is requesting the PHI of an adult patient who is a victim of abuse, an organization usually must obtain authorization from the patient before disclosing anything to law enforcement.

Preparing Your Practice to Comply

Communication and training are key to making sure a healthcare practice complies with the law enforcement exception (and all other HIPAA requirements). The following actions can help an organization remain compliant.

The wrongful release of patient health information to law enforcement doesn’t happen often. However, if a healthcare organization inappropriately discloses PHI, it could face a HIPAA violation and the associated fines. Understanding the law enforcement exception to the HIPAA Privacy Rule and implementing processes to answer requests are key to responding appropriately and avoiding penalties.

Disclaimer: The information provided in this article does not constitute legal, medical or any other professional advice. No attorney-client relationship is created and you should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.

Andy Baer, MD serves as the Chief Medical Officer of MagMutual.
