
EXECUTIVE SUMMARY. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: A Guide for Law Enforcement


EXECUTIVE SUMMARY

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: A Guide for Law Enforcement

The HIPAA Privacy Rule provides Federal privacy protections for individually identifiable health information, called protected health information (“PHI”). The Rule sets out how and with whom PHI may be shared. HIPAA applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically (e.g., billing a health plan). These are known as covered entities. Hospitals, and most clinics, physicians, and other health care practitioners are HIPAA covered entities.

Circumstances under which a HIPAA covered entity may disclose PHI to law enforcement:

A: When the covered entity has obtained the individual’s signed HIPAA authorization, or

B: If the covered entity has not obtained the individual’s signed HIPAA authorization, the entity may disclose PHI in certain incidents, including:

i. To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.

ii. To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.

iii. To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

iv. When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity.

v. To report PHI to law enforcement when required by law to do so (such as reporting gunshots or stab wounds).

vi. To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official.

vii. To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person, but the information must be limited to basic demographic and health information about the person.

viii. To respond to a request for PHI about an adult victim of a crime when the victim agrees. Child abuse or neglect may be reported, without a parent’s agreement, to any law enforcement official authorized by law to receive such reports.

*This is a summary of relevant provisions and does not include all requirements under the HIPAA Privacy Rule.

For more information, please see the attached guide, which provides more detailed scenarios and requirements.


DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI) TO LAW ENFORCEMENT 1 2

Matrix columns: Question/Scenario-PHI; General Acute Patient Information; Mental Health Patient Information; Substance Abuse Patient Information; Accountable Disclosure

1. Not Arrested – Discharge Date. Patient has not been arrested. Can health care provider notify police of patient’s discharge date?

General Acute Patient Information:

Disclosure Permitted: No – unless the patient gives authorization (verbal permission is OK) or police provide a court order.

Health care provider can disclose the location of the patient (e.g., room number) to the police (even if the patient has opted out of the directory), and the police may serve the arrest warrant. If arrest occurs, see No. 2 below.

Documentation: Maintain documentation of patient authorization or court order in patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: See below.

General Rule: No – unless the patient gives authorization (verbal permission is OK) or police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with state law.

If presented with an arrest warrant, health care provider cannot acknowledge the patient is on the premises unless the patient gives authorization.

Law Enforcement Emergency Mental Health: Yes if patient was brought to hospital for emergency mental health treatment by law enforcement and court order or law enforcement request is in place requiring notification to law enforcement of discharge. If presented with a court order or written law enforcement request, consult IHS Law Dept. for assistance in determining whether the order/request complies with state law.

Documentation: Maintain documentation of patient authorization, court order, or law enforcement request in patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: No – unless the patient gives written authorization or police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with 42 CFR Part 2.

If presented with an arrest warrant, health care provider cannot acknowledge the patient is on the premises unless the patient gives authorization.

Documentation: Maintain authorization or court order in patient’s chart.

Accountable Disclosure: Accountable unless disclosed per written patient authorization.

1 This matrix does not cover disclosure of information to law enforcement in mandatory reporting situations, such as violent wounds, nor does it cover child or dependent adult abuse situations.

2


2. Arrested/Prisoner – Discharge Date. Patient has been arrested or is a prisoner. Can health care provider notify the police of patient’s discharge date?

General Acute Patient Information:

Disclosure Permitted: Yes – a health care provider may disclose that an arrestee or prisoner is ready for discharge for purpose of coordinating the patient’s return to jail/prison.

Documentation: Police to fill out Form 1, which should be maintained with patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: Yes – a health care provider may disclose that an arrestee or prisoner is ready for discharge for purpose of coordinating the patient’s return to jail/prison.

Documentation: Police to fill out Form 1, which should be maintained with patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: No – unless the patient gives written authorization or police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with 42 CFR Part 2.

Documentation: Maintain authorization or court order in patient’s chart.

Accountable Disclosure: Accountable unless disclosed per written patient authorization.

3. Arrested/Prisoner – PHI. Patient has been arrested or is a prisoner. May health care provider provide information about the patient to the police/correctional institution?

General Acute Patient Information:

Disclosure Permitted: Yes, if the police/jail represent that the PHI is necessary for (1) the provision of health care to the patient; (2) the administration and maintenance of the correctional institution; or (3) the health and safety of the patient, other inmates/officers/employees of the correctional institution or those responsible for the transportation of the patient.

Disclosure Limitations: Disclose only the PHI that police represent is needed.

Documentation: Police to fill out Form 2, which should be maintained with patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: Health care provider may give limited information necessary for the care and treatment of the patient (i.e. discharge instructions).

Documentation: Document information released in patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: Substance abuse information may not be disclosed to the police/correctional institution unless patient gives written authorization or police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with 42 CFR Part 2.

Documentation: Maintain authorization or court order in patient’s chart.

Accountable Disclosure: Accountable unless disclosed per written patient authorization.

4. Crime Investigation. Police are conducting an investigation into a crime. Police want certain information for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. What information may be given?

General Acute Patient Information:

Disclosure Permitted: The following PHI may be released: (1) patient name and address; (2) date and place of birth; (3) SSN; (4) blood type; (5) type of injury; (6) date and time of treatment; (7) date and time of death; and (8) distinguishing characteristics. Health care provider may not disclose the patient’s DNA, dental records, or typing, samples or analysis of body fluids.

Disclosure Limitations: Disclose only the above-listed PHI that police represent is needed.

Documentation: Police to fill out Form 3, which should be maintained with patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: No – unless patient gives written authorization or police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with state law.

Documentation: Maintain authorization or court order in patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: No – unless patient gives written authorization or police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with 42 CFR Part 2.

Documentation: Maintain authorization or court order in patient’s chart.


5. Court Order, Search Warrant, Grand Jury Subpoena. What information may a health care provider provide in response to a valid court order, court ordered search warrant or grand jury subpoena?

General Acute Patient Information:

Disclosure Permitted: Yes.

Disclosure Limitations: Health care provider may produce only that information authorized by the court order, court ordered warrant or grand jury subpoena.

Documentation: Maintain copy of the court order, search warrant or subpoena in patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: Mental health information may only be provided pursuant to a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with state law.

Disclosure Limitations: Mental health information may not be provided pursuant to a search warrant or subpoena.

Documentation: Maintain a copy of the court order in patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: Substance abuse information may only be provided pursuant to a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with 42 CFR Part 2.

Disclosure Limitations: Substance abuse information may not be provided pursuant to a subpoena or search warrant.

Documentation: Maintain a copy of the court order in patient’s chart.

Accountable Disclosure: Accountable unless disclosed per written patient authorization.

6. Patient Crime Victim. When may a health care provider release information about a patient who may be the victim of a crime (other than child, dependent adult or domestic abuse)?

General Acute Patient Information:

Disclosure Permitted: A health care provider may disclose information about a patient that may be the victim of a crime in response to a law enforcement request if (1) the police provide a court order, search warrant, or grand jury subpoena; (2) the patient agrees to the disclosure (verbal agreement is ok), or (3) all of the following are true: (i) the health care provider is unable to obtain the patient’s agreement because of incapacity or emergency situation; (ii) the patient’s personal representative is unavailable; (iii) the health care provider believes the disclosure is in the best interest of the patient; and (iv) the police make the representations set forth in Form 4.

Disclosure Limitations: Disclose only the PHI that is authorized by the court documents or patient authorization or that police represent in Form 4 is needed.

Documentation: Maintain copy of court documents or Form 4 in patient’s chart or document patient’s permission in patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: A health care provider may not provide the police with mental health information about a patient who may be the victim of a crime unless the patient gives written authorization or the police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with state law.

Documentation: Maintain copy of patient authorization or court order in patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: A health care provider may not provide the police with information about a substance abuse patient who may be the victim of a crime unless the patient gives written authorization or the police provide a court order. If presented with a court order, contact IHS Law Dept. for assistance in determining whether the order complies with 42 CFR Part 2.

Health care provider may not acknowledge that the patient is a patient in the facility.

Documentation: Maintain copy of patient authorization or court order in patient’s chart.


7. Interview/Photograph. May police ask a patient for an interview or photograph?

General Acute Patient Information:

If patient’s condition permits visitors, allow police to see patient.

Mental Health Patient Information:

If police ask to see a mental health patient, ask to check with a supervisor and ask the patient if he/she would like to speak with police. If the patient says “no”, health care provider may not acknowledge that the patient is a patient in the facility.

Substance Abuse Patient Information:

If police ask to see a substance abuse patient, ask to check with a supervisor and ask the patient if he/she would like to speak with police. If the patient says “no”, health care provider may not acknowledge that the patient is a patient in the facility.

8. Participation in Violent Crime. A patient admits participating in a violent crime that the health care provider believes may have caused serious physical harm to the victim. Can the health care provider contact the police and what information may be disclosed?

General Acute Patient Information:

Disclosure Permitted: The health care provider may contact the police unless the information was obtained (1) in the course of treatment/counseling to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or (2) due to a request by the patient to initiate/be referred for treatment or counseling. Contact IHS Law Dept. for assistance in these situations.

Disclosure Limitations: Disclose only the patient’s statement admitting participation in the violent crime and the information set forth in No. 4 above.

Documentation: Document facts in patient’s chart.

Mental Health Patient Information: Contact IHS Law Dept. for assistance.

Substance Abuse Patient Information: Contact IHS Law Dept. for assistance.

Accountable Disclosure: Accountable unless disclosed per written patient authorization.

9. Crime on Premises. Health care provider believes that the patient may have committed a crime on its premises. Can it contact the police, and what information may it release?

General Acute Patient Information:

Disclosure Permitted: Health care provider may contact police if patient has committed or threatens to commit a crime on its premises or against its staff.

Disclosure Limitations: Disclose only the patient’s name and any PHI that constitutes evidence of the crime.

Documentation: Document facts in patient’s chart.

Mental Health Patient Information:

Disclosure Permitted: Health care provider may contact police if patient has committed or threatens to commit a crime on its premises or against its staff.

Disclosure Limitations: The health care provider may only disclose information relating to the crime, not that the patient is a mental health patient.

Documentation: Document facts in patient’s chart.

Substance Abuse Patient Information:

Disclosure Permitted: Health care provider may contact police if patient has committed or threatens to commit a crime on its premises or against its staff.

Disclosure Limitations: The health care provider may only disclose information relating to the crime, not that the patient is a substance abuse patient.

Documentation: Document facts in patient’s chart.


10. Health Care Provider Believes Patient Dangerous. Patient is a serious danger to himself or others. May it contact the police and what information may it release?

General Acute Patient Information:

Disclosure Permitted: Health care provider should contact the police and disclose to them that information which is relevant to lessen the threat to the safety of the patient or others. Contact the IHS Law Dept. for assistance in these situations.

Documentation: Health care provider should document the basis for its determination that the patient is a threat.

Mental Health Patient Information:

Disclosure Permitted: Health care provider should contact the police and disclose to them that information which is relevant to lessen the threat to the safety of the patient or others. Contact IHS Law Dept. for assistance in these situations.

Documentation: Health care provider should document the basis for its determination that the patient is a threat.

Substance Abuse Patient Information:

Disclosure Permitted: Health care provider should contact the police and disclose to them that information which is relevant to lessen the threat to the safety of the patient or others. Contact IHS Law Dept. for assistance in these situations.

Documentation: Health care provider should document the basis for its determination that the patient is a threat.

Accountable Disclosure: Accountable unless disclosed per written patient authorization.

11. Police Believe Patient Dangerous. Police contact health care provider requesting information about a patient/former patient. The police represent that disclosure of the information will avert a serious threat to health or safety. What information may the health care provider release to police?

General Acute Patient Information:

Disclosure Permitted: Health care provider may disclose to the police that information which is relevant to lessen the serious threat to health or safety.

Documentation: Document facts, officer name and badge number in patient’s chart. Must verify identity of police officer by seeing badge, request on letterhead, etc.

Mental Health Patient Information: Contact IHS Law Dept. for assistance.

Substance Abuse Patient Information: Contact IHS Law Dept. for assistance.

Accountable Disclosure: Accountable unless


Reports to Law Enforcement

What to Report (Required by Law) [1] | Relevant Iowa Law
Gunshot wound received in connection with commission of a criminal offense | Iowa Code Section 147.111 (12 hours)
Stab wound received in connection with commission of a criminal offense | Iowa Code Section 147.111 (12 hours)
Serious injury received in connection with commission of a criminal offense [2] | Iowa Code Section 147.111 (12 hours)
Serious injury received in connection with a motor vehicle accident or crash | Iowa Code Section 147.111 (12 hours)
Burn, burn injury or laryngeal edema received in connection with commission of a criminal offense | Iowa Code Section 147.113A (12 hours)
Animal bites | Iowa Code Section 351.36
Assaults against health care provider(s) | Iowa Code Section 708.3A
Suspected dependent adult abuse of child under age 12 | Iowa Code Section 232.69-70 (24 hours)
Suspected dependent adult abuse | Iowa Code Section 235B.3
Discharge of certain mental health patients | Iowa Code Section 229.22

What to Report (Recommended)

Serious injuries or death from sexual assault / domestic violence [3]

Homicide or suspected homicide [4]

Unidentified bodies

Death of child under age of 2 (i.e. possible SIDS)

Drowning death

Death due to poisoning

Death from suicide or suspected suicide

Fatalities from pedestrian, bicycle, motorcycle, snowmobile, boating, watercraft, 4-wheeler or all-terrain vehicles

Death due to drug or alcohol abuse or overdose

Electrical and lightning related deaths

Death related to exposure (hypothermia and hyperthermia)

[1] HIPAA permits a Covered Entity to use or disclose PHI without authorization to the extent that the use or disclosure is required by law and complies with and is limited to the relevant requirements of such law.

[2] A “serious injury” means any of the following: (a) disabling mental illness; (b) bodily injury which creates a substantial risk of death; (c) bodily injury which causes serious permanent disfigurement; (d) bodily injury which causes protracted loss or impairment of the function of any bodily member or organ; and (e) any injury to a child that requires surgical repair and necessitates the administration of general anesthesia. A “serious injury” includes but is not limited to skull fractures, rib fractures, and metaphyseal fractures of the long bones of children under the age of four years. See Iowa Code Section 702.18. Long bones have a tubular shaft and articular surface at each end. The major bones of the arms (humerus, radius and ulna) and the legs (femur, tibia and fibula) are all considered long bones. Metaphyseal fractures typically result from jerking or swinging a child while grasping the child’s ankle or wrist.

[3] HIPAA permits a Covered Entity to disclose certain PHI, without authorization, to government authorities authorized by law to receive reports of abuse, neglect or domestic violence when the Covered Entity reasonably believes an individual is a victim.

[4] HIPAA permits a Covered Entity to disclose PHI for a law enforcement purpose (i.e. pursuant to legal process, crime investigation (identify or locate suspect, fugitive, material witness or missing person), victims of crime, deceased individuals, crime on premises, emergencies) to a law enforcement official without an authorization if certain conditions are met, as applicable.


A Guide for Law Enforcement

What is the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides Federal privacy protections for individually identifiable health information, called protected health information or PHI, held by most health care providers and health plans and their business associates. The HIPAA Privacy Rule sets out how and with whom PHI may be shared. The Privacy Rule also gives individuals certain rights regarding their health information, such as the rights to access or request corrections to their information.

Who must comply with the HIPAA Privacy Rule?

HIPAA applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (e.g., billing a health plan). These are known as covered entities. Hospitals, and most clinics, physicians and other health care practitioners are HIPAA covered entities. In addition, HIPAA protects PHI held by business associates, such as billing services and

Who is not required to comply with the HIPAA Privacy Rule?

Many entities that may have health information are not subject to the HIPAA Privacy Rule, including:

• employers,

• most state and local police or other law enforcement agencies,

• many state agencies like child protective services, and

• most schools and school districts.


Under what circumstances may a HIPAA covered entity disclose PHI to law enforcement?

A HIPAA covered entity may disclose PHI to law enforcement with the individual’s signed HIPAA authorization.

A HIPAA covered entity also may disclose PHI to law enforcement without the individual’s signed HIPAA authorization in certain incidents, including:

• To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.

• To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.

• To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.

• When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity.

• To report PHI to law enforcement when required by law

• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used).

• To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person, but the information must be limited to basic demographic and health information about the person.

• To respond to a request for PHI about an adult victim of a crime when the victim agrees (or in limited circumstances if the individual is unable to agree). Child abuse or neglect may be reported, without a parent’s agreement, to any law enforcement official authorized by law to receive such reports.
