By Lieutenant Kim Wilson, J.D., Portsmouth, Virginia, Police Department
he Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. 1320d and the following sections, protects an individual’s private health information from release to unauthorized persons. The act’s Privacy Rule is designed to balance the interests of patient care against the patient’s right to confidentiality, and protects all "individually identifiable health information" held or transmitted by a covered entity in any form.1 This rule is applicable only to covered entities, which include health-care providers, health plans, and health-care clearinghouses.2 A covered entity that violates HIPAA’s Privacy Rule may face civil or criminal penalties, depending on the circumstances of the disclosure.
What do HIPAA and the Privacy Rule mean to law enforcement officials who are investigating crimes that involve injury to victims and who cannot obtain victim consent for the release of protected health-care information? Due to legitimate investigative concerns, HIPAA carves out very specific exceptions for law enforcement access to medical information, and agency personnel must be aware of them and their requirements to access confidential patient information when consent cannot be obtained.
Law Enforcement Disclosure Exceptions
Under HIPAA’s general rules, a covered entity is authorized to release protected health information if it meets specific requirements established by the code and if the entity provides the individual an opportunity to agree or object to the authorization.3 The rules further allow covered entities to disclose protected health information to law enforcement officials, without the patient’s written consent, when the information is released under any one of the following conditions:
- The disclosure is required by state law, including the reporting of injuries such as gunshots or stab wounds.4
- The disclosure is necessary to comply with a court order or a court-ordered warrant, a subpoena, or a summons issued by a judicial officer or a grand jury.5
- The disclosure is in response to an administrative request, such as an administrative subpoena, investigative demand, or other written request from a law enforcement official. Law enforcement officials can make this request without judicial involvement but must include a written statement that the information is relevant and material to a legitimate law enforcement inquiry, that it is specific and limited in scope, and that information is stripped of personal identifiers that cannot be used.6
- The disclosure is in response to a request for information to identify or locate a suspect, fugitive, witness, or missing person.7 The information released is limited to pedigree information, injury type and date of treatment, date and time of death, and any distinguishing physical characteristics. The covered entity is not authorized to release an individual’s DNA or dental records in these circumstances. A covered entity may also release such information if an individual admitted to committing a violent crime and the entity believes that this person may have caused serious physical harm to the victim.8
- The disclosure is required by law enforcement to investigate a possible violation of law, and the victim cannot consent due to emergency or incapacity. In this instance, law enforcement agencies cannot use the information against the victim and must show that waiting for victim consent will materially and adversely affect the investigation (the covered entity must judge that it is in the victim’s best interest to release the information).9
- The situation involves child abuse or neglect,10 adult abuse, neglect, or domestic violence as required by law,11 or where law enforcement officials are notified of a suspicious death possibly involving criminal activity.12
- If a health-care provider is rendering emergency services off its premises, it may disclose protected health information to the extent necessary to alert law enforcement officials to the commission, nature, or location of a crime or a crime victim as well as the identity, description, and location of the perpetrator.13
It should be noted that the release of private health-care information to law enforcement officials by a covered entity does not authorize those officials to disseminate the records beyond what is needed for the investigation or in court proceedings.
HIPAA establishes minimum requirements for the release of protected health information. Where state law runs contrary to these requirements, it is preempted by the federal requirements. If state law relating to patient information affords greater protection to the individual, state law rules. Such preemption is applicable where it is impossible to meet both federal and state requirements. Thus, it is important that law enforcement officials are familiar with the unique requirements of their own states’ health records privacy laws.
Due to the aggressive protection afforded individuals’ health information by both state and federal laws, obtaining a victim’s consent for the release of protected health-care information is the best way for law enforcement officials to gain access to medical records. When this is not possible or where the needed records involve investigation into criminal wrongdoing, ensuring that agency personnel follow HIPAA or state law guidelines will serve to balance the need to protect a person’s privacy against a valid law enforcement need for relevant investigative information. It will also ensure that health-care entities and their employees cooperate with law enforcement requests for protected information. ?
1See 45 CFR 160.103.
2See generally 45 CFR 164.501 (“Definitions”).
3See 45 CFR 164.502.
4See 45 CFR 164.512 (f) (1) (i).
5See 45 CFR 164.512 (f) (1) (ii) (A and B).
6See 45 CFR 164.512 (f) (1) (ii) (C).
7See 45 CFR 164.512 (f) (2).
8See 45 CFR 164.512 (j) (1) (ii) (A), (j) (2–3).
9See 45 CFR 164.512 (f) (3).
10See 45 CFR 164.512 (b) (1) (ii).
11See 45 CFR 164.512 (c).
12See 45 CFR 164.512 (f) (4).
13See 45 CFR 164.512 (f) (6) (i).