When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Answer:
The Privacy Rule is balanced to protect an individual’s privacy while
allowing important law enforcement functions to continue. The Rule
permits covered entities
to disclose protected health information (PHI) to law enforcement
officials, without the individual’s written authorization, under
specific circumstances summarized below. For a complete understanding of
the conditions and requirements for these disclosures, please review
the exact regulatory text at the citations provided. Disclosures for law
enforcement purposes are permitted as follows:
- To comply with a court order or court-ordered warrant, a
  subpoena or summons issued by a judicial officer, or a grand jury
  subpoena. The Rule recognizes that the legal process in
  obtaining a court order and the secrecy of the grand jury process
  provide protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).
- To respond to an administrative request,
  including an administrative subpoena or summons, a civil or an
  authorized investigative demand, or similar process authorized under
  law, provided that: the information sought is relevant and material to a
  legitimate law enforcement inquiry; the request is specific and limited
  in scope to the extent reasonably practicable in light of the purpose
  for which the information is sought, and de-identified information could not reasonably be used (45 CFR 164.512(f)(1)(ii)(C)).
- To respond to a request for PHI for purposes of identifying
  or locating a suspect, fugitive, material witness or missing person; but
  the covered entity must limit disclosures of PHI to name and
  address, date and place of birth, social security number, ABO blood type
  and rh factor, type of injury, date and time of treatment, date and
  time of death, and a description of distinguishing physical
  characteristics. Other information related to the individual’s DNA,
  dental records, body fluid or tissue typing, samples, or analysis cannot
  be disclosed under this provision, but may be disclosed in response to a
  court order, warrant, or written administrative request (45 CFR
  164.512(f)(2)).

  This same limited information may be reported to law enforcement:
  - About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2));
  - To identify or apprehend an individual who has admitted participation in a violent crime
    that the covered entity reasonably believes may have caused serious
    physical harm to a victim, provided that the admission was not made in
    the course of or based on the individual’s request for therapy,
    counseling, or treatment related to the propensity to commit this type
    of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).
- To respond to a request for PHI about a victim of a crime, and the victim agrees.
  If, because of an emergency or the person’s incapacity, the individual
  cannot agree, the covered entity may disclose the PHI if law enforcement
  officials represent that the PHI is not intended to be used against the
  victim, is needed to determine whether another person broke the law,
  the investigation would be materially and adversely affected by waiting
  until the victim could agree, and the covered entity believes in its
  professional judgment that doing so is in the best interests of the
  individual whose information is requested (45 CFR 164.512(f)(3)).

  Where child abuse victims or adult victims of abuse, neglect or
  domestic violence are concerned, other provisions of the Rule apply:
  - Child abuse or neglect may be reported to any
    law enforcement official authorized by law to receive such reports and
    the agreement of the individual is not required (45 CFR
    164.512(b)(1)(ii)).
  - Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)):
    - If the individual agrees;
    - If the report is required by law; or
    - If expressly authorized by law, and based on the exercise of
      professional judgment, the report is necessary to prevent serious harm
      to the individual or others, or in certain other emergency situations
      (see 45 CFR 164.512(c)(1)(iii)(B)).
    - Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).
- To report PHI to law enforcement when required by law
  to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly
  require health care providers to report incidents of gunshot or stab
  wounds, or other violent injuries; and the Rule permits disclosures of
  PHI as necessary to comply with these laws.
- To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).
  - Information about a decedent may also be shared with medical
    examiners or coroners to assist them in identifying the decedent,
    determining the cause of death, or to carry out their other authorized
    duties (45 CFR 164.512(g)(1)).
- To report PHI that the covered entity in good faith believes
  to be evidence of a crime that occurred on the covered entity’s
  premises (45 CFR 164.512(f)(5)).
- When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity,
  specifically, the commission and nature of the crime, the location of
  the crime or any victims, and the identity, description, and location of
  the perpetrator of the crime (45 CFR 164.512(f)(6)). This provision
  does not apply if the covered health care provider believes that the
  individual in need of the emergency medical care is the victim of abuse,
  neglect or domestic violence; see above Adult abuse, neglect, or
  domestic violence for when reports to law enforcement are allowed under
  45 CFR 164.512(c).
- When consistent with applicable law and ethical standards:
  - To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (45 CFR 164.512(j)(1)(i)); or
  - To identify or apprehend an individual who appears to have escaped from lawful custody (45 CFR 164.512(j)(1)(ii)(B)).
- For certain other specialized governmental law enforcement purposes, such as:
  - To federal officials authorized to conduct
    intelligence, counter-intelligence, and other national security
    activities under the National Security Act (45 CFR 164.512(k)(2)) or to
    provide protective services to the President and others and conduct
    related investigations (45 CFR 164.512(k)(3));
  - To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody
    of an inmate or others if they represent such PHI is needed to provide
    health care to the individual; for the health and safety of the
    individual, other inmates, officers or employees of or others at a
    correctional institution or responsible for the transporting or
    transferring of inmates; or for the administration and maintenance of the
    safety, security, and good order of the correctional facility, including
    law enforcement on the premises of the facility (45 CFR 164.512(k)(5)).

Except when required by law, the disclosures to law enforcement
summarized above are subject to a minimum necessary determination by the
covered entity (45 CFR 164.502(b), 164.514(d)). When reasonable to do
so, the covered entity may rely upon the representations of the law
enforcement official (as a public officer) as to what information is the
minimum necessary for their lawful purpose (45 CFR
164.514(d)(3)(iii)(A)). Moreover, if the law enforcement official making
the request for information is not known to the covered entity, the
covered entity must verify the identity and authority of such person
prior to disclosing the information (45 CFR 164.514(h)).