Lens Truth

HIPAA and Law Enforcement: The Intersection of Privacy and Security

The Basics of HIPAA Law

HIPAA Law is short for the Health Insurance Portability and Accountability Act of 1996, a piece of legislation that provides national standards for the protection of sensitive patient health information. For attorneys like us, HIPAA is one of three or four highly relevant acronyms and areas of the law. In addition to HIPAA, most criminal prosecutors will be involved with FMLA (Family and Medical Leave Act) cases, cases under the ADA (Americans with Disabilities Act), and a smaller percentage of sexual harassment cases based on Title VII of the Civil Rights Act of 1964. What these all have in common are issues relating to the workplace. They are highly relevant for the personal injury or medical malpractice lawyer as well.
The goal of HIPAA is to provide standards to protect patients’ medical records and other personal health information provided to health plans, doctors, hospitals, and other healthcare providers. The US Department of Health and Human Services is charged with implementing the following provisions: Title I – HIPAA’s health insurance reforms, which included privacy provisions; Title II – the administrative simplification provisions, which require the establishment of national standards for electronic health care transactions and national identifiers for providers, health plans, and employers; Title III – the tax-related health provisions, including a set of rules regarding medical savings accounts; Title IV – application and enforcement of group health plan requirements; Title V – revenue offsets.
The privacy regulation component of HIPAA provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. Covered entities are required to provide patients with a notice of their privacy practices, adopt privacy and security policies, train employees, and implement safeguards that enforce those privacy and security policies.

HIPAA and Law Enforcement Access

Law enforcement agencies are included in the list of public interest uses and disclosures of protected health information under HIPAA. Even though HIPAA is largely privacy-centric, it also contains significant exceptions allowing covered entities to disclose information to law enforcement personnel when needed to further certain societal and governmental goals. Subpart (f) of 45 CFR § 164.512 describes the following circumstances in which HIPAA permits disclosure of protected health information to law enforcement personnel without patient authorization:
  • to report violations of certain types of injuries or abuse if the patient is a minor;
  • to report suspicious deaths;
  • as required by the U.S. Secretary of Veterans Affairs;
  • to identify or provide information on a victim of a crime;
  • to alert law enforcement of a person’s death under certain circumstances;
  • pursuant to a court order, subpoena, or other specific administrative requests; or
  • consistent with the laws of the jurisdiction.
When disclosing protected health information for law enforcement purposes in any of the above permitted manners, other than disclosures concerning an imminent threat or the victim of a crime, a covered entity must make reasonable efforts to limit the information disclosed to the information reasonably necessary to achieve the purpose for which the disclosure is sought. To the extent needed to provide the individual with notice, the covered entity must also make reasonable efforts, in the same manner as described supra for disclosures to client spouse rights organizations, to: (i) inform law enforcement that information is being disclosed under this section; (ii) inform the individual that the information has been disclosed under this section, if the content of the disclosure is readily apparent in the information disclosed; and (iii) inform the individual at the time of treatment that the information will be disclosed under this section and, if practicable, obtain from the individual a statement of refusal to authorize the disclosure, using the individual’s best efforts to obtain an acknowledgement of that statement of refusal where practicable. If the crime is of such a nature that informing the individual of the disclosure would likely result in harm to the individual or another person, notice is not required. Furthermore, in all cases, a covered entity may "seek a qualified protection order or seek to modify a satisfactory qualified protective order as necessary under the circumstances."

HIPAA Law Enforcement Exceptions

However, there are several exceptions to HIPAA’s restrictions on disclosing personal health information without patient consent. Most of the exceptions offered to law enforcement require a particular type of administrative subpoena. Some exceptions are intended for use only in situations involving public safety. Others permit release of protected health information in connection with law enforcement’s investigation of criminal activity or to allow law enforcement to fulfill its oversight role. This is not a comprehensive list of the reasons law enforcement may request a patient’s health information, but it is a summary of the terms that would allow a release to be made without patient consent:
Crimes on the Premises

A covered entity may disclose PHI without an authorization to a law enforcement official if the covered entity believes in good faith that the PHI disclosed is likely to reveal the location of a victim or alleged perpetrator of a crime, and the disclosure is made to a law enforcement official only to the extent that the disclosure is needed to alert law enforcement of the commission of the crime and to identify or apprehend the suspect or criminal.

Reporting Crimes on Premises

This provision permits a covered entity to disclose limited information to alert law enforcement of criminal activity on its premises without authorization. Covered entities may reveal the following information about a person who is unable to consent: i. name and address; ii. identifying characteristics; iii. the individual’s similarities to a person who is sought by law enforcement.

Victims of Abuse, Neglect or Domestic Violence

A covered entity may disclose PHI without an authorization where the covered entity believes the disclosure is necessary to prevent a serious threat to health or safety, and the disclosure is made to a person reasonably able to prevent or lessen the threat. If other disclosures to government agencies are required, such as making notification to the Secretary of HHS, the Secretary can obtain a court order preventing the disclosure.

Disclosures Required by Law

This exception allows disclosures to law enforcement officials if a covered entity is required by law to make such a disclosure. In addition, if disclosure is mandated by the state based on limitations set forth in California Penal Code Section 11166, et seq., a covered entity can provide that information to county welfare department social workers, but only if there is a reasonable suspicion that the abuse occurred. Disclosure to law enforcement officials should be clearly requested under Welfare and Institutions Code 15630 rather than WIC 11166.

Victims of Abuse and Endangerment

HIPAA permits a covered entity to report an incident of suspected abuse or endangerment related to domestic violence or child abuse without patient authorization only if the information is voluntarily disclosed and where the covered entity: (1) intends to report the information to the appropriate authorities; and (2) obtains a statement from the individual that the reporting occurs with his or her authorization.

The Emergency Exception and 911 Calls

The Emergency Exception permits the sharing of personal health information without patient authorization if the disclosure is permitted in response to exigent circumstances or the treatment of an emergency medical condition. Mandatory reports of gunshot wounds and knife stabbings are often triggered by the call to 911. For example, if a patient arrives at an emergency facility after a gunshot wound or stabbing, the involvement of law enforcement may be permitted upon reasonable cause or if the patient presents a danger to himself or others.

Conclusion

Although HIPAA is restrictive when it comes to how patient health information is shared between a covered entity and a third party, there are important exceptions to HIPAA’s limitations on disclosure of patient health information. Unless the exception is clear, however, a covered entity should consider obtaining patient consent before releasing health information to a third party. Having said that, it is probably equally responsible to educate your staff so they clearly understand the appropriate reasons for disclosure of personal health information to a law enforcement agency before they release patient medical information based on an employee’s discretion.

HIPAA Privacy versus Law Enforcement

Unfortunately, the needs of law enforcement can sometimes run headlong into patient privacy. Here too, the only way forward is the path of the lawyer.
The patient’s right to privacy and confidentiality under HIPAA must be balanced with law enforcement’s immediate need for information. In all cases, the courts leave the judge to decide what’s more important: patient rights or the needs of law enforcement authorities. That means it’s up to your attorney to advocate on behalf of your interests.
For example, law enforcement may request a patient’s medical records without the patient’s consent when they are seeking evidence of abuse, assault or domestic violence. The legal requirements vary, of course, and may also vary from state to state. In this case, the court determined that the provider must still inform the patient and seek his or her consent.
However, if the patient exhibited a "special danger," in this case an unstable gunman, the court allowed law enforcement to obtain the records without the patient’s consent. This case also references another important distinction, one that is discussed further in the article "HIPAA for Law Enforcement, Courts and the Military." As Gilbert Keshner writes, the case "sharply distinguishes cases of ‘non-targeted investigations,’ (when the patient is the target of a criminal investigation), where patient information must be disclosed without consent, and ‘targeted investigations’ (where the patient has no connection to the investigation), which require patient consent." What the court will allow, and whether or not they’ll see things your way, is something that must be evaluated on a case-by-case basis.

Recent Trends and Cases

The confluence of HIPAA’s privacy and security requirements and law enforcement is sometimes full of bumps, twists, and turns. Testimony by U.S. Secret Service agent Sean Cavanaugh before the House Appropriations Subcommittee on Homeland Security on July 14, 2010, that hackers target medical identity data as a way to get access to a credit or debit account or make a claim with an insurer, proves that data is in fact the currency of choice for cybercriminals, and that makes HIPAA a new frontier for law enforcement agencies. Add to the above that HIPAA does not include law enforcement among the "covered entities," and that the definition of "business associates" is narrowing so that it no longer includes the health information exchange (HIE), and what results is a head-scratching, gut-wrenching dilemma for law enforcement and government investigators: they must sort out whether vital health information is available for their use, and in what way such information can be accessed, requested and ultimately obtained while abiding by HIPAA.
The November 2009 decision in In Re: Grey was seen by many as a new frontier for HIPAA’s privacy requirements. The Delaware Supreme Court’s ruling in this case ordered a trial court to apply different legal standards to a prosecutor’s subpoena request for patient records in light of privacy requirements under HIPAA and the Delaware Constitution. The Delaware Supreme Court concluded that, although federal regulations must be considered, it is the state’s responsibility to decide the extent to which patient records may be released to law enforcement authorities. HIPAA does not limit the scope of that inquiry. In re: Grey impacts not only prosecutors but also civil litigants, requiring that, when faced with subpoenas for medical records, Delaware courts look beyond the traditional balancing test of the federal HIPAA regulations to the constitutional privacy right that the Delaware Supreme Court has recognized. The recent decision in In re: Hava allows medical providers in California to comply with a search warrant for physical medical records, but does not make any (further) exception under the federal HIPAA regulations for mental health records. The Court "wr[ote] on a clean slate" to apply the HIPAA privacy regulations to a request for files by the authorities after a search warrant was issued, but simply ordered the mental health providers to turn over only the physical medical files, because a mental health provider had been in those files when the warrant was served. The case isn’t far from the issues raised by the Grey case. It puts medical providers in a tight spot: shall they run afoul of HIPAA by not allowing law enforcement that has properly secured a search warrant into their files, or should they rely on the protection afforded them under the HIPAA regulations and keep out law enforcement even when it has a search warrant, allowing access to these records only by those who have an "authority over the patient"?
And, of course, before Grey, there was the landmark case of United States v. Comprehensive Drug Testing, Inc., which was considered by many as the legal equivalent of a federal Silkwood shower for entities that were not careful about their privacy programs and compliance with the HIPAA privacy standards. In December 2009 a three-judge panel concluded that the original judge on the case, Senior U.S. District Judge Patricia J. Cowart, should not have allowed investigators to seize computers from a closed drug-testing laboratory at a Southern California cancer hospital without specifying the data targets of the search. The ongoing case snared medical providers, medical technology providers, their affiliates and business associates in the government’s hunt for evidence that certain professional athletes were using steroids while competing in Major League Baseball, and raided labs, doctors’ offices, sports team clubhouses, the home of a former Federal Bureau of Investigation official, and a manager of a baseball team in Arizona. These cases, and others, show that some courts continue to sort out the "who can get what and when" question based on HIPAA obligations. Indeed, some courts are focused on the "who can get what and when" question based on HIPAA obligations, but others do not appear to recognize HIPAA authorities as anything more than a prophylactic measure and are shaping case opinions based on "time-tested conventions." To avoid a "scramble for remedying breaches" like what happened in the Comprehensive Drug Testing case, medical providers must adopt steps that will ensure that their release of protected health information and health information technology is authorized to the proper medical care providers, that it is handled in such a way that there is no improper access to protected health information by law enforcement or the public, and that breaches of health information privacy and security are minimized.

HIPAA for Legal and Health Care Institutions

For legal and healthcare institutions alike, navigating the complex intersection of HIPAA and law enforcement can present innumerable challenges. However, there are strategies institutions can use to mitigate risk. In addition to compliance from a corporate perspective, HIPAA requires that covered entities (and their workforce members) understand individual accountability under the law. To this end, covered entities should conduct focused training for particular groups of employees, including those that are typically involved in law enforcement coordination, such as privacy officers and IT administrators. Additionally, covered entities should develop internal policies and procedures relating to HIPAA requests by law enforcement, ensuring that all employees know both what the law requires and how the institution will respond. These policies should include clear rules about what authority must be presented when requests are made, what waiver/permission forms have been pre-authorized, and what protocol must be followed when covered entities face particularized or unusual requests from law enforcement.

©2025 Lens Truth