The battle between individuals’ privacy rights and the needs of law enforcement, has raged for centuries in one form or another. When the HIPAA Privacy Rule was implemented, the authors of this rule tried to appease, as it were, both sides. The resulting “compromise” is that protected health information – the information the HIPAA Privacy Rule affords some protection from disclosure – can be disclosed when disclosure is needed by law enforcement. There are limits, however, as to how, where, when, and why, law enforcement may obtain this information. The HIPAA law enforcement exception to the general rule restricting use and disclosure of PHI (unless an exception permits or requires use or disclosure), is discussed below.
What is the HIPAA Law Enforcement Exception?
The HIPAA law enforcement exception can be found in the text of the HIPAA Privacy Rule.
Did you vet your vendors? If not you’re at risk! Learn how to send your vendors risk assessments here.
The Privacy Rule provision that addresses whether PHI can be disclosed to law enforcement is 45 CFR § 164.512. This provision is entitled, “Uses and disclosures for which an authorization or opportunity to agree or object is not required.” The provision then lists circumstances under which PHI may be used or disclosed, despite the general rule. Circumstances allowing use of PHI without written authorization (or an opportunity to agree or object) include (among others):
- A specific state or federal law requires the disclosure of PHI
- Public health activities, which include (among other things):
- Reporting of disease or injury
- Reporting vital events such as birth or death
- Conducting of public health surveillance
- Conducting of public health investigations
- Conducting of public health interventions
- When a covered entity reasonably believes an individual is a victim of abuse, neglect, or domestic violence
- When a health oversight agency seeks to conduct health oversight activities authorized by law. These activities include:
- Licensure or disciplinary actions
- Civil, administrative, or criminal proceedings or actions
- Other activities necessary for appropriate oversight of the healthcare system, government benefit programs, and of:
- Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
- Entities subject to civil rights laws for which health information is necessary for determining compliance
- Disclosures for judicial and administrative proceedings
- Law enforcement purposes
The HIPAA Law Enforcement Exception: What Does it Cover?
Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances (subject to certain conditions):
- As required by law (including court orders, court ordered warrants, subpoenas) and administrative requests;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- In response to a law enforcement official’s request for information about a victim or suspected victim of a crime;
- To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;
- When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and
- By a covered healthcare provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.