To Disclose or Not to Disclose? Understanding Law Enforcement Exceptions to HIPAA Policies
March 8th, 2019
Maintaining medical privacy for patients is a top concern for physicians and their practices. However, it can be difficult for healthcare professionals to understand the full scope of HIPAA legislation and determine when it’s appropriate to disclose protected health information. HIPAA protections do not apply in all situations, and many exceptions exist to protect doctors, patients, and the general public in a variety of scenarios, particularly those that involve providing information to law enforcement officials.
Here are some exceptions and guidelines practices should consider:
“Serious and Imminent Threat”
The HIPAA privacy rule states that a covered entity may disclose protected health information (PHI) to law enforcement without the individual’s signed HIPAA authorization form when the action is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public and the disclosure is made to a person reasonably able to prevent or lessen the threat.
That likely seems vague. But when it comes to HIPAA exceptions, the U.S. Office for Civil Rights (OCR) defers to the judgement of healthcare professionals to assess the nature and severity of a potential threat. OCR explicitly states it “would not second guess a health professional’s good faith belief that a patient poses a serious and imminent threat to the health or safety of the patient or others and that the situation requires the disclosure of patient information to prevent or lessen that threat.”
In other words, physicians and other medical staff should feel confident in their decision-making abilities and should expect that their sound medical judgement will not be called into question by investigative and enforcement authorities.
Not All Requests Warrant a Warrant
A valid warrant presented by a law enforcement official is a clear indication that the provider can (and must) release PHI. But not all scenarios will be that clear-cut.
Some circumstances in which providers may disclose information about a patient to law enforcement without a warrant include:
- To report or confirm the death of an individual when there is suspicion that the death was a result of criminal conduct
- When responding to an off-site medical emergency, as necessary to report criminal activity
- To report information when required by law (such as gunshot or stab wounds)
- To respond to a request for purposes of identifying or locating a suspect, fugitive, material witness, or missing person
- To respond to a request for information about an adult victim of a crime when the victim agrees
- To report abuse or neglect
- To report domestic violence
- To report a crime that occurred on premises
- To provide information to correctional institutions
Let Me See Some I.D.
When a law enforcement official requests medical information, it’s up to the medical professional to do his or her due diligence to ensure the requesting party is entitled to have access to the information and is actually who they say they are. Individuals or organizations will need to verify the requesting party’s identity by way of official documents or other forms of identification.
If a request for information is made in person, the provider should request an agency identification badge, other official credentials, or proof of government status. Should a request arrive in writing, the provider should ensure it has been delivered on appropriate government letterhead and contains necessary evidence or documentation of agency.
In addition, we suggest that personnel make copies of the individual’s identification, as well as warrants and pertinent documents for internal records. In some situations, personnel should also reach out to the official’s agency to verify his or her identity.
The Bottom Line
HIPAA is designed to protect patients’ privacy, not incapacitate healthcare providers. At the end of the day, physicians and other medical professionals should feel empowered to use their best judgement when it comes to disclosing PHI without signed consent in an effort to protect the health and safety of patients and others.
Every situation is unique, and advice on how to handle different scenarios may vary. Medical Mutual members who would like to learn more should review our HIPAA Final Rule Guide. Our team members are also standing by to assist our members with any questions and can establish connections with outside counsel for individualized legal advice when necessary. For further guidance on this issue, Medical Mutual members are encouraged to reach out to our Claims and Risk Management Departments at 800.662.7917.
Disclaimer: This post is written in general terms and is not a substitute for legal advice or intended to create an attorney-client relationship.
Jason Newton is Medical Mutual’s Senior Vice President & Associate General Counsel, based in Raleigh, NC.