Considerations for Law Enforcement Interactions
By Jean Martin
Health care providers may experience interactions with law enforcement personnel that create uncertainty around their responsibilities to patients, including the duty to protect patients’ privacy. Law enforcement personnel are tasked with ensuring public safety and conducting criminal investigations.
When these duties intersect as they relate to patients in the health care system, providers should understand how to meet their obligations while respecting the requests of law enforcement personnel. Situations that providers may encounter with law enforcement include treating a gunshot wound, reporting child abuse or neglect, possible threats to public safety, and if there is a crime on the premises of a medical facility or practice.
PROTECTED HEALTH INFORMATION UNDER HIPAA
Before disclosing patient information to law enforcement, a provider should consider whether it is protected under the federal Health Insurance Portability and Accountability Act (HIPAA) rules, which provide privacy protections for individually identifiable health information held by health care providers and their business associates. HIPAA “covered entities” include health care providers who transmit any health information in electronic form in connection with a transaction covered under the HIPAA regulations.1
Protected health information (PHI) includes individually identifiable health information transmitted or maintained in electronic media or any other form or medium.1 Individually identifiable health information is information created or received by a health care provider that identifies the individual and relates to the past, present, or future physical/mental health or condition of an individual; the provision of health care to the individual; or payment for the provision of health care to the individual.1
WHO IS CONSIDERED A LAW ENFORCEMENT OFFICIAL?
As outlined in the HIPAA Privacy Rule, a law enforcement official means an officer or employee of any agency or authority within the U.S., who is empowered by law to: (1) Investigate or conduct an official inquiry into a potential violation of law; or (2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.2
Law enforcement officials include (but are not limited to):
Police officers and state troopers
Sheriffs and sheriffs’ deputies
DEA and FBI special agents
The default position under HIPAA is that PHI cannot be disclosed without the patient’s authorization, but there are some exceptions relevant to law enforcement, including where reporting is required by state law.
KEY CONSIDERATIONS FOR ANY LAW ENFORCEMENT INTERACTION:
Don’t be afraid to ask for identification. Have they properly identified themselves? If the law enforcement official is not known to the provider, the provider must verify the identity and authority of the person.3 Processes should be in place for in-person, phone, and email interactions.
Share your side of the situation. Explain your understanding of the situation and the laws (HIPAA, etc.) that govern your actions of what you can and can’t do.
When trying to decide which federal or state law applies, the more restrictive one will likely apply. In general, if there is a state or federal law that is more restrictive than HIPAA (more protective of a patient’s privacy), providers are required to comply with the more restrictive law.
Document the details. Obtain any documentation or statements from the person requesting protected health information (PHI) when these documents or statements are relied upon to make the disclosure.4
Respect law enforcement and the challenges they are dealing with. Do not physically interfere with law enforcement officials or provide them false or misleading information.
Don’t provide more information than what is necessary. Unless disclosures made to law enforcement are required by law, they should be held to the “minimum necessary” standard. This means that when using or disclosing PHI, the HIPAA-covered entity or provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request.5 A provider may rely upon the representations of a law enforcement official that the information requested is the minimum necessary for the stated purpose.6
Jean Martin, MD, JD, is a member of COPIC’s Legal Department.
145 C.F.R. § 160.103
245 C.F.R. § 164.103
345 C.F.R. § 164.514(h)(1)(i)
445 C.F.R. § 164.514(h)(1)(ii)
545 C.F.R. § 164.502(b)
645 C.F.R. § 164.514(d)(3)(iii)(A)