September/October 2021

When the Police Come Knocking
By Selena Chavis
For The Record
Vol. 33 No. 5 P. 20

Experts weigh in on the dos and don’ts of releasing information to law enforcement.

For many years, the health care industry has been well versed in the parameters of sharing protected health information (PHI) with law enforcement. But even with the best training, HIM professionals, compliance staff, and clinicians still find themselves facing confusing situations—and sometimes making the wrong decisions.

Sue Chamberlain, MSCTE, RHIA, CCS-P, CDIP, vice president of compliance and education with RRS Medical and a member of the Association of Health Information Outsourcing Services (AHIOS), has witnessed extreme responses on the part of both health care organizations and police.

In a recent situation where law enforcement showed up at a physician’s office, she recalls that staff “freaked out” and would provide no information. In another instance, law enforcement tried to intimidate staff into providing more information than was allowed. In terms of legal parameters, both responses were completely off the mark.

Juliana Reno, partner and chair of the Employee Benefits, Executive Compensation, and Health Practice Group at Venable LLP, points out that while release of information (ROI) and law enforcement incidents usually happen at large health systems and emergency departments, other health care organizations can occasionally be faced with these situations. For example, Reno recalls an incident in which police wanted to walk around a 24-hour call center after receiving a tip about a break-in.

“We said, ‘No, you can't do that because you'll be overhearing phone calls with people's names and health information,” Reno says.

Bottom line, there can be confusion all the way around.

Chamberlain notes that uncertainty exists not only on the provider side but also with police and prosecutors. For example, she points out that in the case of a subpoena, a custodian of record can usually sign off if they have the full record and not actually appear in court. Yet, “many of the subpoenas still have the appearance requirement on there, and most assume they can just send records and not appear, which may be what is actually expected by an attorney,” Chamberlain says.

Understanding the various ways that law enforcement can interact with health care organizations can also trip up some organizations. For instance, disclosure is required by law in some situations. In other cases, official processes such as warrants and subpoenas may be required. Often it comes down to understanding the relationship between HIPAA and state laws, says Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of privacy, compliance, and HIM policy with MRO Corp, and AHIOS Legislative and Government Affairs Committee Chair.

“Federal and state laws define some privacy rights for people who want to keep their medical records out of the hands of law enforcement, but law enforcement has many ways to access medical data when investigating crimes, identifying victims, or tracking down a fugitive,” Bowen explains. “Often, the police are able to seek out sensitive medical records without an individual's consent—and sometimes without a judge's authorization.”

When a disclosure is required by state or federal law, you must conform to the limitations in the law, Reno explains. “And if there are additional rules in HIPAA, then you also have to comply with HIPAA,” she says.

Still, while it’s critical to get ROI right when it comes to law enforcement, Reno points out that health care providers and police have a long history of working together. “Cops are generally not trying to get information that they're not allowed to get. Generally speaking, the cops are pretty respectful,” she emphasizes. “And the hospitals are trying to give them everything they can.”

ROI and Law Enforcement Basics
The HIPAA Privacy Rule broadly defines law enforcement as “any government official at any level of government authorized to either investigate or prosecute a violation of the law.”

Bowen points out that under HIPAA, medical information can be disclosed to law enforcement officials without an individual’s permission in a number of ways.

“Disclosures for law enforcement purposes apply not only to doctors or hospitals but also to health plans, pharmacies, health care clearinghouses, and medical research labs,” she says, pointing out that the broader scope is the result of the HITECH Act, which deems both a covered entity (CE) and any business associate as directly subject to these law enforcement access rules.

The challenge can be understanding how the federal rules and state rules interact. For example, Bowen notes that California, where HIPAA does not preempt more privacy-protective state laws, has somewhat stronger privacy rules that require more court involvement.

“In California, search warrants for medical records are generally authorized under the Penal Code and require judicial approval based on probable cause. Less stringent court orders based on a showing of good cause can also be used. And in California, even if a mere administrative subpoena is used, the California Penal Code requires an authorizing court order,” Bowen explains. “By contrast, HIPAA permits the police to use an administrative subpoena or other written request with no court involvement, as long as police include a written statement that the information they want is relevant, material, and limited in scope, and that deidentified information is insufficient.”

Reno says there are two basic rules as to how federal and state law interact. “One rule is that if state law requires a disclosure, then HIPAA permits you to make that disclosure,” she says, emphasizing that state law does not “override” HIPAA, but HIPAA specifically provides this permission. “The second rule is that HIPAA is a floor, not a ceiling. If state law provides greater protection, then state law applies.”

Bowen notes that law enforcement can also bypass judicial and administrative processes under HIPAA to gain access to medical records. For example, the police may request medical information directly to identify or locate a suspect, fugitive, witness, or missing person; when a crime has been committed at a health care facility; or when there is a medical emergency involved in a crime.

“In general, these are permissive disclosures,” Bowen says, although the CE or business associate may also refuse.

The Blue Card Initiative
Bowen points out that when confusion exists, providers tend to err on the side of nondisclosure. For this reason, Health and Human Services established a guide—also dubbed the “Blue Card initiative”—to help educate CEs and provide “in-the-moment” direction about what is acceptable.

Along with an explanation of the HIPAA Privacy Rule and an overview of who is required to comply with the mandate, the blue card provides the following guidelines:

Under what circumstances may a HIPAA CE disclose PHI to law enforcement?

A HIPAA CE may disclose PHI to law enforcement with the individual’s signed HIPAA authorization. A HIPAA CE also may disclose PHI to law enforcement without the individual’s signed HIPAA authorization in certain incidents, including the following:

• to report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;

• to report PHI that the CE in good faith believes to be evidence of a crime that occurred on the premises of the CE;

• to alert law enforcement to the death of the individual when there is a suspicion that death resulted from criminal conduct;

• when responding to an offsite medical emergency, as necessary, to alert law enforcement to criminal activity;

• to report PHI to law enforcement when required by law to do so (such as reporting gunshots or stab wounds);

• to comply with a court order or a court-ordered warrant, subpoena, or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific, and limited in scope, and deidentified information cannot be used);

• to respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person. However, the information must be limited to basic demographic and health information about the person; and

• to respond to a request for PHI about an adult victim of a crime when the victim agrees (or in limited circumstances if the individual is unable to agree). Child abuse or neglect may be reported, without a parent’s agreement, to any law enforcement official authorized by law to receive such reports.

Understanding the Role of Compliance and HIM
When it comes to ROI and law enforcement, the buck stops with HIM and compliance in terms of getting it right. Chamberlain emphasizes that foundationally, these roles exist to protect patients’ rights, while staying in step with the laws.

“They are the people that probably have the best big picture view of what you're trying to accomplish with protecting the patient’s rights, while also trying to provide the needed information for everything to run correctly,” she says. “They understand it probably better than anyone and can help others understand the situations and how to apply the laws in every situation.”

Every CE should have HIPAA policies and procedures that reflect how to respond to law enforcement. Bowen notes that this starts with a review of the Blue Card initiative and appropriate state laws, which should help health care organizations design appropriate policies. Compliance and HIM are subsequently charged with training employees, not only on general HIPAA policies but also on specific procedures.

“In an entity as large as a hospital, there are going to be different trainings depending on whether you're in the emergency department, you're in the medical records department, or you're on the labor and delivery ward,” Reno explains. “There's what I think of as generic HIPAA training—defining terms like PHI—HIPAA 101 kind of stuff. Then there is training in the hospital’s general HIPAA policies and procedures, and then there is specific role-based training—what you need to know to do your job.”

The latter is where ROI and law enforcement processes come into play. Bowen says training should create assurances that appropriate documentation is provided before providing information to law enforcement.

“It is advisable that officers are directed to a central, enterprisewide area to make their requests so that they can be dealt with appropriately,” she suggests. “Too often law enforcement may present requests to emergency department staff or others whose primary role is patient care and not release of information processes.”

A health care organization’s compliance or privacy officer are natural choices for centralizing requests, Reno says. Often, best practices dictate having a single role identified for responding to law enforcement, unless it’s a routine request.

“If there are a lot of routine disclosures, an organization will generally want to have a specific policy because you don't want to bug the privacy officer for something that happens all the time,” she points out. If it happens frequently, it should come down to training appropriate staff such that “if the cop says ABC, you can give him 123,” Reno says.

Outside of routine disclosures, Reno suggests identifying and training someone to serve as a backup in case the compliance or privacy officer can’t be reached.

Getting ROI right when responding to requests from law enforcement can be complex, but today’s health care organizations have tools at their disposal to respond appropriately. The Blue Card should provide foundational guidance for policies and procedures while giving priority to more stringent state laws. While training should encompass all appropriate staff who may interact with law enforcement, a centralized hub for requests is a best practice for ensuring quality control of processes.

— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.