NATIONAL CENTER FOR PROSECUTION OF CHILD ABUSE
Volume 16, Number 4, 2003
HIPAA—Exceptions Providing Law Enforcement Officials and Social Service Providers Access to Protected Health Information
The new Privacy Rule, the Health Insurance Portability and Accountability Act (HIPAA), that was enacted by Congress in 1996 and amended by the Department of Health and Human Services (DHHS) in 2002, may affect the ability of prosecutors, police officers and social service agencies to administer child abuse cases, because it prevents certain health care affiliates from disclosing protected health information.
HIPAA was created to provide extensive, nationwide protection to medical information by regulating how “covered entities” use and disclose protected health information.2 Covered entities include health plans, health care clearinghouses and any health care provider that transmits health information electronically.3 Congress established HIPAA to enable people to switch jobs without losing their health insurance, and not to interfere with law enforcement or social services. The civil and criminal penalties attached to HIPAA violations,4 however, may deter covered entities from disclosing protected health information, even when they are authorized to do so.
DHHS enacted a number of exceptions that allow covered entities to provide protected health information to law enforcement officials and social service agencies. It is imperative that law enforcement officials familiarize themselves with these regulations, so that they can continue to obtain indispensable medical evidence to effectively investigate and prosecute child abuse cases. Social service providers must also comprehend the HIPAA exceptions so that they may continue to serve victims of abuse, neglect and domestic violence. This article maps the exceptions law enforcement officials and social service agencies can utilize when requesting protected health information from covered entities.
Exceptions for Law Enforcement Access
There are a number of exceptions that permit law enforcement officials to access protected health information. These exceptions bypass the requirement that the individual consent or be given an opportunity to decide whether his or her protected health information will be disclosed.
- Required by law/mandatory reporting laws: A covered entity may disclose protected health information to law enforcement officials if it is required to do so by law.5 An example would be a state law mandating the reporting of certain wounds or other physical injuries.
- As permitted by a judicial officer: Law enforcement officials may obtain protected health information from a covered entity if they have a court order, warrant, subpoena or summons issued by a judicial officer or a grand jury subpoena.6
- Restricted access for administrative requests: An administrative subpoena may be used to obtain protected health information. In order to use an administrative subpoena, however, the following criteria must be met: 1) The information sought must be relevant and material to a legitimate investigation, 2) the request must be specific and limited in scope to meet its intended purpose, and 3) information that does not reveal the individual’s identity could not reasonably be substituted for the information sought.7
- Restricted access for the purpose of identifying or locating a suspect: Except for disclosures required by law, information provided to law enforcement officials for the purpose of identifying or locating a suspect, fugitive, material witness or missing person is limited. In response to such a request, a covered entity may disclose 1) name and address, 2) date and place of birth, 3) social security number, 4) blood type, 5) type of injury, 6) date and time of treatment, 7) date and time of death if applicable and 8) description of distinguishing physical characteristics.8 When the information sought is for identification and location purposes, a covered entity may not provide any information related to an individual’s DNA or DNA analysis, dental records or analysis of body fluids or tissue.9
- Victims of a crime: Health care entities may also provide law enforcement officials with an individual’s protected health information if the individual is a suspected victim of a crime.10 In such cases, covered entities can only disclose information if 1) the individual agrees to disclosure, or 2) the covered entity cannot obtain the individual’s agreement because of incapacity or an emergency.11 In cases of incapacity or emergency, it is necessary that 1) the law enforcement official represents that such information is needed to determine whether a crime was committed by someone other than the individual and will not be used against the victim, 2) the law enforcement official represents that law enforcement activity depends on disclosure and would be materially affected by waiting for the individual’s consent, and 3) the covered entity, while exercising professional judgment, determines that disclosure is in the best interest of the individual.12
- Decedents: If a health care provider suspects that an individual has died as a result of criminal conduct, it may disclose protected health information about the decedent to a law enforcement official.13
- Crime on premises: If a covered entity believes in good faith that protected health information is evidence of criminal conduct that occurred on the premises of the covered entity, it may disclose the information to a law enforcement official.14
- Reporting crime in emergencies: A health care provider rendering emergency medical care off the premises may disclose protected health information to a law enforcement official if the disclosure is needed to alert law enforcement to 1) the commission and nature of a crime, 2) the location or victims of such crime, and 3) the identity, description and location of the perpetrator.15 This exception does not apply if the covered health care provider believes the emergency is a result of abuse, neglect or domestic violence.16
- Victims of abuse, neglect or domestic violence: A covered entity that believes an individual has been the victim of abuse may disclose the individual’s protected health information to a government agency that is authorized by law to receive reports of abuse, neglect or domestic violence. Such disclosures are only permitted if at least one of the following applies: 1) the disclosure is required by law, 2) the individual has agreed to the disclosure, 3) the covered entity is expressly authorized by law to disclose such information and the disclosure is necessary to prevent serious harm to someone, and 4) the covered entity is expressly authorized by law to disclose such information and the law enforcement agency represents both that the information will not be used against the individual and that law enforcement activity would be significantly hindered by waiting to get the individual’s consent.17 In these cases, the covered entity must promptly inform the individual that the disclosure was made, unless 1) informing the individual would place the individual at risk of serious harm or 2) the covered entity would be informing the individual’s personal representative who is responsible for the abuse, neglect or domestic violence.18
- Averting a serious threat to health or safety: A covered entity may disclose protected health information if it believes: 1) the disclosure is needed to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the recipient is able to lessen the threat; or 2) the disclosure is critical to law enforcement’s ability to identify or apprehend an individual who either appears to have escaped from the custody of law enforcement or made a statement admitting participation in a violent crime.19 A covered entity acting on such a belief is presumed to be acting in good faith. An entity covered by HIPAA may not disclose protected health information based on an individual’s admitted participation in a violent crime if the statement was made either during therapy, counseling or treatment aimed at lessening the individual’s propensity towards violence, or through a request for such therapy, counseling or treatment. The protected health information that may be disclosed under this exception is subject to the same limitations as placed on the exception made for identifying and locating a suspect.20
- Jails, prisons, law enforcement custody: Correctional institutions and law enforcement officials may obtain the protected health information of individuals in their lawful custody. In such cases, however, a covered entity may only disclose information if the requesting body represents that the protected health information is necessary: 1) to provide health care to the individual, 2) to protect the health and safety of the individual or other inmates, 3) to protect the health and safety of officers, employees or others at the correctional institution, 4) to protect those involved in the transfer or transporting of the individual, 5) to promote law enforcement on the premises of the correctional institution, or 6) to maintain and administer safety, security and good order in the correctional facility.21 An individual is not subject to this exception when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.22
Exceptions for Social Service Agencies
- Child abuse, neglect, or domestic violence: A covered entity may disclose the protected health information of an individual who is believed to be the victim of abuse, neglect or domestic violence. Such a disclosure can be made to a social service or protective services agency that is authorized by law to receive reports of abuse, neglect or domestic violence. Disclosures to social service providers are limited to three types of cases: 1) the individual consents to the disclosure, 2) the disclosure is required by law, or 3) the disclosure is authorized by law, and either the covered entity believes the disclosure is needed to prevent serious harm, or the individual is incapacitated and the public official represents that the information is required for immediate enforcement activity and will not be used against the individual.23 When a covered entity makes a disclosure under this exception it is required to promptly inform the individual. In cases where a covered entity believes that informing the individual or the individual’s representative, such as a guardian, would place the individual at risk of serious harm, the covered entity need not inform the individual or the individual’s representative of the disclosure.24
- Mandatory reporting laws: HIPAA preempts state law with few exceptions. HIPAA does not, however, preempt state law provisions that provide for the reporting of disease, injury, child abuse, death, or for public health surveillance purposes.25 For example, if a state law requires a hospital to report cases of child abuse to a social service agency, HIPAA would not prohibit the disclosure.
Delaying Disclosure to Individuals
An individual may request an accounting of all the instances in which a covered entity has disclosed his or her protected health information within the past six years.26 Covered entities must temporarily suspend an individual’s ability to receive an accounting of disclosures if a law enforcement official submits a written statement that such an accounting would impede law enforcement activities.27 The law enforcement official must specify a time limitation on the suspension. In order to place an immediate halt on an individual’s ability to seek an accounting of disclosures, a law enforcement official may make an oral request to the covered entity and then follow up with a written request within 30 days.28 A covered entity that receives an oral request to suspend an individual’s access to an accounting is required to document the request and temporarily suspend access for a period of no more than 30 days.29 The U.S. Department of Justice informally recommends that a law enforcement official present a badge when making an oral request and submit written requests on official letterhead.
While covered entities may fear penalties for HIPAA violations, there are a number of situations in which law enforcement officials and social service providers should be able to obtain vital medical evidence. The HIPAA regulations are new and it is difficult to predict how the courts will interpret and apply these rules. By understanding the above exceptions, however, law enforcement officials and social service agencies can continue to procure the health information they need in order to serve their communities.
1 Law Clerk, APRI’s National Center for Prosecution of Child Abuse.
2 HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services, Morbidity and Mortality Wkly. Rep., 2003 (Early Release), at 1.
3 HHS General Administrative Requirements, 45 C.F.R. § 160.103 (2003).
4Robert Pear, Health System Wearily Prepares for Privacy Rules, N.Y. Times (April 6, 2003) http://www.nytimes.com/2003/04/06/national/06PRIV.html.
5 § 164.512(f)(1)(i).
6 § 164.512(f)(1)(ii).
7 § 164.512(f)(1)(ii)(C).
8 § 164.512(f)(2)(i)(A)-(H).
9 § 164.512(f)(2)(ii).
10 § 164.512(f)(3).
11 § 164.512(f)(3).
12 § 164.512(f)(3).
13 § 164.512(f)(4).
14 § 164.512(f)(5).
15 § 164.512(f)(6).
16 § 164.512(f)(6)(ii).
17 § 164.512(c)(1).
18 § 164.512(c)(2).
19 § 164.512(j)(1).
20 See generally § 164.512(j)(2-4).
22 § 164.512(k)(5)(iii).
23 § 164.512(c)(i).
24 § 164.512(c)(2).
25 § 160.203(c).
26 § 164.528(a)(1).
27 § 164.528(a)(2)(1).
28 § 164.528(a)(2)(ii).
29 § 164.528(a)(2)(ii).