Medical Records Privacy
On December 28, 2000, the secretary of Health and Human Services published the final regulation on medical records privacy in the Federal Register. The regulation amends 45 CFR Section 160-164 in an attempt to provide extensive privacy protections to medical information and records and takes effect February 26, 2003. Copies of the preamble to the regulation (akin to the legislative history for a statute) and the text of the regulation can be found at http://aspe.hhs.gov/admnsimp/.
The excerpts and comments that follow pertain to the provisions of the regulation and preamble that most impact law enforcement functions. There are numerous other provisions that pertain exclusively to health care oversight reviews and investigations. These regulations must also be read in light of more restrictive state laws and other federal laws, such as those for drug programs, which restrict access to medical related information. Additionally, psychotherapy notes are held to a higher standard of protection because they are not part of the medical record and were not intended to be shared with anyone else.
Applicability
Except as otherwise provided, the regulation applies to health plans, to health care clearinghouses and to any health care provider who transmits any health information in electronic form. In the regulation these are termed "covered entities." The burden of protecting records is on the medical care community, as are both civil and criminal penalties, for unlawful disclosure. There are no penalties on law enforcement. Medical records or information improperly obtained by law enforcement are not, per se, inadmissible as evidence.
General Rule and Exceptions
The general rule is that the federal regulation will preempt state law unless the state law is more restrictive. State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention are an exception to this general rule.
The regulation does not contemplate sex offenders held in post confinement civil status and states may need to review the medical status of these persons and restrictions which may apply. The regulation does not specifically address drug diversion programs or similar programs in which physical samples are taken to verify the individual's drug abuse status. A court order or consent by the individual will eliminate this problem, but a prosecutor running these types of programs needs to ensure that acceptance into the program includes a specific waiver.
Uses and Disclosures of Protected Health Information
The general rule is that a covered entity may not use or disclose protected health information, except as permitted or required by the regulation.
Permitted disclosure of medical information may be made to the individual covered by the record with a consent from that individual or in compliance with an authorization that complies with provisions of the regulation. The regulation specifies that in a number of circumstances a "personal representative" may act on behalf of the individual.
Minors
In the case of an emancipated minor or incapacitated adult, if state law permits a person to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter with respect to protected health information relevant to such personal representation.
In the case of an unemancipated minor, if state law gives authority to a parent, guardian or other person acting in loco parentis on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative with respect to protected health information relevant to such personal representation. The regulation sets out exceptions permitting the minor to act on their own behalf under specified circumstances.
Cases of Abuse or Neglect
A covered entity may elect not to treat a person as the personal representative of an individual if they have a reasonable belief that the patient has been or may be subjected to domestic violence, abuse or neglect by the personal representative or that providing information to the personal representative could endanger the patient, and the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
Deceased Individuals
If under applicable law an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative with respect to protected health information relevant to such personal representation.
Emergency Circumstances
Protected health information may be disclosed to notify or assist in the notification of (including identifying or locating) a family member, a personal representative of the individual or another person responsible for the care of the individual of the individual's location, general condition or death.
Uses and Disclosures for Which Consent, an Authorization or Opportunity to Agree or Object Is Not Required
A covered entity may use or disclose protected health information without the written consent or authorization of the patient or the opportunity for the patient to agree or object to release under specified circumstances.
Uses and Disclosures Required by Law
A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
Disclosures about Victims of Abuse, Neglect or Domestic Violence
A covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect or domestic violence to a government authority, including a social service or protective services agency authorized by law to receive reports of such abuse, neglect, or domestic violence:
- To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;
- If the individual agrees to the disclosure; or
- To the extent the disclosure is expressly authorized by statute or regulation and:
If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
Disclosures for Law Enforcement Purposes
A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the specified conditions of this section are met, as applicable.
A covered entity may disclose protected health information as required by law including laws that require the reporting of certain types of wounds or other physical injuries or in compliance with a court order or court-ordered warrant; or a subpoena or summons issued by a judicial officer; a grand jury subpoena; or an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand or similar process authorized under law.
Information being sought by warrant must be relevant and material to a legitimate law enforcement inquiry and the request must be specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.
Permitted Disclosures
Limited information for identification and location purposes is permitted to be disclosed. Except for disclosures required by law, a covered entity may disclose limited protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. The covered entity may disclose only the following information: name and address; date and place of birth; social security number; ABO blood type and rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and, a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars and tattoos.
Except as otherwise permitted, the covered entity may not disclose for the purposes of identification or location any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
Crime Victims
Except for disclosures required by law, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime if the victim agrees to the disclosure or the covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance.
In the latter case, the information may only be provided if:
- A law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
- The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and
- The disclosure is in the best interests of the individual as determined by the covered entity in the exercise of professional judgment.
Deaths
A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.
Crime on the Premises
A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.
Reporting Crime in Emergencies
A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to the commission and nature of a crime; the location of such crime or of the victim(s) of such crime; and the identity, description and location of the perpetrator of such crime.
|
