
Law Enforcement Exception to HIPAA: What Providers Need to Know
By Andy Baer, MD
Healthcare providers are well-versed in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and the broad protection it offers to patient information held by healthcare providers and plans.
However, they might not be as aware of key exceptions to the rule — one of them being requests for protected health information (PHI) from state and local police and other law enforcement agencies.
A healthcare professional or practice may receive a verbal or written request for PHI or copies of medical records from law enforcement officials as part of an investigation. For example, the officials may be following up on suspected child abuse or investigating an altercation that resulted in a crime. It’s important that healthcare organizations understand how to appropriately respond to such a request to avoid a HIPAA violation and the associated fines.
HIPAA Law Enforcement Exception Defined
The HIPAA Privacy Rule exception for law enforcement purposes, 45 CFR § 164.512(f), permits a covered entity (generally, healthcare providers, health plans and their business associates) to disclose PHI to law enforcement officials without patient authorization under certain circumstances:
• If a court order, court-ordered warrant, subpoena or administrative request has been issued
• To identify or locate a suspect, fugitive, material witness or missing person
• To answer a law enforcement official’s request for information about a victim or suspected victim of a crime
• To alert law enforcement of a person’s death if the organization suspects that criminal activity caused the death
• When an organization believes that