Disclosing PHI To Law Enforcement Officials Who Don’t Have

NOVEMBER 2004 TRAINING SESSION
This month’s training session is for physicians, nurses, and clinical staff; public relations staff; HIM and
medical records staff; business office and marketing staff; volunteers; and receptionists and front-end staff.
IN THIS ISSUE
17 Rules for Disclosing PHI When Law Enforcement Officials Don’t Have a Court Order, Subpoena, or Warrant . . . . . 1
Rules #1–#2: Disclosing PHI to Law Enforcement Officials When Your State or Other Law Requires or Permits the Disclosure . . . . . 1
Rules #3–#4: Disclosing PHI to Law Enforcement Officials When the Patient Is a Crime Victim . . . . . 2
Rules #5–#6: Disclosing Limited PHI to Law Enforcement Officials in Certain Situations Without Getting the Patient’s Authorization to Do So . . . . . 3
Rule #7: Disclosing PHI to Law Enforcement Officials When Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity . . . . . 4
Rule #8: Disclosing PHI to Law Enforcement Officials When Your Organization Suspects that a Crime Has Been Committed at Its Facility . . . . . 5
Rule #9: Disclosing PHI to Law Enforcement Officials to Report a Crime When Your Organization Delivers Off-Site Emergency Services . . . . . 5
Rule #10: Disclosing PHI to Law Enforcement Officials When the Patient Is a Victim of Abuse, Neglect, or Domestic Violence . . . . . 5
Rule #11: Disclosing PHI to Law Enforcement Officials When the Patient Is in a Correctional Facility or Custody of a Law Enforcement Official . . . . . 6
Rules #12–#13: Verifying a Law Enforcement Official’s Identity and Authority . . . . . 6
Rules #14–#17: Accounting for Your Organization’s Disclosures to Law Enforcement Officials . . . . . 7
At a Glance . . . . . 7
Trainer’s Quiz . . . . . 9
Trainer’s Answers & Explanations . . . . . 10

Disclosing PHI to Law Enforcement Officials Who Don’t Have a Court Order, Subpoena, or Warrant

In previous issues, we’ve trained you on what to do before disclosing patients’ PHI to law enforcement officials with a court order, subpoena, or warrant. Generally, the HIPAA privacy regulations let your health care organization disclose PHI in response to a court order or subpoena without getting the patient’s authorization to do so (see “Responding to a Subpoena for a Patient’s PHI,” Trainer, Oct. 2003). And your organization may generally disclose a patient’s PHI to a law enforcement official who has a search warrant without getting the patient’s authorization (see “Disclosing PHI to Law Enforcement Officials with Search Warrant,” Trainer, Jan. 2004).

This training session focuses on when you may disclose a patient’s PHI to law enforcement officials who show up at your organization without a court order, subpoena, or warrant, and what PHI you may disclose. Generally, whether or not a disclosure is okay will depend on why the officials want the PHI disclosure. For example, state or federal law may require your organization to disclose a patient’s PHI to law enforcement officials under certain circumstances (say, when a patient’s wounds are the result of gunshots or stabbing). If so, your organization may disclose the patient’s PHI without the patient’s authorization. But generally, if a patient is a crime victim, your organization needs the patient’s permission to disclose her PHI to law enforcement officials. If your organization fails to get the patient’s permission when required to do so, you or your organization could face fines, lawsuits, or other penalties for wrongful disclosure of her PHI.

To help you understand what PHI you may disclose to law enforcement officials without a court order, subpoena, or warrant, and when to do it, we give you 17 rules to follow. There’s also a Trainer’s Quiz to help you test your knowledge.
HIPAA SECURITY & PRIVACY STAFF TRAINER
NOVEMBER 2004

BOARD OF ADVISORS
Jana H. Aagaard, Esq., Law Office of Jana H. Aagaard, Carmichael, CA
Miriam Paramore, PCI: e-commerce for healthcare, Louisville, KY
M. Peter Adler, Esq., Foley and Lardner, Washington, DC
Judy Rhodes, RN, Peer Consulting, Indianapolis, IN
Patricia Gentil, Waterbury Hospital, Waterbury, CT
Jackie Selby, Esq., Oxford Health Plans, Inc., Trumbull, CT
Gwen Hughes, RHIA, Care Communications, Chicago, IL
Jay Silverman, Esq., Ruskin Moscou Faltischek, PC, Uniondale, NY
Gretchen McBeath, Esq., Brickler & Eckler, LLP, Columbus, OH
Errick Woosley, E. Woosley & Assocs., Batesville, IN

Michelle Wilson, Editor
Lauren McCloud, Group Publisher
Suzanne Perney, Publisher

HIPAA Security & Privacy Staff Trainer is published monthly by HCPro, Inc., 100 Hoods Lane, Marblehead, MA 01945. Subscription rate: $357/year; back issues are available at $25 each. Postmaster: Send address changes to HIPAA Security & Privacy Staff Trainer, P.O. Box 1168, Marblehead, MA 01945.

Copyright 2004 HCPro, Inc. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, Inc., or the Copyright Clearance Center at 978/750-8400. Please notify us immediately if you have received an unauthorized copy.

For editorial comments or questions, call 781/639-1872 or fax 781/639-2982. For renewal or subscription information, call customer service at 800/650-6787, fax 800/639-8511, or e-mail customerservice@hcpro.com. Visit our Web site at www.hcpro.com.

Occasionally, we make our subscriber list available to selected companies/vendors. If you do not wish to be included on this mailing list, please write to the Marketing Department at the address above.

Opinions expressed are not necessarily those of HIPAA Security & Privacy Staff Trainer. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions. HIPAA Security & Privacy Staff Trainer is not affiliated in any way with the Joint Commission on Accreditation of Healthcare Organizations.

17 RULES FOR DISCLOSING PHI WHEN LAW ENFORCEMENT OFFICIALS DON’T HAVE A COURT ORDER, SUBPOENA, OR WARRANT

Rule #1: Your Organization May Disclose PHI to Law Enforcement Officials Without the Patient’s Authorization When Your State or Other Law Requires It to Do So
From time to time, a state or other law (say, the Patriot Act) will require your organization to disclose PHI to law enforcement officials. This generally involves state laws that require reporting of certain wounds or injuries (say, gunshot wounds, stab wounds, or dog bites), child abuse or neglect, or domestic abuse. If your state has such a mandatory reporting law, your organization may disclose the patient’s PHI to law enforcement officials without getting the patient’s authorization to do so.
It may also, without getting the patient’s authorization, initiate disclosures of a patient’s PHI to law enforcement officials when required by
law to do so. It doesn’t have to be responding to law enforcement requests
for that PHI.
Example #1: XYZ Hospital treats Patient A for third degree burns. State law
requires health care organizations to report all burn victims to law enforcement
officials. Officer X shows up at XYZ’s emergency department and requests
Patient A’s PHI. XYZ Hospital may disclose Patient A’s PHI in response to Officer X’s request without getting the patient’s authorization to do so.
Example #2: Following a car accident, Patient A is treated at XYZ Hospital’s emergency department. Blood test results indicate that the patient was
intoxicated while driving his car. State law requires health care providers to
notify law enforcement when a patient’s blood tests indicate that the patient
was intoxicated while driving a car involved in an accident. XYZ Hospital
may initiate a disclosure of Patient A’s PHI to law enforcement officials
without getting the patient’s authorization to do so.
Trainer Says: Even though the HIPAA privacy regulations don’t require it,
your organization should get law enforcement officials to put requests for
patients’ PHI in writing, says health care attorney Kelly T. Hagan. At a minimum, it should document any oral requests made by law enforcement officials
for patients’ PHI, he suggests. Your organization should tell you its policies
and procedures for documenting requests from law enforcement officials.
Rule #2: If State or Other Law Permits, but Doesn’t Require, Your
Organization to Disclose PHI to Law Enforcement Officials,
You Must Get the Patient’s Authorization to Do So
What if your state or other law doesn’t require a health care organization to
disclose PHI to law enforcement officials but merely allows it to do so in
certain situations? Then, the HIPAA privacy regulations require your organization to first get the patient’s authorization. Otherwise, you must get other
legal documentation (like a court order, subpoena, or search warrant) from
an official before the disclosure.
Example: Following a car accident, Patient A is treated at XYZ Hospital.
Blood tests show that Patient A was driving while intoxicated. State law permits, but doesn’t require, health care providers to notify law enforcement about
blood tests indicating that a patient was intoxicated while driving a car involved
in an accident. Officer X is assigned to investigate the accident and requests
Patient A’s PHI, including his blood test results. XYZ Hospital must get Patient
A’s authorization to disclose his PHI to Officer X unless Officer X has a court
order or other legal document (say, a search warrant) authorizing the disclosure.
Rule #3: Except in Certain Circumstances, if the Patient Is a Crime
Victim, Your Organization Must Get the Patient’s Permission to
Disclose Her PHI in Response to a Law Enforcement Request
From time to time, a law enforcement official may come to your organization requesting the PHI of a patient who’s a crime victim or suspected of being a crime victim. If so, your organization needs the patient’s permission (either orally or in writing) to disclose her PHI in response to the request, except when: 1) the patient needs emergency treatment; 2) the patient is incapacitated (see Rule #4, below); or 3) state law requires the disclosure (see Rule #1). Similarly, the HIPAA privacy regulations don’t allow a health care organization to initiate disclosures about victims to law enforcement agencies without the patient’s permission unless the organization is required to do so by state law.
© 2004 by HCPro, Inc. Any reproduction is strictly prohibited. For more information call 800/650-6787 or visit www.hcmarketplace.com
Example #1: XYZ Hospital treats Patient A for a leg
injury suffered when someone tried to steal her purse. The
police ask the hospital for Patient A’s emergency room
record. XYZ Hospital must ask Patient A for her permission
to disclose her PHI to the police. For instance, the hospital
may say: “The police are investigating the robbery that
caused your injuries. As part of their investigation, the
police have asked us for your PHI. Do we have your permission to disclose your PHI to them?” If the patient says yes,
XYZ Hospital may disclose Patient A’s PHI to the police.
Your organization needn’t get the patient’s written
authorization before disclosing her PHI to law enforcement. It’s sufficient to get the patient’s agreement (either
orally or in writing) to make the disclosure to law enforcement, says Hagan.
Trainer Says: From time to time, a victim may also be
a fugitive or suspect. For example, a patient may get shot
while committing a robbery and seek treatment in a hospital emergency room. If so, your organization must follow
the rules for disclosing the PHI of a suspect, fugitive, witness, or missing person set out in Rule #5, below. And if
your organization suspects that a patient’s injuries are the
result of abuse, neglect, or domestic violence, it must follow the conditions set out in Rule #10.
Rule #4: In an Emergency or When the Patient Is
Incapacitated, Your Organization May Disclose
the PHI of a Patient Who’s a Crime Victim to
Law Enforcement Without the Patient’s
Authorization, if Certain Conditions Are Met
In certain circumstances, the HIPAA privacy regulations
allow your organization to disclose a patient’s PHI without
the patient’s authorization to do so in response to a law
enforcement official’s request, even though the patient is
or is suspected of being a crime victim. The first requirement for such a disclosure is that at the time the patient is
admitted to your facility, she is incapacitated or needs
emergency treatment. In addition, you may disclose the
patient’s PHI to law enforcement only if all three of the
following conditions are met:
1) The law enforcement official states that the PHI is
needed to determine if someone other than the patient has
committed a crime and that the PHI won’t be used against
the patient. For example, an elderly patient from a nursing
home is admitted to a hospital with suspicious injuries.
The local police investigating the injuries say that they
need the patient’s PHI to determine whether a crime was
committed against the patient.
2) The law enforcement official states that immediate
law enforcement activity depends on the disclosure, and
without it, law enforcement efforts will be adversely
affected. For example, law enforcement officials may not
be able to charge a suspect with a specific crime unless
they know the extent of the patient’s injuries.
3) Your organization determines, in the exercise of its
professional judgment, that the disclosure is in the best
interests of the patient. According to the comments to the
HIPAA privacy regulations, assessing the patient’s best
interests includes taking into account any further risk of
harm to the patient. For example, a patient is shot during a
robbery. It would be in the patient’s best interests to apprehend the person suspected in the shooting.
If the victim is also a fugitive or suspect, the HIPAA
privacy regulations require your organization to follow the
specific rules for disclosing the PHI of a suspect, fugitive,
witness, or missing person set out in Rule #5, below. And
if your organization suspects that the victim’s injuries are
the result of abuse, neglect, or domestic violence, it must
follow the conditions set out in Rule #10.
Trainer Says: Even though the HIPAA privacy regulations don’t require it, your organization should get the law
enforcement official’s request for a victim’s PHI in writing, says Hagan. Some law enforcement agencies (like the
Kansas Bureau of Investigation) have a form they use for
this purpose. For example, the form could say: “The victim’s PHI is needed to determine whether a violation of
law by a person other than the victim has occurred. The
victim’s PHI isn’t intended to be used against the victim.
Immediate law enforcement activity would be materially
and adversely affected by waiting until the victim is able to
agree to the disclosure. I believe that the disclosure is in
the victim’s best interests and may prevent further serious
harm to him or other potential crime victims.” Your organization should also document the factual basis and rationale
for its professional judgment that disclosure is in the
patient’s best interests, says Hagan. This may protect your
organization if the patient later complains, he says.
Rule #5: Your Organization Needn’t Get the Patient’s
Authorization to Disclose Limited PHI in
Response to a Request from Law Enforcement
to Identify or Locate a Suspect, Fugitive,
Witness, or Missing Person
The HIPAA privacy regulations allow your organization to disclose limited identifying PHI of a patient to law enforcement to aid their efforts to identify or locate a suspect, fugitive, witness, or missing person without getting the patient’s authorization. The request for the patient’s PHI must come from law enforcement. The HIPAA privacy regulations don’t authorize your organization to initiate the disclosure.
A health care organization may disclose only the following PHI for identification and location:
■ Name and address;
■ Date and place of birth;
■ Social Security number;
■ Blood type and Rh factor;
■ Type of injury;
■ Date and time of treatment;
■ Date and time of death; and
■ Description of distinguishing characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.
The regulations explicitly exclude any PHI related to a
patient’s DNA or a DNA analysis; dental records; or typing, samples or analysis of body fluids or tissues (unless
it’s one of the items listed above).
Example: A witness to a shooting tells police the time
of the shooting and that the perpetrator was also shot.
Law enforcement officials don’t know the perpetrator’s
identity and don’t have enough information to get a warrant. According to the comments to the HIPAA privacy
regulations, law enforcement officials have a legitimate
need to ask local emergency rooms whether anyone came
in with a bullet wound around the time of the shooting. So
a health care organization may disclose the limited PHI
listed above for the purpose of identifying the perpetrator,
according to the comments.
What’s a request by a law enforcement official or
agency? According to the comments to the HIPAA privacy regulations, a request by law enforcement officials
includes oral or written requests by individuals acting
on behalf of a law enforcement agency (say, a media
organization’s broadcasting a request on the evening
news for the public’s assistance in identifying a suspect).
It also includes “Wanted” posters, public announcements, and similar requests to the general public for
assistance in locating suspects, fugitives, witnesses,
or missing persons.
The HIPAA privacy regulations have special rules
for treating victims of abuse, neglect, or domestic violence. If a health care organization believes that a witness or missing person was a victim of abuse, neglect,
or domestic violence, it must follow the conditions set
out in Rule #10.
Rule #6: Your Organization Needn’t Get the Patient’s
Authorization to Disclose Limited PHI to Law
Enforcement Officials to Avoid a Serious
Threat to the Health or Safety of a Person or
the Public
Your organization doesn’t need the patient’s authorization
to disclose limited PHI to law enforcement officials if it
believes that the disclosure of the PHI is needed to avert a
serious and imminent threat to health or safety. But your
organization may disclose only the limited identifying PHI
that may also be disclosed about suspects, fugitives, witnesses, or missing persons (see Rule #5, above).
Before releasing the PHI, your organization must
believe that the disclosure is:
■ Necessary to prevent or lessen a serious or imminent
threat to the health or safety of a person or the public; and
■ Being made to a person or persons reasonably able to
prevent or lessen the threat, including the target of the threat.
Example: Patient A is treated at XYZ Hospital’s emergency room. He appears intoxicated and is ready to get
into a car and drive away. The law in XYZ Hospital’s state
permits, but doesn’t require, a health care provider to notify law enforcement if the provider is giving emergency
medical care to a person believed to be under the influence
of drugs or alcohol and that person is about to drive a car.
If XYZ Hospital believes that Patient A’s driving is a serious threat to public health or safety, it may disclose Patient
A’s PHI to law enforcement to prevent that threat without
getting the patient’s authorization.
Rule #7: If Your Organization Suspects that a Patient’s
Death Resulted from Criminal Activity, It
Needn’t Get Authorization from the Patient’s
Representative to Disclose PHI to Law
Enforcement Officials
If your organization suspects that a patient’s death may
have resulted from criminal activity (say, a homicide or
overdose of narcotics or illegal drugs), your organization
may disclose the patient’s PHI to law enforcement officials
to alert officials to the patient’s death. The comments to
the HIPAA privacy regulations point out that the patient
can’t authorize the disclosure and it may be difficult for a
health care organization to determine the identity of a
patient’s personal representative and get the representative’s authorization for the disclosure. Permitting disclosures allows law enforcement officials to begin their
investigation into the death more rapidly and increases the
likelihood of a resolution to the cause of death, according
to the comments to the HIPAA privacy regulations.
Example: Patient A is admitted to XYZ Hospital with multiple, suspicious bruises, and dies. The hospital suspects that the patient was beaten to death. XYZ Hospital may disclose Patient A’s PHI to law enforcement officials.
Rule #8: If Your Organization Suspects that a Crime
Has Been Committed at Its Facility, It Needn’t
Get the Patient’s Authorization to Disclose
PHI that It Believes Is Evidence of the Crime
If your health care organization suspects that a crime has
been committed on its premises, it doesn’t need to get a
patient’s authorization to disclose the patient’s PHI that it
believes, in good faith, is evidence of the crime. If it’s later
determined that your organization was wrong in its belief
that the PHI was evidence of a crime, it wouldn’t be subject to sanctions under the HIPAA privacy regulations,
according to the comments to the regulations.
Example: XYZ Pharmacy believes that Patient A’s prescription was altered, in violation of state law. The pharmacy reports the suspected crime to law enforcement and
discloses Patient A’s PHI. XYZ Pharmacy needn’t get
Patient A’s authorization before making the disclosure. If
XYZ Pharmacy was wrong in its belief that the PHI was
evidence of a crime, it wouldn’t be subject to sanctions
under the privacy regulations.
Rule #9: If Your Organization Delivers Off-Site
Emergency Services, It Needn’t Get a
Patient’s Authorization to Disclose PHI to
Report a Crime, if Certain Conditions Are Met
Suppose your health care organization provides emergency
medical care away from its facility (say, your hospital’s
paramedics treat victims at an accident scene). It may disclose PHI related to that treatment to law enforcement
officials without getting any authorizations. But it may do
so only if the disclosure appears necessary to alert law
enforcement to:
■ The commission and nature of a crime;
■ The location of a crime or its victim; and
■ The identity, description, and location of the suspect.
Health care providers (like emergency medical technicians) who respond to medical emergencies generally
arrive before police, firefighters, and other emergency
personnel. This puts them in the best position to alert
law enforcement about criminal activities, according to
the comments to the HIPAA privacy regulations. For
example, emergency personnel may be the first persons
aware that a patient has been the victim of a beating or
murder. They may also be in a position to report information that may immediately contribute to the perpetrator’s capture.
Example: XYZ Hospital sends a team of paramedics
to a house fire. At the scene, they begin treating a patient
with burns to his right arm. The patient hears police sirens
and runs away. When the police arrive, the paramedics
may tell police that they treated a possible witness to the
fire with burns to the right arm and that the person ran
away. They may also give a description of the person to
the police.
The HIPAA privacy regulations have special rules for
treating victims of abuse, neglect, or domestic violence. If
your organization believes that the medical emergency is
the result of abuse, neglect, or domestic violence of the
person in need of emergency medical care, it must follow
the conditions set out in Rule #10, below.
Trainer Says: Nothing in the privacy regulations
requires your organization to disclose PHI to law enforcement when responding to a medical emergency. Instead,
such disclosures are discretionary and subject to applicable
ethical standards and state laws.
Rule #10: Your Organization May Disclose the PHI of a
Victim of Abuse, Neglect, or Domestic
Violence, Under Certain Conditions
If your organization believes that a patient is or may be the
victim of abuse, neglect, or domestic violence, it may disclose her PHI to a government agency (including a law
enforcement agency) that’s authorized by law to receive
reports of abuse, neglect, or domestic violence. But disclosure is allowed only if one of the following conditions is met:
■ The disclosure is required by law;
■ The patient has agreed to the disclosure;
■ The health care organization is authorized by law to
disclose a victim’s PHI and the disclosure is necessary to
prevent serious harm to someone; or
■ The health care organization is authorized by law to
disclose a victim’s PHI, and the law enforcement agency
states both that the PHI won’t be used against the patient
and that law enforcement activity would be significantly
hindered by waiting to get the patient’s consent.
If your organization makes a disclosure of a patient’s
PHI to law enforcement, it must promptly inform the
patient (either orally or in writing) that the disclosure was
made, unless:
■ Informing the patient would place the patient at risk
of serious harm. According to the comments to the HIPAA
privacy regulations, this exception is necessary to address
the potential for future harm, either physical or emotional,
that the patient may face from knowing that a report has
been made to law enforcement officials; or
■ The health care organization would be informing the
patient’s personal representative who’s responsible for the
abuse, neglect, or domestic violence.
Rule #11: If a Patient Is in a Correctional Facility or
Custody of a Law Enforcement Official, Your
Organization May Disclose the Patient’s PHI
to the Facility or Official Without the Patient’s
Authorization, if Certain Conditions Are Met
If a patient is an inmate in a correctional facility or in the
custody of a law enforcement official, your organization
needn’t get the patient’s authorization to disclose his PHI
to that facility or the official having custody. But disclosure of the patient’s PHI is allowed only if the PHI is necessary for one of the following reasons:
■ To provide health care to the patient;
■ To protect the health and safety of the patient or
other inmates;
■ To protect the health and safety of officers, employees, or others at the correctional facility;
■ To protect the health and safety of the patient or persons responsible for transporting inmates;
■ To promote law enforcement on the premises of the
correctional facility; or
■ To maintain and administer safety, security, and good
order in the correctional facility.
The HIPAA privacy regulations say that a health care
organization may reasonably rely on the oral or written
statement of public officials (including law enforcement
officials) that disclosure of the patient’s PHI is necessary
for these purposes.
Example: Patient A is hurt while committing a crime.
She’s placed in police custody and is taken to XYZ Hospital for treatment. When Patient A leaves the hospital, a
police officer asks the hospital about her follow-up care.
XYZ Hospital may disclose to the officer the PHI necessary to provide health care to the patient (say, information
about any medications the patient needs to take and any
drug interactions to watch for).
Rule #12: Your Organization Must Verify a Law
Enforcement Official’s Identity
If a law enforcement official shows up at your organization requesting a patient’s PHI, you must verify that the
person requesting it is a legitimate law enforcement official. The HIPAA privacy regulations allow you to rely on
the following items to verify an official’s identity if the
request is made in person:
■ A law enforcement agency identification badge;
■ Other official credentials (say, a photo ID issued by a
law enforcement agency); or
■ Other proof of government status (say, a document
on the agency’s letterhead).
Example: To head off an imminent threat to the health
or safety of a person or the public, a federal agent asks
XYZ Hospital for Patient A’s PHI. Before disclosing
Patient A’s PHI, XYZ verifies the agent’s identity by asking to see his badge.
If the request is made in writing, the regulations allow
you to rely on the following items to verify the identity of
the law enforcement official:
■ A request made on the appropriate government letterhead (say, a request made on the letterhead of the local
police department);
■ A written statement on the appropriate government
letterhead that the person making the request is acting
under the government’s authority (say, a private investigator hired by a county health department to investigate an
alleged crime); or
■ Other evidence or documentation that confirms that
the person is acting on behalf of a law enforcement agency
(say, a contract for services).
Example: The state hires ABC Inc. to visit XYZ Pharmacy to go through its patient records and document evidence of prescription fraud. Before letting ABC Inc. see its
patients’ records, XYZ Pharmacy verifies ABC Inc.’s identity by asking for a copy of the contract between ABC Inc.
and the state.
Trainer Says: Your organization should tell you to document a law enforcement official’s identification and how
it wants you to do this. One method is to write down for
your organization’s records the name, title, division, badge
number, address, and telephone number of each official,
health care attorney A. James Johnston suggests.
Rule #13: Your Organization Must Verify a Law
Enforcement Official’s Authority
The HIPAA privacy regulations also require you to verify
the law enforcement official’s authority to request a
patient’s PHI. The regulations allow you to rely on the following items to verify an official’s authority to have access
to PHI when the official doesn’t have a warrant, subpoena,
or other legal document issued by a grand jury or a judicial or administrative tribunal:
■ A written statement provided on a government
agency letterhead that describes the legal authority under
which the PHI is requested (say, to conduct intelligence
activities under the National Security Act); or
■ If a written statement is impracticable (say, in an
emergency), an oral statement describing the official’s
legal authority. For example, police are searching for a
bank robber who was shot during a holdup. Soon after the
robbery, Patient A shows up at XYZ Hospital for treatment
of a gunshot wound. A police officer tells XYZ Hospital
that he’s looking for a bank robber who was shot at the
scene of the crime and asks XYZ Hospital if it has treated
any gunshot victims since the robbery. XYZ Hospital isn’t
required to demand written proof that the officer requesting the PHI is legally authorized to see Patient A’s PHI
before it can disclose the PHI to the officer, according to
the regulations’ preamble.
Rule #14: In General, Your Organization Must Account
for Disclosures of a Patient’s PHI Made in
Response to a Law Enforcement Request
In general, if a patient asks your organization for a written
accounting of disclosures of his PHI, the accounting must
include disclosures that your organization or its business
associates make to law enforcement officials.
Example: Patient A is unconscious when she arrives by
ambulance at XYZ Hospital’s emergency department. The
hospital believes that the patient is a victim of domestic
violence. State law allows a health care provider to report
suspected cases of abuse to the appropriate law enforcement agency without getting the patient’s authorization to
do so. XYZ Hospital uses its discretion to report the abuse
to the local police department. A few months later, the
patient asks XYZ Hospital for an accounting of all her
PHI disclosed in the past two years. XYZ Hospital’s
accounting to her must include its disclosure to the local
police department of its suspicions that she was abused.
But a health care organization doesn’t have to account
for all disclosures it or its business associates make of a
patient’s PHI at the request of a law enforcement official.
The HIPAA privacy regulations set out several exceptions
(see Rules #15 and #16, next page). They also set out certain situations in which an organization must temporarily
suspend a patient’s right to get an accounting of certain
disclosures (see Rule #17, below).
AT A GLANCE
17 Rules for Disclosing PHI to Law Enforcement Officials Who Don’t Have a Court Order, Subpoena, or Warrant
1. Your Organization May Disclose PHI to Law Enforcement Officials Without the Patient’s Authorization When Your State or Other Law Requires It to Do So
2. If State or Other Law Permits, but Doesn’t Require, Your Organization to Disclose PHI to Law Enforcement Officials, You Must Get the Patient’s Authorization to Do So
3. Except in Certain Circumstances, if the Patient Is a Crime Victim, Your Organization Must Get the Patient’s Permission to Disclose Her PHI in Response to a Law Enforcement Request
4. In an Emergency or When the Patient Is Incapacitated, Your Organization May Disclose the PHI of a Patient Who’s a Crime Victim to Law Enforcement Without the Patient’s Authorization, if Certain Conditions Are Met
5. Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI in Response to a Request from Law Enforcement to Identify or Locate a Suspect, Fugitive, Witness, or Missing Person
6. Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI to Law Enforcement Officials to Avoid a Serious Threat to the Health or Safety of a Person or the Public
7. If Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity, It Needn’t Get Authorization from the Patient’s Representative to Disclose PHI to Law Enforcement Officials
8. If Your Organization Suspects that a Crime Has Been Committed at Its Facility, It Needn’t Get the Patient’s Authorization to Disclose PHI that It Believes Is Evidence of the Crime
9. If Your Organization Delivers Off-Site Emergency Services, It Needn’t Get a Patient’s Authorization to Disclose PHI to Report a Crime, if Certain Conditions Are Met
10. Your Organization May Disclose the PHI of a Victim of Abuse, Neglect, or Domestic Violence, Under Certain Conditions
11. If a Patient Is in a Correctional Facility or Custody of a Law Enforcement Official, Your Organization May Disclose the Patient’s PHI to the Facility or Official Without the Patient’s Authorization, if Certain Conditions Are Met
12. Your Organization Must Verify a Law Enforcement Official’s Identity
13. Your Organization Must Verify a Law Enforcement Official’s Authority
14. In General, Your Organization Must Account for Disclosures of a Patient’s PHI Made in Response to a Law Enforcement Request
15. Your Organization Doesn’t Have to Account for PHI Disclosures It Makes to Authorized Federal Officials for Intelligence or National Security Purposes
16. Your Organization Doesn’t Have to Account for PHI Disclosures It Makes to Correctional Institutions or Law Enforcement Officials, in Certain Custodial Situations
17. Your Organization May Temporarily Suspend a Patient’s Right to Get an Accounting of PHI Disclosures to a Law Enforcement Official if the Official Asks Your Organization to Do So
Rule #15: Your Organization Doesn’t Have to Account
for PHI Disclosures It Makes to Authorized
Federal Officials for Intelligence or National
Security Purposes
A patient’s right to get an accounting of disclosures of his
PHI doesn’t include disclosures made to authorized federal
officials for intelligence and national security purposes. So
your organization doesn’t have to account for these disclosures. They include disclosures made to federal law
enforcement officials (say, FBI agents), as well as to any
other federal official authorized by law to carry out national security and intelligence functions.
Example: A federal agent goes to XYZ Hospital and
asks to see Patient A’s PHI. The agent states that the PHI is
needed for intelligence or national security purposes. The
hospital then discloses the patient’s PHI to the agent. A
short time later, the patient requests an accounting of the
hospital’s disclosures of his PHI. XYZ Hospital doesn’t
have to include the disclosure to the federal agent in the
accounting.
Your organization should keep track of such disclosures, even if it doesn’t have to give an accounting to the
patient, advises health care attorney Gretchen McBeath.
Rule #16: Your Organization Doesn’t Have to Account
for PHI Disclosures It Makes to Correctional
Institutions or Law Enforcement Officials, in
Certain Custodial Situations
If a patient is an inmate in a correctional facility or in the
custody of a law enforcement official, your organization
doesn’t have to account for disclosures of the patient’s PHI
to that facility or official having custody. This is so if the
disclosure is necessary for:
■ The provision of health care to the patient;
■ The health and safety of the patient or other inmates;
■ The health and safety of officers, employees, or others at the correctional facility;
■ The health and safety of the patient or persons
responsible for transporting inmates;
■ Law enforcement on the premises of the correctional
facility; or
■ The administration and maintenance of the safety,
security, and good order of the correctional facility.
Example: Patient A is treated at XYZ Hospital and is
discharged into police custody. Before leaving XYZ Hospital, Dr. X tells the police officer assigned to transport
Patient A that the patient has a concussion and must be
watched for the next 24 hours. If Patient A requests an
accounting of PHI disclosures, XYZ Hospital doesn’t have
to account for this disclosure to the police officer.
Rule #17: Your Organization May Temporarily Suspend
a Patient’s Right to Get an Accounting of PHI
Disclosures to a Law Enforcement Official if
the Official Asks Your Organization to Do So
If a law enforcement official requests it, your organization
may temporarily suspend a patient’s right to get an
accounting of disclosures to a law enforcement official.
A law enforcement official’s request to temporarily
suspend a patient’s right to an accounting of disclosures to
it can be oral or written. If the request is written, the official must state that an accounting to the patient would be
reasonably likely to impede the law enforcement agency’s
activities. It must also specify the time for which the suspension is required.
If the official makes an oral request for a temporary
suspension, your organization must:
■ Document the request, including the identity of the
official or agency making the statement;
■ Temporarily suspend the patient’s right to an
accounting of disclosures, subject to the request; and
■ Limit the temporary suspension to no longer than 30
days from the date of the oral statement unless a written
request is submitted during that time.
Your organization should spell out policies and procedures for you to follow on the handling of temporary
suspensions. ■
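As an added illustration (not part of the HCPro training material or any regulator's guidance), the accounting rules in Rules #14 through #17 expressed as a small Python filter: which logged disclosures a patient's accounting includes, which the Rule #15 and #16 exceptions leave out, and how an oral suspension request is capped at 30 days while a written one must state its time. The record types, field names, sample log, and the reading of a suspension as withholding disclosures to the requesting official are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Added example, not HCPro's code; record shapes below are assumptions.

@dataclass
class Disclosure:
    when: date
    recipient: str   # official or agency that received the PHI
    kind: str        # "law_enforcement", "federal_intel" or "custodial"
    what: str        # short description of the PHI disclosed

@dataclass
class Suspension:
    official: str    # identity of the requesting official or agency
    asked_on: date
    written: bool
    days: Optional[int] = None   # a written request must state the time

def suspension_end(s: Suspension) -> date:
    """Last day of the suspension (Rule #17): a written request must
    specify the time; an oral request is capped at 30 days from the
    oral statement unless a written request follows."""
    if s.written:
        if s.days is None:
            raise ValueError("written request must specify the time")
        return s.asked_on + timedelta(days=s.days)
    return s.asked_on + timedelta(days=30)

def exempt(d: Disclosure) -> bool:
    """Rule #15 (federal intelligence/national security) and Rule #16
    (custodial situations) disclosures stay out of the accounting."""
    return d.kind in ("federal_intel", "custodial")

def accounting(disclosures, start: date, as_of: date, suspensions=()):
    """Disclosures a patient asking on `as_of` for the period from
    `start` is entitled to see (Rule #14), minus exempt ones and those
    to an official whose suspension still runs on `as_of` (assumed)."""
    hidden = {s.official for s in suspensions
              if s.asked_on <= as_of <= suspension_end(s)}
    return [d for d in disclosures
            if start <= d.when <= as_of
            and not exempt(d) and d.recipient not in hidden]

LOG = [  # constructed sample log, not real data
    Disclosure(date(2004, 3, 1), "local police", "law_enforcement", "abuse report"),
    Disclosure(date(2004, 5, 10), "federal agent", "federal_intel", "security request"),
    Disclosure(date(2004, 9, 2), "transport officer", "custodial", "concussion warning"),
    Disclosure(date(2004, 10, 4), "narcotics squad", "law_enforcement", "death alert"),
]
ORAL = Suspension("narcotics squad", date(2004, 10, 5), written=False)
```

With the oral request above, an accounting requested on Nov. 1, 2004 lists only the March report to the local police; one requested after Nov. 4 also lists the narcotics squad disclosure, while the federal and custodial entries never appear.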
TRAINER RESOURCES
Kelly T. Hagan, Esq.: Schwabe, Williamson & Wyatt, PC, 1211 SW
5th Ave., Ste. 1800, Portland, OR 97204; [email protected].
A. James Johnston, Esq.: Post & Schell, PC, 1800 JFK Blvd.,
19th Fl., Philadelphia, PA 19103; [email protected].
Gretchen McBeath, Esq.: Bricker & Eckler LLP, 100 S. 3rd St.,
Columbus, OH 43215.
TRAINER’S QUIZ
We’ve given you an overview of how a health care organization may disclose PHI to law enforcement officials
who don’t have a court order, subpoena, or warrant. Now let’s see if you can apply these 17 rules to real-life
situations that health care organizations like yours are likely to encounter. The TRAINER’s Quiz, below, will
give you an opportunity to test your knowledge. Take it, and see how well you do.
INSTRUCTIONS: Analyze the questions below according to the 17 rules for disclosing PHI to law
enforcement officials who don’t have a court order, subpoena, or warrant. Circle the answer you think is right.
The correct answers (with explanations) appear after the quiz. Good luck!
QUESTION #1
Patient A spills hot tea and burns her hand. She’s treated at XYZ Hospital and released. State law permits, but doesn’t require, health care organizations to report all burn injuries. True or false: The HIPAA privacy regulations require XYZ Hospital to get Patient A’s authorization before disclosing her PHI to local law enforcement officials.
a. True.
b. False.
QUESTION #2
Patient A is hurt when her purse is snatched. She drives herself to XYZ Hospital for treatment of an open wound on her leg. Officer X, who’s investigating the purse snatching, asks XYZ Hospital to show him Patient A’s medical record. XYZ Hospital determines that Patient A’s wound isn’t an emergency treatment situation. True or false: The HIPAA privacy regulations require XYZ Hospital to get Patient A’s permission before disclosing her PHI to Officer X.
a. True.
b. False.
QUESTION #3
Patient A is treated at XYZ Hospital for a dog bite. State law requires health care organizations to report all injuries from dog bites. A local animal enforcement officer asks XYZ Hospital for Patient A’s PHI. True or false: The HIPAA privacy regulations require XYZ Hospital to get Patient A’s authorization before disclosing her PHI to the animal enforcement officer.
a. True.
b. False.
QUESTION #4
The local evening news displays a photo of a suspected bank robber and asks the public’s help in capturing the suspect. Nurse X recognizes the photo as Patient A. She calls the local police department to say that Patient A resembles the photo. She also tells the police that Patient A was treated at the hospital earlier that day and was later admitted to the facility. True or false: The HIPAA privacy regulations require Nurse X to get the patient’s authorization before disclosing his PHI to the local police department.
a. True.
b. False.
QUESTION #5
Patient A is brought to XYZ Hospital’s emergency room by his girlfriend and later dies. XYZ Hospital believes the death was the result of a drug overdose. So it alerts the local police department’s narcotics squad to Patient A’s death. True or false: The HIPAA privacy regulations require XYZ Hospital to get authorization from Patient A’s personal representative before it can disclose his PHI to the narcotics squad.
a. True.
b. False.
TRAINER’S ANSWERS & EXPLANATIONS
QUESTION #1
Correct answer: a
Reason: Rule #2 applies here.
Rule #2: If State or Other Law Permits, but Doesn’t Require, Your Organization to Disclose PHI to Law Enforcement Officials, You Must Get the Patient’s Authorization to Do So
Because the state permits, but doesn’t require, health care organizations to report burn injuries, XYZ Hospital may not disclose Patient A’s PHI to law enforcement officials without getting the patient’s authorization to do so.
Wrong answer explained:
b. As explained above, a health care organization (like XYZ Hospital, here) may not disclose a patient’s PHI to a law enforcement official when not required by state law to do so.
QUESTION #2
Correct answer: a
Reason: Rule #3 applies here.
Rule #3: Except in Certain Circumstances, if the Patient Is a Crime Victim, Your Organization Must Get the Patient’s Permission to Disclose Her PHI in Response to a Law Enforcement Request
A health care organization must get a crime victim’s permission (either orally or in writing) to disclose her PHI in response to a law enforcement request for the patient’s PHI, except in certain emergency situations or when the patient is incapacitated.
Wrong answer explained:
b. As explained above, a health care organization (like XYZ Hospital, here) needs a crime victim’s permission to disclose her PHI to a law enforcement official.
QUESTION #3
Correct answer: b
Reason: Rule #1 applies here.
Rule #1: Your Organization May Disclose PHI to Law Enforcement Officials Without the Patient’s Authorization When Your State or Other Law Requires It to Do So
Because state law requires health care organizations to report dog bite injuries, XYZ Hospital may disclose Patient A’s PHI to the animal control officer without getting the patient’s authorization to do so.
Wrong answer explained:
a. As explained above, a health care organization (like XYZ Hospital, here) may disclose a patient’s PHI to a law enforcement official (like the animal enforcement officer, here) when required by state law to do so.
QUESTION #4
Correct answer: b
Reason: Rule #5 applies here.
Rule #5: Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI in Response to a Request from Law Enforcement to Identify or Locate a Suspect, Fugitive, Witness, or Missing Person
The HIPAA privacy regulations let a health care organization disclose a patient’s PHI to a law enforcement official in response to a request from law enforcement to identify a missing suspect. A request by law enforcement officials includes a media broadcast (like the evening news, here) asking for the public’s assistance in identifying a suspect (like Patient A, here). So Nurse X wasn’t required to get Patient A’s authorization before disclosing his PHI to the local police department in response to the broadcast.
Wrong answer explained:
a. As explained above, a health care provider (like Nurse X, here) may disclose a patient’s PHI to a law enforcement official in response to a media broadcast for the public’s assistance in identifying a suspected criminal.
QUESTION #5
Correct answer: b
Reason: Rule #7 applies here.
Rule #7: If Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity, It Needn’t Get Authorization from the Patient’s Representative to Disclose PHI to Law Enforcement Officials
Because XYZ Hospital suspects that Patient A’s death may have resulted from criminal activity (like the drug overdose, here), it may disclose his PHI to law enforcement officials (like the narcotics squad, here) for the purpose of alerting the officials to the patient’s death. XYZ Hospital needn’t get an authorization from the deceased patient’s personal representative to do so.
Wrong answer explained:
a. As explained above, a health care organization (like XYZ Hospital, here) that suspects that a patient’s death may have been caused by criminal activity may disclose the patient’s PHI to alert law enforcement officials to the patient’s death.