HIPAA, PHI, and Law Enforcement in 2023

When can you share protected health information (PHI) with law enforcement? There are certain circumstances when the law allows you to share PHI. You should always keep the “minimum necessary” rule in mind whenever you are giving out information.

New HIPAA rules proposed by Health and Human Services (HHS). On April 11, 2023, the HHS published a notice on upcoming new rules to add greater protection to reproductive health care because of new state laws passed due to the outcome of the Supreme Court ruling on Roe v. Wade. As quickly as we can, TMC will notify you of the changes after the new rules are published. These rules will likely impact the rights for release of health information or PHI under HIPAA to law enforcement when the information includes reproductive issues, such as pregnancy.

Coroners/medical examiners: Information needed to identify a body or determine cause of death can be sent to the coroner or medical examiner on request. We recommend that you get the request in writing on their letterhead. You can send the information in any secure manner such as fax, encrypted email, hand-delivery, or pick up by a representative from the coroner’s office or by a law enforcement officer. You cannot send it via a family member of the deceased as this destroys the chain of custody for the data. US mail, while considered secure, is usually not fast enough for the coroner’s needs.

Subpoenas: There are different kinds of subpoenas, and they all have one thing in common: you must respond. You can be sure that your patient has been notified of the subpoena if you have a judge-signed subpoena, an authorization signed by the patient, or an attorney signed document that states this process has already happened. You can even call and talk to your patient and document this. If your patient does not want you to respond to the subpoena, the patient must provide a court order to block the subpoena.

Active investigation: If the police have an active investigation, they can request information from you. They are NOT allowed to search your records to find information to open an investigation. You can verify this by asking them to sign a request that they give the following information:

• The case number
• The specific kind of information they want (DNA information requires a court order)
• The officer’s signature, name, rank, and badge number
• Whether the disclosure needs to be withheld from the patient. (In order to protect the integrity of an active investigation, law enforcement can request that patients are not notified of a PHI disclosure until a specified end date or event such as when the case is closed. Otherwise, it goes on an accounting of disclosures log in the patient’s file.)

Crime on premises: If a crime has occurred on your premises you are allowed to report it to the police and give them information to confirm the crime.

Avert a serious and imminent threat to the health and safety of an individual or the public: You can report to the police if you believe that someone poses a serious and immediate threat. This includes reporting someone who you know has escaped from lawful custody.

Correctional institutes: You can provide information to the correctional institute that is necessary for the health and safety of the inmate as well as the prison’s personnel.

As with all disclosures, the doctor can decide to not release information if they feel it would endanger the health and safety of an individual. Only the doctor can make this determination and they may be required to appear before a judge to defend that decision.