HIPAA Compliance Strategies

Featured Health Business Daily Story May 12, 2008

HIPAA Covered Entities Still Wrestle With Questions About When to Release Patient Information to Law Enforcement

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

More than five years after the HIPAA privacy rule took effect, covered entities (CEs) are still seeking easy and effective methods for dealing with law enforcement officials who request PHI, as evidenced by what Greg Young went through after he was interviewed for an RPP article in August 2007 and commented on a listserv.

More than 50 staff members from CEs across the country contacted Young for a copy of his policy on dealing with law enforcement. Young, a former police detective and current privacy and security officer at Mammoth Hospital in Mammoth Lakes, Calif., created the policy (along with a form for officers to fill out) to help hospital staff members deal with overzealous officers who are requesting patient information.

"I heard stories from ER nurses where cops were being overbearing. We understand their perspective and their need to get information," he says. "HIPAA allows for an exchange of information. All I did was take HIPAA language and develop a form around it….It allows for [officers] to get basic information to make sure that the person they're looking for is in our hospital." The policy summarizes requirements on "disclosures for law enforcement purposes" at C.F.R. 164.512(f).

Almost two years after the policy was put in place, Young says both sides are happy with it. "The [law enforcement] officials were really grateful. They were glad to have a tool so that they can walk into the ER and say, 'I think you have a patient by this name,' and hospital personnel can comply. It's fast and easy," he says.

The policy also protects the police department if the investigation leads to an arrest and officers have done everything correctly by law, Young points out. "All the information that they go from can be used in court. But if they barge in…and violate HIPAA to acquire information, it can't be used," he says. Also, by using the form and getting cooperation from the hospital quickly, officers might find out that the person they're looking for isn't at the facility and won't waste any more time there, he adds.

Young says he sees participants on privacy listservs who are overanalyzing situations. "If there is criminal conduct taking place, don't hesitate — get the cops there. Worry about the HIPAA stuff later," he says. For example, if visitors come in to see a patient who is in a gang, and a person from a rival gang comes in to "finish the job" on the patient or rough someone up, "you need to get the cops in there and take care of things," he says.

Education Can Help

Chicago attorney Brian Annulis says a few of his clients have called him with some stories about law enforcement officials who don't seem to know much about HIPAA or take it into account. "In their mind, the law enforcement officials were seeking information that was other than what is permitted under HIPAA," he says.

In one situation, law enforcement officials asked the CE to notify them any time someone came to the emergency department with drug paraphernalia. The hospital explained that it is not a police agent, so that wasn't its job. "You have to have a situation in which a patient feels comfortable enough to come in and doesn't feel that he or she is going to be arrested on the spot. The hospital [staff] said they would not hide the paraphernalia, but that they would not be a snitch," says Annulis, who is with Katten Muchin Rosenman LLP.

Another request was more traditional, but still posed a problem, Annulis tells RPP. Officials were seeking information on a person they had in custody who was not a current patient at the facility. "They were just requesting the records….They might have been entitled to the information, but still had to go through the correct channels" via a subpoena or court order, he says.

One resolution to these types of situations came through the CE's in-house counsel who "called the state and said that they were not trying to be difficult or uncooperative, but that they had to comply with this law," says Annulis. The CE addressed the request that was immediately before it and worked with the officials on a plan to deal with future requests. "It was partly by education and was partly through an agreement with the state's attorney's office," he says.

Not All Requestors Are Cops

But not all law enforcement officials are those who carry badges and guns, and some CEs might get confused about whether they can provide information. "Law enforcement encompasses more than just police officers," says Minneapolis attorney Jud DeLoss, who is with Gray Plant Mooty.

DeLoss wrote an opinion letter about a case in which a state board of nursing (BON) sought the medical records of a nurse who was under investigation. The easiest way to obtain the records would be to have the nurse authorize the disclosure. Many refuse to do that, so health oversight agencies try to use 164.512(d), which allows CEs to disclose information to agencies that are conducting audits; civil, administrative, or criminal investigations; licensure or disciplinary actions; etc.

But "this is an area that is troublesome for licensing agencies because 164.512(d) is not applicable when the individual is the subject of the investigation," DeLoss tells RPP. Instead, if the disclosure is not directly related to receipt of care, a claim for public health benefits or qualification for those benefits, the BON should use 164.512(f) to obtain the information, DeLoss wrote in the opinion.

"At the outset it should be noted that a covered entity may disclose PHI as permitted by and in accordance with any one of the paragraphs set forth under section 164.512, regardless of whether that disclosure would fail to meet a requirement for disclosure under a different paragraph in section 164.512," he wrote. "Under [164.512(f)(1)(ii)(C)], a covered entity may disclose PHI in compliance with and as limited by the relevant requirements of a court order, court-ordered warrant, a subpoena, or a summons issued by a judicial officer….In addition, the covered entity may disclose PHI pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process."

DeLoss also points out in the opinion that a law enforcement official under 164.512(f) means any agency of the federal government, state governments, territories or political subdivision of a state or territory. "I will defer to BON on the authority it possesses to investigate and prosecute violations by its nurse members," DeLoss said.

There also is a three-part test in subparagraphs (1) through (3) of 164.512(f) that CEs can do to determine if a disclosure is proper, DeLoss adds. "This three-part test was designed to prove that the agency's interest in the PHI is sufficiently important to overcome the individual's privacy interest." According to the test, a request must (1) be relevant to a legitimate law enforcement inquire, (2) be "specific and limited in scope to the extent reasonably practicable in light of the purpose for which it is sought," and (3) be de-identified so information could not be used.

If a subpoena or other administrative request says that it passes the three-part test, it's not necessary for a CE to perform its own test, DeLoss added.

Advertise With AIS

Privacy

Site Map