How to respond to patient information requests

A common scene: Law enforcement has entered your building and is demanding lab records on your patient. Common question: Do you release or not release? This issue can come up in just about any healthcare setting. Each situation is so fact-specific that simple guidelines do not necessarily apply, but don’t just hand over records to law enforcement. Procedural due process requirements exist that must be met, and law enforcement must show they have the authority to obtain the records. Still, it is not uncommon for a healthcare worker to be threatened with immediate arrest for failure to comply.

Whether you are a covered entity (CE) or a business associate (BA), a clear understanding of when to release and when to deny or require patient consent or a court order is crucial. This issue continues to be misunderstood by law enforcement agents and can be intimidating to providers, despite the governing Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), federal (alcohol/drug abuse) and state (mental health) laws.

Law enforcement’s mission to “investigate/solve” a crime can often cause confusion and obscure the hospital’s need to protect a patient’s protected health information (PHI). Disclosure in these circumstances is hard to contain because the law enforcement agent may go directly to a patient care area and ask the unit staff for access, bypassing health information management staff who know the laws, thereby exposing the organization to an unauthorized disclosure and HIPAA breach.

Under 45 CFR 164.512(f) of the HIPAA Privacy Rule, disclosure to law enforcement agents (police, probation/parole officer, detective) requires written patient consent or a court order issued by a judicial officer for access to PHI, except in the following circumstances:

  • A valid court order, warrant, subpoena, or administrative process. (45 CFR § 164.512(f)(1)(ii)).
  • To avert imminent harm that threatens the health or safety of an individual or the public (45 CFR § 164.512(j)(1)(i)).
  • As required by law such as reporting child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult/elder abuse)).
  • To help identify or locate a suspect, fugitive, material witness or missing person, but only limited information may be disclosed (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a “wanted” poster or bulletin.
  • Victim of a crime (45 CFR § 164.512(f)(3)).
  • Death resulting from a crime (45 CFR § 164.512(f)(4)).
  • Crime on premises (45 CFR § 164.512(f)(5)).
  • Crime away from premises (45 CFR § 164.512(f)(6)).
  • Report by victim (45 CFR § 164.502(j)(2)).
  • Admission of violent crime (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  • To locate a known fugitive (45 CFR § 164.512(j)(1)(ii)(B)).
  • Prisoners (45 CFR § 164.512(k)(5)).
  • Medical examiners and coroners (45 CFR § 164.512(g)(1)).

The PHI that may be disclosed in each of these circumstances is limited to the minimum necessary (name/address, DOB, SS#, blood type, type of injury, date/time of treatment or death, description of distinguishing physical characteristics) to address the issue.

The health care entity must exercise due diligence in ensuring both the officer and the request for information are legitimate, and file a copy of all paperwork provided in the patient’s medical record to document all actions taken in compliance with the request. As a best practice, refer such requests for internal legal review to validate the proper procedure to follow. Finally, the nuances of this particular issue speak to the need for CEs to provide continuous education for all hospital workers specific to the process for releasing PHI.

Common requests for PHI without patient consent or court order:
  • Blood/alcohol level
    • (No: need a court order; no material harm to case).
  • Detective brings a subpoena issued/signed by the police chief for access to “alleged perpetrator’s” medical record.
    • Do not release without an order issued by a judicial/court officer or the patient’s consent.
  • State Police want to review behavioral health medical record of patient to determine if the patient was competent at the time of the “alleged” crime before charging for the crime.
    • Do not release – this is a “material issue” that must be decided by the MD and courts (unless a “competent” patient provides consent).

Footnote 1. A CE providing emergency health care in response to a medical emergency, other than such emergency on the premises of the CE, may disclose protected health information to law enforcement if necessary to alert law enforcement to the commission and nature of a crime, the location of such crime or of the victim(s) of such crime, and the identity, description, and location of the perpetrator of such crime.

For more information on protected health information, please contact Linda at 781-272-8001.
