
Could Your Patient Be “Wanted?” Taking Action Under HIPAA

News and media alerts often convey law enforcement officials’ requests for information about the identity of a suspected criminal. With the increasing rigor of HIPAA enforcement activity by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and the recent uptick in privacy litigation, health care providers are often hesitant to share health information about their patients when presented with this unusual circumstance. But it is important to remember that the HIPAA Privacy Rule does not create inordinate barriers to the disclosure of protected health information (PHI) in situations where the release of such information is vital to ensuring public safety.

As OCR observes in its guidance on disclosures to law enforcement, the Privacy Rule balances patients’ interest in privacy with the need for effective law enforcement. To that end, the Privacy Rule permits a HIPAA covered entity to disclose PHI without patient authorization for various law enforcement purposes, such as to comply with court orders, subpoenas, and administrative requests, respond to requests about crime victims and criminal suspects, and report abuse, neglect, and certain criminal activities.

If a covered entity sees such a news report and believes one of its patients fits the suspect’s profile, then the Privacy Rule permits the covered entity to share limited information about the patient with law enforcement officials without the patient’s authorization. In particular, the Privacy Rule states that “a covered entity may disclose [PHI] in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.”[1]

Under such circumstances, the request from law enforcement need not be directed specifically to the covered entity. The law enforcement request may take the form of a general request to the public, and the request may be issued through the media. Moreover, the law enforcement request need not be in writing. In its commentary to the 2000 Final Privacy Rule, OCR explained:
We clarify our intent not to allow covered entities to initiate disclosures of limited identifying information to law enforcement in the absence of a law enforcement request; a covered entity may disclose protected health information under this provision only in response to a request from law enforcement. We allow a “law enforcement official’s request” to be made orally or in writing, and we intend for it to include requests by a person acting on behalf of law enforcement, for example, requests by a media organization making a television or radio announcement seeking the public’s assistance in identifying a suspect. Such a request also may include a “Wanted” poster and similar postings.[2]

If a covered entity chooses to report a patient to law enforcement officials as a possible criminal suspect, it must ensure that the identifying information it shares is limited in scope.[3] Namely, the covered entity may disclose only the following facts about the suspect to law enforcement officials: name and address; date and place of birth; Social Security number; ABO blood type and Rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and a description of the patient’s distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos.[4] The covered entity cannot share information related to the suspect’s DNA or DNA analysis, dental records, or samples or analysis of body fluids or tissue.[5] Nor may the covered entity disclose specific clinical or diagnostic information to law enforcement officials, aside from the general types of injuries the suspect may have experienced.
A covered entity should also remember to document such a disclosure to law enforcement officials in its accounting of disclosures of the patient’s PHI, unless law enforcement officials provide the covered entity with a written statement that an accounting to the patient would be reasonably likely to impede law enforcement activities and specifying the time period for which such an accounting cannot be provided to the patient.[6]

Accordingly, a covered entity may report limited PHI about potential criminal suspects to the local police or other law enforcement agencies in response to a request relayed by news outlets without running afoul of the HIPAA Privacy Rule.[7] OCR recognizes that certain disclosures of patient information are necessary for law enforcement operations to function smoothly and has acknowledged that “when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a [suspect], the invasion of privacy would be outweighed by the public interest.”[8]

For more information on HIPAA privacy law, contact Sherry Fabina-Abney or another member of our HIPAA Privacy and Security team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 
[1] See 45 C.F.R. § 164.512(f)(2).
[2] See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462, 82531 (December 28, 2000).
[3] A workforce member who has a suspicion that a patient may be a criminal suspect is advised to confer with the covered entity’s privacy officer or in-house legal department prior to discussing the patient’s information with law enforcement officials.
[4] See 45 C.F.R. § 164.512(f)(2)(i).
[5] See 45 C.F.R. § 164.512(f)(2)(ii).
[6] See 45 C.F.R. § 164.528(a).
[7] Nevertheless, a covered entity should evaluate whether such a disclosure to law enforcement is permitted under applicable state laws, which may contain more stringent requirements than the HIPAA Privacy Rule. Further, health care providers with federally-assisted drug and alcohol abuse programs (i.e., “Part 2” programs) should consider whether such a disclosure to law enforcement about a patient who receives treatment for substance abuse is consistent with the Confidentiality of Alcohol and Drug Abuse Patient Records regulations at 42 C.F.R. Part 2.
[8] See Standards for Privacy of Individually Identifiable Health Information; Proposed Rule, 64 Fed. Reg. 59918, 59962 (November 3, 1999).