Practice Management

When Should You Disclose PHI to Law Enforcement?

Follow these HIPAA regulations to make sure you are in compliance

Police officer and investigator review documents

Imagine a police officer walks into your clinic insisting that you provide her with information about a patient. What should you do?

HIPAA privacy rules permit certain disclosures of patient health information (PHI) for specific law enforcement purposes. The exact regulations are available on the U.S. Department of Health & Human Services website. In general, HIPAA allows for PHI disclosures to law enforcement in the following situations:

  • If there is a court order, warrant, subpoena, or other administrative request.
  • To identify or locate a suspect, fugitive, material witness, or missing person. (Limited to name, address, date and place of birth, Social Security number, ABO blood type and Rh factor, injury type, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics.)
  • To provide PHI about a crime victim (with the victim’s consent). If it is an emergency or the individual lacks capacity to consent, physicians can disclose PHI in certain circumstances when it is in the best interest of the patient to do so.
  • Child abuse or neglect does not require the patient’s agreement.
  • Adult abuse, neglect, or domestic violence may be reported to law enforcement if the patient agrees, if the report is required by law, or if a report is necessary to prevent serious harm (based on the professional judgment of the clinician).
  • If there is evidence of a crime on the provider’s premises or if there is evidence of criminal activity at an off-site medical emergency
  • To avert harm, to identify an individual who has escaped from lawful custody, and for certain other specialized governmental law enforcement purposes.

Gerold DeLoss, head of the Healthcare Practice Group at Gozdecki, Del Giudice, Americus, Farkas & Brocato LLP, a law firm in Chicago, IL, provides additional guidance on this topic.

  • Contact your legal counsel. “Unless it’s an emergency, there is no need to respond to the request right then and there,” DeLoss advises. “If it’s a circumstance where there’s a grave and imminent danger to an individual, the physician can exercise professional judgment to determine if it makes sense to release that information.”
  • Release only the minimum information necessary. The No. 1 mistake clinicians make is releasing too much PHI, DeLoss says. “Having received a warrant or subpoena, the practice or physician should determine whether the request is focused, reasonable, and specific and that de-identified information would not be sufficient,” DeLoss adds.
  • Document the incident. This is especially important in emergency situations when health care providers do not have time to consult legal counsel and the law enforcement request falls outside of clear-cut HIPAA rules.

Check out recent practice management articles: 

Prescribing Benzodiazepines: Weighing the Risks and Benefits

Informed Refusal—What You Need to Know