Protecting Patient's Information and Cooperating with Law Enforcement

Southfield, MI, Michigan

April 9, 2013


The Health Insurance Portability and Accountability Act (HIPAA) went into effect almost ten years ago. Still, it is not uncommon to receive requests from law enforcement for patient’s protected health information (PHI) that you, as a covered entity are unable to provide. However, there are circumstances when disclosing PHI to law enforcement is allowed under HIPAA. As a covered entity, or an organization that must comply with the law, you need to be prepared to respond to these requests.
If you don’t already have a policy, you’ll want to put one into place. Health and Human Services offers a wealth of information through the Frequently Asked Questions (FAQ’s) on their website. This topic has multiple FAQ’s and can be found here.
HIPAA permits covered entities to disclose PHI to law enforcement officials without written authorization under certain circumstances. Some of the more common requests are:
  • To comply with a court order or court ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. Note that a request from a law office is not the same as a court ordered subpoena. 
  • To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, HIPAA requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material specific and limited in scope, and de-identified information cannot be used. 
  • To respond to a request for PHI for the purposes of identifying or locating a suspect, fugitive, material witness or missing person 
  • To identify a suspected perpetrator of a crime when the report is made by the victim who is a member of your workforce 
  • To identify or apprehend an individual who has admitted to participation in a violent crime. 
  • Child abuse or neglect may be disclosed to law enforcement officials authorized by law to receive such reports, if the individual agrees or it is required by law.
  • To alert law enforcement officers to the death of the patient, when there is a suspicion that death resulted from criminal conduct.
  • When reporting to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime. 
  • Covered entities must limit disclosures of PHI to name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, etc. cannot be disclosed without a court order, warrant, or other request as allowed by HIPAA.
It is a common misconception by employees that if they are approached by a police officer or other investigator, that it is acceptable to share an unlimited amount of PHI. In fact, some police officers believe that they are entitled to an unlimited amount of PHI and can be quite convincing. A written policy, trained employees, and open communication is the best way to maintain a positive working relationship with our law enforcement partners.