Healthcare facilities have to be very careful when releasing patient information, even when that information is going to law enforcement agencies.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule outlines very specific cases when a hospital is permitted to release protected health information (PHI) without a patient’s written consent. Even in some of those situations, the type of information allowed to be released is severely limited.
For starters, a hospital can release patient information to a law enforcement official when the details are used for the identification and location of a suspect, fugitive, material witness or missing person.
It may also release patient information about a person suspected of a crime when the accuser is a member of the hospital workforce, or to identify a patient who has admitted to committing a violent crime, as long as the admission was not made during or because of the patient’s request for therapy, counseling or treatment related to the crime.
In those cases, the following information is all that can be released by a covered entity:
- Name and address
- Date and place of birth
- Social Security Number
- ABO blood type and Rh factor
- Type of injury
- Date and time of treatment
- Date and time of death, if applicable
- Description of distinguishing physical characteristics including height, weight, gender, race, hair/eye color, facial hair, scars or tattoos
Additional information can be released by a hospital to comply with a court order, subpoena or summons issued by a judicial officer or grand jury; or to respond to an administrative subpoena or investigative demand if that demand comes with a written statement that the patient information is relevant and limited in scope.
Other provisions of the HIPAA Privacy Rule that allow hospitals to disclose PHI are listed below.
1. To alert law enforcement of the death of an individual.
2. To report evidence of a crime that occurred on the hospital’s premises.
3. When responding to an off-site emergency to alert law enforcement of criminal activity.
4. For some specialized law enforcement purposes including national security activities under the National Security Act; to help protect the President; or to respond to a request from a correctional institution or law enforcement official that has custody of an inmate in certain circumstances.
Hospital employees must verify that a person is a law enforcement official, either by viewing a badge or by having the request faxed on official letterhead.
HIPAA has different requirements for phone requests for information about a patient’s condition or location in the hospital.
Overall, hospitals should craft their own policies for employees to follow based on HIPAA regulations and state laws.
Read more about PHI disclosures to law enforcement at the U.S. Department of Health and Human Services’ website.