Disclosures of Protected Health Information to Law Enforcement
45 CFR Part 164, 42 CFR Part 2

TABLE OF CONTENTS:
I. REQUIRED REPORTING BY PROVIDERS
II. PERMITTED REPORTING BY PROVIDERS
III. REQUESTS FROM LAW ENFORCEMENT for Directory Information
IV. REQUESTS FROM LAW ENFORCEMENT for Additional Information
B. Grounds for requested disclosure
V. ACCOUNTING OF DISCLOSURES - REQUEST FOR SUSPENSION
APPENDIX: Restrictions on Law Enforcement Access to Patient Records Held by Federally Assisted Alcohol and Substance Abuse Treatment Programs

I. REQUIRED REPORTING BY PROVIDERS. HIPAA does not change mandatory reporting requirements for health care providers as contained in state statutes. These statutes include:
A. Injuries arising from violent or criminal acts (Utah Code Ann. 26-23a-2);
B. Child abuse (62A-4a-403), including domestic violence in presence of child (76-5-109.1);
C. Elder/vulnerable adult abuse (62A-3-305);
D. Therapist’s duty to warn (78-14a-102);
E. Bioterrorism (26-23b-103) (report made to Department of Health or local health department).

II. PERMITTED REPORTING BY PROVIDERS. HIPAA permits – but does not require – health care providers to disclose information, in good faith and in accordance with applicable law and standards of ethical disclosure, under the following circumstances:
A. Crime against provider’s workforce member. 45 CFR 164.502(j)(2).
B. Whistleblower. 164.502(j)(1).
C. Decedent (if suspicion that death resulted from criminal conduct). 164.512(f)(4).
D. Crime on provider’s premises. 164.512(f)(5).
E. Crime off provider’s premises when emergency health care is given in response to a medical emergency. 164.512(f)(6).
F. Information necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. 164.512(j).
Providers exercise their discretion in deciding whether to make these reports. For factors pertaining to provider’s discretion to disclose, see section II.B(2)b., below.

III. REQUESTS FROM LAW ENFORCEMENT for Directory Information.
Directory Information is available to the public generally, including law enforcement officials. Provider may normally disclose name, location, and one-word condition, unless the patient opts out or unless the provider opts out the patient. (Religious affiliation may also be disclosed, but only to clergy.) 45 CFR 164.510(a).

IV. REQUESTS FROM LAW ENFORCEMENT for Additional Information
Requests for more information than directory information require both: (1) identification and verification of the requester as a law enforcement official and (2) the legal ground for the requested disclosure.
A. Verification of Identity
1. Is the request from a law enforcement official? 45 CFR 164.512(f). Law enforcement official is defined as: “officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) Investigate or conduct an official inquiry into a potential violation of law; or (2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.” 45 CFR 164.501.
2. Provider verifies identity and authority of official making the request. 45 CFR 164.514(h).
a) Request in person: If official makes the request in person, provider requests the official’s ID to verify identity and authority.
b) Request in writing: Requests in writing are to be submitted on agency letterhead; forms are to be accompanied by a cover letter on agency letterhead. Provider verifies source of writing and authority of requester.
c) Request by telephone: Provider verifies source and identity by contacting official’s dispatch center.
(1) Dispatcher can be temporarily designated to act for law enforcement official in emergency circumstances if dispatcher can verify law enforcement official’s identification; or, official may provide identification via telephone.
(2) If the identification is not adequate, health care provider can deny request (except for directory information).
B. Grounds for requested disclosure.
1. Authorization signed by patient.
a) Patients have the right to “authorize” their medical information to be disclosed to another person. Authorization form must comply with HIPAA requirements. 45 CFR 164.508.
b) The task force has prepared a standardized form, “Authorization to Disclose Health Information to a Law Enforcement Agency,” that it encourages law enforcement officials to use. It will be available at the following web site: http://attorneygeneral.utah.gov/hipaa.html
c) Provider may request verification of patient’s signature, e.g., by notarization, by certified peace officer or duly authorized federal agent, or other appropriate authentication. 45 CFR 164.514(h).
a) Required Disclosure. Are there grounds for required disclosure of PHI? If yes, provider must disclose. If not, look at Permitted Disclosure. 45 CFR 164.512(f)(1).
(1) Court Orders for Disclosure. Special process applies.
(a) Court order.
(b) Court-ordered arrest warrant.
(c) Subpoena or summons issued by judge. (For example, a subpoena authorized under U.C.A. 77-22-1 et seq. In rare circumstances, federal statutes may authorize other federal officials to issue a mandatory order, e.g., DEA.)
(d) Federal grand jury subpoena. Fed.R.Crim.Pro. 6 and 17.
(2) Non-court-ordered requests, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.
(a) Administrative requests under law must contain the following statements:
(i) This is a legitimate law enforcement inquiry,
(ii) The information sought is relevant and material to the inquiry,
(iii) The request is specific and limited in scope, and
(iv) De-identified information could not reasonably be used.
(b) Administrative requests authorized under Utah law:
(i) Child abuse.
Once law enforcement official is notified of possibility of child abuse, if request is made, provider must disclose photographs or X-rays, and all other medical records pertinent to an investigation for child abuse. U.C.A. 62A-4a-403 & 406.
(ii) Subpoena power under Rule 14 of the Utah Rules of Criminal Procedure. Any attorney prosecuting or defending a criminal case that has been filed (including a pro se criminal defendant) can exercise this subpoena power to compel witnesses and the production of documents only in the following manners:
(a) Request to appear in court. If a request to appear is made pursuant to this rule, whether by a law enforcement official or otherwise, the health care provider will appear in court and ask the judge to determine whether the patient’s interests are sufficiently protected before testifying.
OR
(b) Request for production of records. If a request for production of records is made pursuant to this rule, the request will be handled consistent with 45 CFR 164.512(e) (civil proceedings). Provider will require satisfactory assurances regarding notification to the subject of the records prior to making disclosures. This is necessary to ensure the interests of the patient, especially when the patient is a victim of a crime.
(iii) County attorney subpoena power. The county attorney may subpoena witnesses to appear before court or grand jury. U.C.A. 17-18-1. Note: This statute does not give power to compel production of documents. (But see 2.a)(2)(b)(ii), above; once case is filed, documents can be compelled with notice to opposing party.)
(iv) State grand jury subpoena, signed by the prosecutor conducting the grand jury. Can be for witness to appear or to produce documents. U.C.A. 77-10a-13.
(v) Controlled substances subpoena power.
Attorney general, deputy attorney general, assistant attorney general, county attorney, deputy county attorney, district attorney, or deputy district attorney may compel appearance of witnesses and production of documents relevant or material to controlled substances investigation. 77-22a-1.
(3) When a provider discloses information that is required by law, if the disclosure is limited to the relevant requirements of that law, the Minimum Necessary rule does not apply. 45 CFR 502(b)(2)(v).
b) Permitted Disclosure. Are there grounds for permitted disclosure of PHI? If yes, health care provider may disclose, at the discretion of the provider. If grounds do not exist, must not disclose except for directory information as defined above. 45 CFR 164.512(f)(2), (3).
(1) Grounds for permitted disclosure:
(a) Request for information to identify or locate a suspect, fugitive, material witness, or missing person. Only the following limited information may be released: name and address; date and place of birth; social security number; ABO blood type and rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
(b) Request for information about a person who is or is suspected to be a victim of a crime. Requirements:
(i) Patient unable to agree to release of information,
(ii) The information is needed to determine whether someone else committed a crime,
(iii) Information is not intended to be used against patient,
(iv) Immediate law enforcement activity would be materially harmed by waiting until patient is able to agree to release, and
(v) It is in best interest of patient, as decided by provider.
(2) Factors pertaining to provider’s discretion to disclose—does provider have compelling reason not to disclose:
(a) Disclosure is against interest of the patient.
(b) Uncertainty about identity of law enforcement official.
(c) Severity of the crime.
(d) Small risk to the public.
(e) Information not needed urgently.
(f) Information readily available from another source.
a) Provider shall disclose information to a health oversight agency for oversight activities authorized by law. 45 CFR 164.512(d)
b) Normally there are two requirements to qualify as a health oversight purpose:
(1) First, the activity must be conducted by a “Health Oversight” agency. This usually includes:
(a) Federal law enforcement agencies (e.g., DEA; FBI; Health and Human Services, Office of Inspector General, Office of Investigations (HHS-OIG-OI); DOD-Defense Criminal Investigative Service; FDA-Office of Criminal Investigation);
(b) State regulatory agencies (e.g., Department of Professional Licensing; Medicaid Fraud Control Unit; Health Insurance Fraud Unit. Note: fraud units must be investigating fraudulent claims for public health benefits, or qualification for or receipt of public benefits or services regarding that beneficiary);
Note 1: Local law enforcement agents are generally not Health Oversight agencies unless they are assisting federal officials or state regulatory officials.
Note 2: If local law enforcement agency is involved, provider should contact legal counsel for advice.
(2) Second, it must be a health oversight activity or health care fraud investigation.
(a) The target of the activity or investigation will generally be a health care provider or organization.
(b) The target of the investigation will rarely be the patient whose records are requested. However, if the oversight agency believes that the patient whose records are requested has committed health care fraud, the patient may be the target of the activity or investigation.
(c) If the patient is the subject of the activity or investigation, the provider should consider contacting legal counsel to clarify whether this is a health oversight or law enforcement purpose before producing records.
(d) For example, if law enforcement officials are investigating a patient that is “doctor shopping” for drugs, rather than investigating a health care provider or other individual subject to health oversight, this would be considered a law enforcement investigation, rather than a health oversight investigation.
c) The “minimum necessary” standard applies.
d) If the standard is met, provider releases the information.

V. ACCOUNTING OF DISCLOSURES - REQUEST FOR SUSPENSION
A. The disclosures to law enforcement or health oversight agencies discussed in this outline, whether requested by law enforcement officials or reported by providers, must generally be reported to a patient upon the patient’s request. This report is called an accounting of disclosures. Exception: Disclosures of directory information and disclosures in response to a signed authorization by the patient are not reported in an accounting of disclosures. 45 CFR 164.528(a).
B. Provider must suspend the patient’s right to an accounting of these disclosures if the law enforcement or health oversight agency does the following:
1. Requests the suspension,
2. States that informing the patient of the disclosure would be reasonably likely to impede the agency’s activities, and
3. Specifies the time for which the suspension is required.
C. Time length of suspension.
1. An oral request is valid up to 30 days.
2. A written statement is valid for the time specified.
D. These rules on accounting of disclosure also apply to disclosures under 42 CFR Part 2, discussed in the Appendix to this summary.

APPENDIX: Restrictions on Law Enforcement Access to Patient Records Held by Federally Assisted Alcohol and Substance Abuse Treatment Programs

Disclosure Restrictions for Drug and Alcohol Abuse Treatment Programs. Federal statutes and regulations protect all information about any person who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program. See 42 USC §§ 290ee-3 & 290dd-3; 42 CFR Part 2, specifically 42 CFR §2.11 (definition of a "patient"). These regulations are referred to as “Part 2.” Part 2 protects any and all information that could reasonably be used to identify an individual. Programs may not use or disclose any information about any patient unless the patient has consented in writing (on a form that meets the requirements established by the regulations) or unless another very limited exception specified in the regulations applies (discussed below). Any disclosure must be limited to the information necessary to carry out the purpose of the disclosure. See 42 CFR §§2.11 and 2.13(a).

Limits on Disclosure to Law Enforcement. Part 2 permits programs to disclose only very limited information and only under very specific circumstances to law enforcement officials:

Directory Information Not Available. Information from the patient directory of the facility (typically, name, location, and one-word condition) is generally not available regarding patients in these programs.

Disclosure with Patient Consent. Patients can consent in writing to the disclosure of their information from these programs to another person. The consent form must contain the elements stated in 42 CFR §2.31. A consent form with additional provisions is required if participation in the program is a condition of the disposition of a criminal proceeding against the patient or of the patient's release from custody, and information is to be disclosed to personnel who need the information to monitor the patient's progress. See 42 CFR §2.35.

Crime on Premises. Such disclosures must be directly related to crimes and threats to commit crimes on program premises or against program personnel and must be limited to the circumstances of the incident and the patient's status, name, address and last known whereabouts. See 42 CFR §2.12(c)(5).

Child Abuse Reporting. Part 2 permits programs to comply with State laws that require the reporting of child abuse and neglect. See 42 CFR §2.12(c)(6). However, Part 2 limits programs to making only an initial report; it does not allow programs to respond to follow-up requests for information or to subpoenas, unless the patient has signed a consent form or a court has issued an order that complies with Part 2, Subpart E.

Subpoena Responses; Court Orders Must Satisfy 42 CFR Part 2, Subpart E. Part 2 permits programs to release information in response to a subpoena if the patient signs a consent permitting release of the information requested in the subpoena. When the patient does not consent, Part 2 prohibits programs from releasing information in response to a subpoena, unless a court has issued an order that complies with the rule. See 42 CFR Part 2, Subpart E.
· Subpart E sets out the procedure the court must follow, the findings it must make, and the limits it must place on any disclosure it authorizes.
· A court order complying with Subpart E “is a unique kind of court order,” and must be accompanied by a “subpoena or a similar legal mandate” “in order to compel disclosure.” 42 CFR § 2.61.
· A court order under Subpart E “may authorize disclosure of confidential communications made by a patient to a[n alcohol or substance abuse] program in the course of diagnosis, treatment, or referral for treatment only if:
o “The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;
o “The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or
o “The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of confidential communications.” 42 CFR § 2.63
· The court and law enforcement officials seeking to obtain records protected by Part 2 must follow specific procedures required by federal regulations. See 42 CFR §§ 2.64-2.67.

Sources: 42 CFR Part 2; Substance Abuse and Mental Health Treatment Services Administration (see, e.g., http://hipaa.samhsa.gov/); U.S. Department of Health & Human Services.

Comments or questions regarding the UMA Web site should be directed to Mark Fotheringham, UMA V.P. of Communications; phone (801)747-3500 or email to mark@utahmed.org
Copyright © 2007 Mark Fotheringham