Law enforcement exceptions to HIPAA

What can you do if you suspect one of your patients may harm himself or others? If you report your suspicions to the police, would that violate patient privacy?

You may report your suspicions to the police, according to the agency that enforces HIPAA. HIPAA’s Privacy Rule is balanced to protect individual privacy while allowing law enforcement activities to continue. 

As a physician, you may — when consistent with applicable law and standards of ethical conduct — use or disclose PHI if you believe in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. 1, 2 

Other circumstances in which it is acceptable for physicians to release PHI to law enforcement include:

1. To comply with a court order or court-ordered warrant, a subpoena, or summons issued by a judicial officer, or a grand jury subpoena. 2

2. To respond to an administrative request. The Rule requires requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used. 2

3. To identify or locate a suspect, fugitive, material witness, or missing person. PHI disclosures must be limited to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and distinguishing physical characteristics. Additional PHI may be disclosed in response to a court order, warrant, or written administrative request. 2

This same limited information may be reported for the following individuals.

4. About a suspect whose alleged victim is a member of the physician’s workforce. 2

5. To identify or apprehend an individual who has admitted participation in a violent crime, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to this type of violent act. 2

6. To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials confirm: 

  • the PHI is not intended to be used against the victim;
  • the PHI is needed to determine whether another person broke the law; 
  • the investigation would be adversely affected by waiting for the victim’s agreement; and
  • it is the physician’s professional judgment that doing so is in the best interests of the individual whose information is requested. 2

Where child abuse victims or adult victims of abuse, neglect, or domestic violence are concerned, other provisions of the Rule apply:

7. Child abuse or neglect must be reported to any authorized law enforcement official; the agreement of the child in question is not required (45 CFR 164.512(b)(1)(ii)). 2

8. Adult abuse, neglect, or domestic violence may be reported (45 CFR 164.512(c)):

  • if the alleged victim consents to the disclosure;
  • if the report is required by law; 3,4 or
  • if the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations. 2

Notice to the individual of the report may be required. 2

9. To report PHI to law enforcement when required by law to do so, such as incidents of gunshot, stab wounds, or other violent injuries. 2

10. To alert law enforcement when there is a suspicion that a death resulted from criminal conduct. PHI about a decedent may also be shared with medical examiners or coroners to assist them in their authorized duties. 2

11. To report PHI that the physician in good faith believes to be evidence of a crime that occurred on the physician’s premises. 2

12. When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity. This exception does not apply if the individual in need of care is a victim of abuse, neglect, or domestic violence. 2 (See provisions for these circumstances above.)

13. When consistent with applicable law and ethical standards. Please see 45 CFR 164.512(j)(1)(i) and 45 CFR 164.512(j)(1)(ii)(B).

14. For certain other specialized governmental law enforcement purposes, such as disclosures to federal officials under the National Security Act 2 or responses to a request for PHI by a correctional institution or in relation to the lawful custody of an inmate. 1

 

Minimum necessary determination
Except when required by law, disclosures to law enforcement are subject to a minimum necessary determination by the physician. 5 If the law enforcement official making the request is not known to the physician, the identity and authority of such person must be confirmed before disclosing information. 5 

 

Sources

1. U.S. Department of Health and Human Services. Health information privacy. When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? Available at http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/505.html. Accessed September 18, 2019.

2. Code of Federal Regulations. Title 45, Subtitle A, Subchapter, Part 164, Subpart E, Section 164.512. Uses and disclosures for which an authorization or opportunity to agree or object is not required. Accessed September 18, 2019.

3. According to the Texas Department of Family and Protective Services, “Texas law says anyone who thinks a child, or person 65 years or older, or an adult with disabilities is being abused, neglected, or exploited must report it to DFPS.” Texas Family Code Title 5, Subtitle E, Chapter 261, Section 261.001 and Human Resources Code Title 2, Subtitle D, Chapter 48, Section 261.001.  

4. Code of Federal Regulations. Title 45. Public Welfare. Section 164.512 (a). Security and Privacy. Uses and disclosures for which an authorization or opportunity to agree or object is not required. Available at https://www.law.cornell.edu/cfr/text/45/164.512. Accessed September 18, 2019.

5. Code of Federal Regulations. Title 45, Subtitle A, Subchapter, Part 164, Subpart E, Section 164.514. Other requirements relating to uses and disclosures of protected health information. Accessed September 18, 2019.

About the Author

Laura Hale Brockway is the Assistant Vice President of Marketing at TMLT. She has more than 20 years of marketing and management experience, and has worked for Seton Healthcare Family and the Texas Academy of Family Physicians. Laura holds an Editor in Life Science (ELS) certification from the Board of Editors in the Life Sciences.
