Jeffery Young, CHPA, CPP, president of the International Association for Healthcare Security & Safety, says a patient’s protected health information (PHI) can be disclosed to law enforcement without the individual’s signed Health Insurance Portability and Accountability Act (HIPAA) authorization in these situations:
- if it allows the law enforcement official to be reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;
- if the covered entity in good faith believes the PHI to be evidence of a crime that occurred on the premises of the covered entity;
- to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct;
- when responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity;
- when required by law to do so, such as reporting gunshots or stab wounds;
- to comply with a court order or court-ordered warrant, a subpoena, or summons issued by a judicial officer, or an administrative request from a law enforcement official;
- to respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person;
- to respond to a request for PHI about an adult victim of a crime when the victim agrees.
In Young’s experience, many government and law enforcement officials view HIPAA requirements as a barrier to accessing information needed for their investigations and dislike the need to “jump through hoops,” he says. “HIPAA is not meant to be a barrier to bona fide requirements,” Young says. “It’s an assurance for the protection of personal information.”
- Jeffery Young, CHPA, CPP, President, International Association for Healthcare Security & Safety, Glendale Heights, IL. Email: Jeffery.Young@fraserhealth.ca.