Can’t we all get along? Here are ways to work with police without violating HIPAA

 Risk managers have to say no sometimes, but diplomacy is key

It’s 3 a.m., and you get a call from the emergency department. The staff is in a heated dispute with a local police officer who’s demanding information about a patient who assaulted another while waiting to be transferred to inpatient care. Your staff is worried about violating patient privacy. The officer is complaining loudly that the hospital is obstructing a criminal investigation.

What’s a risk manager to do?

The immediate situation might require your intervention to assure police that they will get all the information they are entitled to, even if staff can’t hand it over immediately. But you can avoid getting more of those 3 a.m. calls by working closely with the local police department to establish reasonable expectations and by educating your staff about how to respond to a criminal investigation.

Tim Dimoff, a former police officer and current president of SACS Consulting in Akron, OH, which specializes in security and liability concerns for health care facilities, says it is common for police and health care providers to have heated arguments about releasing patient information. "You can find yourself in that situation a lot," he says. "There’s an intersection of all these concerns, and the laws have only gotten more difficult to comply with lately. You’ve got to walk a fine line."

Officer, hospital have different perspectives

A case in New York recently brought attention to the difficult situation that risk managers can face when police must conduct a criminal investigation in the facility. Police in Harrison, NY, report that in August 2003, two patients sexually assaulted a 15-year-old mentally handicapped girl for hours while she was in the locked mental health unit at St. Vincent’s Westchester Hospital.

Police report that when they arrived to investigate, hospital staff would not cooperate and obstructed basic forensic work. The Harrison Police Department has accused the hospital of interfering with police investigations of criminal activity in the past, prior to this incident. A spokesman for St. Vincent’s declined Healthcare Risk Management’s request for comment.

Though the facts of that case and exactly what happened between the police and hospital staff are in dispute, Dimoff says the scenario is familiar. "You’ve got a police officer who doesn’t understand why you won’t cooperate, and you’ve got a doctor who doesn’t understand why the police officer doesn’t understand," he says. "It can escalate quickly."

Medical information is protected

The best thing a risk manager can do is to focus on the separation between medical and nonmedical information, he suggests. When police officers show up to investigate a crime, in most cases, they’re not really interested in the medical information that is protected by HIPAA, he says. But they may not have a clear understanding of where the line is drawn between what your staff can release without violating HIPAA and what it can’t, Dimoff says.

In most cases, it comes down to a lack of communication, he says. The police officer is asking questions without knowing what language to use so that the hospital staff can respond without violating patient privacy. And the staff is so determined not to violate HIPAA or be sued by the patient that it clams up without being helpful.

"Realize that the officer who comes to the hospital probably isn’t that well versed in HIPAA regulations. He’s got a job to do, and he’s just asking all the questions he can think of," Dimoff says. "Your folks are well meaning, too, so you have to find a way for them to communicate."

Know where to draw the line

Dimoff advises risk managers to train health care staff — particularly those in the ED and other areas where they are likely to encounter police investigations — in where to draw the line. Medical information is protected, but criminal information is not, he says. "If medical staff witness a crime, or the person is talking about it and they overhear it, the staff should not hesitate to report that information to the police," he says. "The confusion arises because they think that when it’s a patient they can’t release any information. No. It’s medical information they can’t release."

Even if you’re a doctor or a nurse, that doesn’t mean everything you know about a patient is protected medical information, he says. In most cases, health care staff should be able to cooperate fully with a police investigation of criminal activity on your property without violating patient confidentiality, Dimoff notes.

However, some caution is warranted, says Kevin Lyles, JD, a partner with the law firm of Jones Day in New York and a specialist in health care law. Lyles says it is understandable that risk managers might want to err on the side of caution with HIPAA. "If they’re asking about the victim, I think it would be safe to get the patient’s consent before releasing that information to the police," he says. "If the patient is unconscious or incapacitated, HIPAA does allow you to release that information as long as the police tell you it’s not going to be used against the person. It’s worth noting that HIPAA allows you to release information under some conditions but it never requires you to."

Protected and complicated

Lyles cautions that a lot more information may be considered protected health information under HIPAA than a police officer would imagine. For instance, if you have a patient’s name, address, and Social Security number because he is a patient in the facility, "that’s all protected health information," Lyles explains.

But it can get complicated. HIPAA does allow you to disclose certain basic information — name, address, date of birth, blood type, date and time of treatment, and a physical description — when the police are searching for that person as a suspect in a crime. "You don’t have to, but HIPAA allows you to," he says. "One thing you should never do is give your employees any instructions that might be seen as impeding the investigation. Don’t tell your employees not to talk to the police. That could be seen as impeding."

The answer sometimes has to be, No’

But what about when the police start asking about protected information, such as why a patient was being treated? If they want to know whether the victim was mentally impaired, or why the accused assailant was on a locked ward, what can your staff do? That’s more difficult, but still can be resolved without a confrontation, Dimoff says.

"The police can see that as an entirely reasonable question considering the circumstances, but the risk manager might be wary about releasing that information," he says. "Sometimes, the police come in and start asking questions without realizing you can’t give them that. But once you say no, they can dig in their heels and insist, and then you’re just butting heads."

Lyles says that information such as why a patient was on a mental health unit can be disclosed if they are searching for the person as a crime suspect. You may have to use your own judgment in determining how much of that information is relevant to their search for the suspect, he says. "If they have a suspect in hand and want to know why he was here in your hospital, that’s different," he says. "Then they need to come back with a warrant or a subpoena."

Subpoena can be solution

Both sides need to understand that the subpoena is a method for the hospital to turn over information that protects everyone from legal consequences. But Dimoff cautions that both parties must understand how to resolve this situation amicably. You don’t want your staff to shout, "You’ll have to subpoena us if you want this information!" as if it were a challenge.

Instead, have staff explain to police that, for certain protected information, that’s the method required. You can say it in a conciliatory way — that you wish you could just give them the information, but your hands are tied. Conversely, the police need to understand that your staff isn’t stonewalling when it suggests a subpoena. It’s crucial that the harried police officer doesn’t take it personally when the harried physician says no.

"There needs to be training on both sides, but the police need more of an education on this than the health care side," Dimoff says. "They need to understand what kind of restrictions they might face in a health care setting, and that there is a proper process. They need to know they’ll get a lot more cooperation if they go in to the hospital with those things in mind."

A good way to facilitate that rapport might be for the risk manager to offer an inservice to the local police department. Particularly if you have a large facility with a busy ED, the police might find it worthwhile to have you come and explain to their officers or supervisors what sort of constraints you face in releasing information. Both sides can then offer suggestions on how to smooth out the rough spots.

"You can work it out calmly instead of arguing about it in the middle of the night when no one is in a good mood," Dimoff says.