Compliance and Privacy Services provides reminder on HIPAA disclosures to law enforcement

UC Davis Health’s Compliance and Privacy Services Department has a reminder for those who handle sensitive patient information.

The Health Insurance Portability and Accountability Act (HIPAA) generally prohibits health care providers from disclosing protected health information (PHI). This includes sharing PHI with police or other law enforcement officials. Disclosing PHI to law enforcement is permitted with the patient’s written authorization or if certain conditions are met.

HIPAA allows sharing PHI with law enforcement agencies in the following cases:

1. By court order, warrant, subpoena, or administrative process
2. To avoid harm
3. When required by law, e.g., to report child or adult abuse or neglect, injuries from gunshots or criminal activity, etc.
4. To identify or locate a person
5. If the patient is the victim of a crime
6. In cases of patient death
7. If there is criminal conduct on the premises

Explanations of these conditions can be found in UC Davis Health Policy 2426.

What to consider for law enforcement requests

 Staff should consider the following when dealing with law enforcement requests:

1. If you do not know the law enforcement official making the request for information, you must verify their identity and authority before disclosing the information, e.g., by requesting identification
2. Except when required by law, you should limit disclosures to the minimum amount of individuals necessary. When reasonable to do so, you may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for their lawful purpose.
3. If the law enforcement request does not fit within one of the exceptions allowing disclosure, you should explain the limits to law enforcement; however, you should not physically interfere with or impede law enforcement if they insist on accessing information over your objection. Contact your supervisor or seek support from Risk Management, Compliance and Privacy Services, or Legal Affairs.
4. In all cases, you should document the circumstances surrounding the disclosure to law enforcement in the log for accounting of disclosures as required by Policy 2446.

Disclosing information as part of a Facility Directory

You may disclose limited information to law enforcement as part of a facility directory if:

1. You have informed the patient or know that a UC Davis Health staff member has informed the patient that UC Davis Health would include information in our facility directory, and the patient has had the chance to restrict disclosures and declined.
2. The law enforcement requestor asks for the person by name, and:
3. The disclosure is limited to the location in the facility and the general condition. This includes patients brought to UC Davis Health by police but not arrested or otherwise in custody.

Conclusion

Although we, as UC Davis Health workforce members, can and should cooperate with law enforcement as appropriate (especially when doing so is necessary to keep us or others safe), we should remember that we are not agents of the police and that we owe separate duties to our patients under HIPAA and UCDH policies.

It is also important to remember that law enforcement officers are not subject to HIPAA. Their concern is apprehending criminals. Unless the disclosure or access is required or allowed as set forth above, we should not disclose PHI to the police. We must carefully consider the situation before allowing police access to patients.

If the police officer demands access anyway, we should object appropriately and professionally and document the circumstances. When in doubt, contact your supervisor or seek support from Risk Management, Compliance and Privacy Services, or Legal Affairs.

Questions? Please do not hesitate to contact the UC Davis Health Compliance and Privacy Services Office at 916-734-8808 or via email at hs-privacyprogram@ucdavis.edu.