|October 2, 2013|
Previously published on October 1, 2013
The Office for Civil Rights (OCR) of the Department of Health and Human Services recently announced the release of its guidance, “Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule: A Guide for Law Enforcement.” The guide is a resource OCR designed to assist law enforcement and emergency planners when addressing information-sharing situations where the HIPAA Privacy Rule may be at issue. The guide describes the HIPAA Privacy Rule and identifies entities that must comply with its requirements and entities that are not required to comply. The guide also outlines the manner in which the HIPAA Privacy Rule allows the disclosure of protected health information (PHI) in common situations involving law enforcement, such as in response to a judicial subpoena for medical records. (See Summary of the new guidance.)
State Law Protections
When responding to a request from law enforcement, covered entities and their business associates should always consider whether more stringent state law protections apply and prevent a use or disclosure that would otherwise be permitted by HIPAA. For instance, in New York, medical records are protected by privilege unless (1) the individual to whom the records relate authorizes their disclosure or (2) a state law requires their disclosure to law enforcement, such as in the case of a gunshot wound.
In some cases, prosecutors serve hospitals and other health care providers with a judicial or grand jury subpoena to obtain the medical records of an individual who is suspected of having committed a crime. Should the hospital or other health care provider disclose the requested records? Although HIPAA allows such a disclosure, stricter state law privileges generally protect the information in that situation.
The new OCR guide will serve as a helpful resource for law enforcement, covered entities, business associates and others who encounter situations where medical records or other PHI is involved. The guide, however, is only a starting point. An in-depth analysis of state law is necessary to understand specific privacy obligations.