NOVEMBER 2004 TRAINING SESSION

This month’s training session is for physicians, nurses, and clinical staff; public relations staff; HIM and medical records staff; business office and marketing staff; volunteers; and receptionists and front-end staff.

IN THIS ISSUE

17 Rules for Disclosing PHI When Law Enforcement Officials Don’t Have a Court Order, Subpoena, or Warrant (p. 1)
Rules #1–#2: Disclosing PHI to Law Enforcement Officials When Your State or Other Law Requires or Permits the Disclosure (p. 1)
Rules #3–#4: Disclosing PHI to Law Enforcement Officials When the Patient Is a Crime Victim (p. 2)
Rules #5–#6: Disclosing Limited PHI to Law Enforcement Officials in Certain Situations Without Getting the Patient’s Authorization to Do So (p. 3)
Rule #7: Disclosing PHI to Law Enforcement Officials When Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity (p. 4)
Rule #8: Disclosing PHI to Law Enforcement Officials When Your Organization Suspects that a Crime Has Been Committed at Its Facility (p. 5)
Rule #9: Disclosing PHI to Law Enforcement Officials to Report a Crime When Your Organization Delivers Off-Site Emergency Services (p. 5)
Rule #10: Disclosing PHI to Law Enforcement Officials When the Patient Is a Victim of Abuse, Neglect, or Domestic Violence (p. 5)
Rule #11: Disclosing PHI to Law Enforcement Officials When the Patient Is in a Correctional Facility or Custody of a Law Enforcement Official (p. 6)
Rules #12–#13: Verifying a Law Enforcement Official’s Identity and Authority (p. 6)
Rules #14–#17: Accounting for Your Organization’s Disclosures to Law Enforcement Officials (p. 7)
At a Glance (p. 7)
Trainer’s Quiz (p. 9)
Trainer’s Answers & Explanations (p. 10)

Disclosing PHI to Law Enforcement Officials Who Don’t Have a Court Order, Subpoena, or Warrant

In previous issues, we’ve trained you on what to do before disclosing patients’ PHI to law enforcement officials with a court order, subpoena, or warrant. Generally, the HIPAA privacy regulations let your health care organization disclose PHI in response to a court order or subpoena without getting the patient’s authorization to do so (see “Responding to a Subpoena for a Patient’s PHI,” Trainer, Oct. 2003). And your organization may generally disclose a patient’s PHI to a law enforcement official who has a search warrant without getting the patient’s authorization (see “Disclosing PHI to Law Enforcement Officials with Search Warrant,” Trainer, Jan. 2004).

This training session focuses on when you may disclose a patient’s PHI to law enforcement officials who show up at your organization without a court order, subpoena, or warrant, and what PHI you may disclose. Generally, whether a disclosure is permitted depends on why the officials want the PHI. For example, state or federal law may require your organization to disclose a patient’s PHI to law enforcement officials under certain circumstances (say, when a patient’s wounds are the result of gunshots or stabbing). If so, your organization may disclose the patient’s PHI without the patient’s authorization. But generally, if a patient is a crime victim, your organization needs the patient’s permission to disclose her PHI to law enforcement officials. If your organization fails to get the patient’s permission when required to do so, you or your organization could face fines, lawsuits, or other penalties for wrongful disclosure of her PHI.

To help you understand what PHI you may disclose to law enforcement officials without a court order, subpoena, or warrant, and when to do it, we give you 17 rules to follow. There’s also a Trainer’s Quiz to help you test your knowledge.

HIPAA SECURITY & PRIVACY STAFF TRAINER

BOARD OF ADVISORS
Jana H. Aagaard, Esq., Law Office of Jana H. Aagaard, Carmichael, CA
Miriam Paramore, PCI: e-commerce for healthcare, Louisville, KY
M. Peter Adler, Esq., Foley and Lardner, Washington, DC
Judy Rhodes, RN, Peer Consulting, Indianapolis, IN
Patricia Gentil, Waterbury Hospital, Waterbury, CT
Jackie Selby, Esq., Oxford Health Plans, Inc., Trumbull, CT
Gwen Hughes, RHIA, Care Communications, Chicago, IL
Jay Silverman, Esq., Ruskin Moscou Faltischek, PC, Uniondale, NY
Gretchen McBeath, Esq., Brickler & Eckler, LLP, Columbus, OH
Errick Woosley, E. Woosley & Assocs., Batesville, IN

Michelle Wilson, Editor; Lauren McCloud, Group Publisher; Suzanne Perney, Publisher

HIPAA Security & Privacy Staff Trainer is published monthly by HCPro, Inc., 100 Hoods Lane, Marblehead, MA 01945. Subscription rate: $357/year; back issues are available at $25 each. Postmaster: Send address changes to HIPAA Security & Privacy Staff Trainer, P.O. Box 1168, Marblehead, MA 01945. Copyright 2004 HCPro, Inc. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, Inc., or the Copyright Clearance Center at 978/750-8400. Please notify us immediately if you have received an unauthorized copy. For editorial comments or questions, call 781/639-1872 or fax 781/639-2982. For renewal or subscription information, call customer service at 800/650-6787, fax 800/639-8511, or e-mail customerservice@hcpro.com. Visit our Web site at www.hcpro.com. Occasionally, we make our subscriber list available to selected companies/vendors. If you do not wish to be included on this mailing list, please write to the Marketing Department at the address above. Opinions expressed are not necessarily those of HIPAA Security & Privacy Staff Trainer. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions. HIPAA Security & Privacy Staff Trainer is not affiliated in any way with the Joint Commission on Accreditation of Healthcare Organizations.

17 RULES FOR DISCLOSING PHI WHEN LAW ENFORCEMENT OFFICIALS DON’T HAVE A COURT ORDER, SUBPOENA, OR WARRANT

Rule #1: Your Organization May Disclose PHI to Law Enforcement Officials Without the Patient’s Authorization When Your State or Other Law Requires It to Do So

From time to time, a state or other law (say, the Patriot Act) will require your organization to disclose PHI to law enforcement officials. This generally involves state laws that require reporting of certain wounds or injuries (say, gunshot wounds, stab wounds, or dog bites), child abuse or neglect, or domestic abuse. If your state has such a mandatory reporting law, your organization may disclose the patient’s PHI to law enforcement officials without getting the patient’s authorization to do so. It may also, without getting the patient’s authorization, initiate disclosures of a patient’s PHI to law enforcement officials when required by law to do so; it needn’t wait for a law enforcement request for that PHI.

Example #1: XYZ Hospital treats Patient A for third-degree burns. State law requires health care organizations to report all burn victims to law enforcement officials. Officer X shows up at XYZ’s emergency department and requests Patient A’s PHI. XYZ Hospital may disclose Patient A’s PHI in response to Officer X’s request without getting the patient’s authorization to do so.

Example #2: Following a car accident, Patient A is treated at XYZ Hospital’s emergency department. Blood test results indicate that the patient was intoxicated while driving his car. State law requires health care providers to notify law enforcement when a patient’s blood tests indicate that the patient was intoxicated while driving a car involved in an accident. XYZ Hospital may initiate a disclosure of Patient A’s PHI to law enforcement officials without getting the patient’s authorization to do so.

Trainer Says: Even though the HIPAA privacy regulations don’t require it, your organization should get law enforcement officials to put requests for patients’ PHI in writing, says health care attorney Kelly T. Hagan. At a minimum, it should document any oral requests made by law enforcement officials for patients’ PHI, he suggests. Your organization should tell you its policies and procedures for documenting requests from law enforcement officials.
Rule #2: If State or Other Law Permits, but Doesn’t Require, Your Organization to Disclose PHI to Law Enforcement Officials, You Must Get the Patient’s Authorization to Do So

What if your state or other law doesn’t require a health care organization to disclose PHI to law enforcement officials but merely allows it to do so in certain situations? Then, the HIPAA privacy regulations require your organization to first get the patient’s authorization. Otherwise, you must get other legal documentation (like a court order, subpoena, or search warrant) from an official before the disclosure.

Example: Following a car accident, Patient A is treated at XYZ Hospital. Blood tests show that Patient A was driving while intoxicated. State law permits, but doesn’t require, health care providers to notify law enforcement about blood tests indicating that a patient was intoxicated while driving a car involved in an accident. Officer X is assigned to investigate the accident and requests Patient A’s PHI, including his blood test results. XYZ Hospital must get Patient A’s authorization to disclose his PHI to Officer X unless Officer X has a court order or other legal document (say, a search warrant) authorizing the disclosure.

Rule #3: Except in Certain Circumstances, if the Patient Is a Crime Victim, Your Organization Must Get the Patient’s Permission to Disclose Her PHI in Response to a Law Enforcement Request

From time to time, a law enforcement official may come to your organization requesting the PHI of a patient who’s a crime victim or suspected of being a crime victim. If so, your organization needs the patient’s permission (either orally or in writing) to disclose her PHI in response to the request, except when the patient: 1) needs emergency treatment; 2) is incapacitated (see Rule #4, below); or 3) state law requires the disclosure (see Rule #1). Similarly, the HIPAA privacy regulations don’t allow a health care organization to initiate disclosures about victims to law enforcement agencies without the patient’s permission unless the organization is required to do so by state law.

Example #1: XYZ Hospital treats Patient A for a leg injury suffered when someone tried to steal her purse. The police ask the hospital for Patient A’s emergency room record. XYZ Hospital must ask Patient A for her permission to disclose her PHI to the police. For instance, the hospital may say: “The police are investigating the robbery that caused your injuries. As part of their investigation, the police have asked us for your PHI. Do we have your permission to disclose your PHI to them?” If the patient says yes, XYZ Hospital may disclose Patient A’s PHI to the police. Your organization needn’t get the patient’s written authorization before disclosing her PHI to law enforcement. It’s sufficient to get the patient’s agreement (either orally or in writing) to make the disclosure to law enforcement, says Hagan.

Trainer Says: From time to time, a victim may also be a fugitive or suspect. For example, a patient may get shot while committing a robbery and seek treatment in a hospital emergency room. If so, your organization must follow the rules for disclosing the PHI of a suspect, fugitive, witness, or missing person set out in Rule #5, below. And if your organization suspects that a patient’s injuries are the result of abuse, neglect, or domestic violence, it must follow the conditions set out in Rule #10.
Rule #4: In an Emergency or When the Patient Is Incapacitated, Your Organization May Disclose the PHI of a Patient Who’s a Crime Victim to Law Enforcement Without the Patient’s Authorization, if Certain Conditions Are Met

In certain circumstances, the HIPAA privacy regulations allow your organization to disclose a patient’s PHI, without the patient’s authorization, in response to a law enforcement official’s request, even though the patient is or is suspected of being a crime victim. The first requirement for such a disclosure is that at the time the patient is admitted to your facility, she is incapacitated or needs emergency treatment. In addition, you may disclose the patient’s PHI to law enforcement only if all three of the following conditions are met:

1) The law enforcement official states that the PHI is needed to determine if someone other than the patient has committed a crime and that the PHI won’t be used against the patient. For example, an elderly patient from a nursing home is admitted to a hospital with suspicious injuries. The local police investigating the injuries say that they need the patient’s PHI to determine whether a crime was committed against the patient.

2) The law enforcement official states that immediate law enforcement activity depends on the disclosure, and without it, law enforcement efforts will be adversely affected. For example, law enforcement officials may not be able to charge a suspect with a specific crime unless they know the extent of the patient’s injuries.

3) Your organization determines, in the exercise of its professional judgment, that the disclosure is in the best interests of the patient. According to the comments to the HIPAA privacy regulations, assessing the patient’s best interests includes taking into account any further risk of harm to the patient. For example, a patient is shot during a robbery. It would be in the patient’s best interests to apprehend the person suspected in the shooting.

If the victim is also a fugitive or suspect, the HIPAA privacy regulations require your organization to follow the specific rules for disclosing the PHI of a suspect, fugitive, witness, or missing person set out in Rule #5, below. And if your organization suspects that the victim’s injuries are the result of abuse, neglect, or domestic violence, it must follow the conditions set out in Rule #10.

Trainer Says: Even though the HIPAA privacy regulations don’t require it, your organization should get the law enforcement official’s request for a victim’s PHI in writing, says Hagan. Some law enforcement agencies (like the Kansas Bureau of Investigation) have a form they use for this purpose. For example, the form could say: “The victim’s PHI is needed to determine whether a violation of law by a person other than the victim has occurred. The victim’s PHI isn’t intended to be used against the victim. Immediate law enforcement activity would be materially and adversely affected by waiting until the victim is able to agree to the disclosure. I believe that the disclosure is in the victim’s best interests and may prevent further serious harm to him or other potential crime victims.” Your organization should also document the factual basis and rationale for its professional judgment that disclosure is in the patient’s best interests, says Hagan. This may protect your organization if the patient later complains, he says.

Rule #5: Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI in Response to a Request from Law Enforcement to Identify or Locate a Suspect, Fugitive, Witness, or Missing Person

The HIPAA privacy regulations allow your organization to disclose limited identifying PHI of a patient to law enforcement to aid their efforts to identify or locate a suspect, fugitive, witness, or missing person without getting the patient’s authorization. The request for the patient’s PHI must come from law enforcement. The HIPAA privacy regulations don’t authorize your organization to initiate the disclosure. A health care organization may disclose only the following PHI for identification and location:

■ Name and address;
■ Date and place of birth;
■ Social Security number;
■ Blood type and Rh factor;
■ Type of injury;
■ Date and time of treatment;
■ Date and time of death; and
■ Description of distinguishing characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.

The regulations explicitly exclude any PHI related to a patient’s DNA or a DNA analysis; dental records; or typing, samples, or analysis of body fluids or tissues (unless it’s one of the items listed above).

Example: A witness to a shooting tells police the time of the shooting and that the perpetrator, also, was shot. Law enforcement officials don’t know the perpetrator’s identity and don’t have enough information to get a warrant. According to the comments to the HIPAA privacy regulations, law enforcement officials have a legitimate need to ask local emergency rooms whether anyone came in with a bullet wound around the time of the shooting. So a health care organization may disclose the limited PHI listed above for the purpose of identifying the perpetrator, according to the comments.

What’s a request by a law enforcement official or agency? According to the comments to the HIPAA privacy regulations, a request by law enforcement officials includes oral or written requests by individuals acting on behalf of a law enforcement agency (say, a media organization’s broadcasting a request on the evening news for the public’s assistance in identifying a suspect). It also includes “Wanted” posters, public announcements, and similar requests to the general public for assistance in locating suspects, fugitives, witnesses, or missing persons.

The HIPAA privacy regulations have special rules for treating victims of abuse, neglect, or domestic violence. If a health care organization believes that a witness or missing person was a victim of abuse, neglect, or domestic violence, it must follow the conditions set out in Rule #10.


Rule #6: Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI to Law Enforcement Officials to Avoid a Serious Threat to the Health or Safety of a Person or the Public

Your organization doesn’t need the patient’s authorization to disclose limited PHI to law enforcement officials if it believes that the disclosure of the PHI is needed to avert a serious and imminent threat to health or safety. But your organization may disclose only the limited identifying PHI that may also be disclosed about suspects, fugitives, witnesses, or missing persons (see Rule #5, above). Before releasing the PHI, your organization must believe that the disclosure is:

■ Necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public; and
■ Being made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

Example: Patient A is treated at XYZ Hospital’s emergency room. He appears intoxicated and is ready to get into a car and drive away. The law in XYZ Hospital’s state permits, but doesn’t require, a health care provider to notify law enforcement if the provider is giving emergency medical care to a person believed to be under the influence of drugs or alcohol and that person is about to drive a car. If XYZ Hospital believes that Patient A’s driving is a serious threat to public health or safety, it may disclose Patient A’s PHI to law enforcement to prevent that threat without getting the patient’s authorization.

Rule #7: If Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity, It Needn’t Get Authorization from the Patient’s Representative to Disclose PHI to Law Enforcement Officials

If your organization suspects that a patient’s death may have resulted from criminal activity (say, a homicide or overdose of narcotics or illegal drugs), your organization may disclose the patient’s PHI to law enforcement officials to alert officials to the patient’s death. The comments to the HIPAA privacy regulations point out that the patient can’t authorize the disclosure and it may be difficult for a health care organization to determine the identity of a patient’s personal representative and get the representative’s authorization for the disclosure. Permitting disclosures allows law enforcement officials to begin their investigation into the death more rapidly and increases the likelihood of a resolution to the cause of death, according to the comments to the HIPAA privacy regulations.

Example: Patient A is admitted to XYZ Hospital with multiple, suspicious bruises, and dies. The hospital suspects that the patient was beaten to death. XYZ Hospital may disclose Patient A’s PHI to law enforcement officials.

Rule #8: If Your Organization Suspects that a Crime Has Been Committed at Its Facility, It Needn’t Get the Patient’s Authorization to Disclose PHI that It Believes Is Evidence of the Crime

If your health care organization suspects that a crime has been committed on its premises, it doesn’t need to get a patient’s authorization to disclose the patient’s PHI that it believes, in good faith, is evidence of the crime. If it’s later determined that your organization was wrong in its belief that the PHI was evidence of a crime, it wouldn’t be subject to sanctions under the HIPAA privacy regulations, according to the comments to the regulations.

Example: XYZ Pharmacy believes that Patient A’s prescription was altered, in violation of state law. The pharmacy reports the suspected crime to law enforcement and discloses Patient A’s PHI. XYZ Pharmacy needn’t get Patient A’s authorization before making the disclosure. If XYZ Pharmacy was wrong in its belief that the PHI was evidence of a crime, it wouldn’t be subject to sanctions under the privacy regulations.

Rule #9: If Your Organization Delivers Off-Site Emergency Services, It Needn’t Get a Patient’s Authorization to Disclose PHI to Report a Crime, if Certain Conditions Are Met

Suppose your health care organization provides emergency medical care away from its facility (say, your hospital’s paramedics treat victims at an accident scene). It may disclose PHI related to that treatment to law enforcement officials without getting any authorizations. But it may do so only if the disclosure appears necessary to alert law enforcement to:

■ The commission and nature of a crime;
■ The location of a crime or its victim; and
■ The identity, description, and location of the suspect.

Health care providers (like emergency medical technicians) who respond to medical emergencies generally arrive before police, firefighters, and other emergency personnel. This puts them in the best position to alert law enforcement about criminal activities, according to the comments to the HIPAA privacy regulations. For example, emergency personnel may be the first persons aware that a patient has been the victim of a beating or murder. They may also be in a position to report information that may immediately contribute to the perpetrator’s capture.

Example: XYZ Hospital sends a team of paramedics to a house fire. At the scene, they begin treating a patient with burns to his right arm. The patient hears police sirens and runs away. When the police arrive, the paramedics may tell police that they treated a possible witness to the fire with burns to the right arm and that the person ran away. They may also give a description of the person to the police.

The HIPAA privacy regulations have special rules for treating victims of abuse, neglect, or domestic violence. If your organization believes that the medical emergency is the result of abuse, neglect, or domestic violence of the person in need of emergency medical care, it must follow the conditions set out in Rule #10, below.

Trainer Says: Nothing in the privacy regulations requires your organization to disclose PHI to law enforcement when responding to a medical emergency. Instead, such disclosures are discretionary and subject to applicable ethical standards and state laws.

Rule #10: Your Organization May Disclose the PHI of a Victim of Abuse, Neglect, or Domestic Violence, Under Certain Conditions

If your organization believes that a patient is or may be the victim of abuse, neglect, or domestic violence, it may disclose her PHI to a government agency (including a law enforcement agency) that’s authorized by law to receive reports of abuse, neglect, or domestic violence. But disclosure is allowed only if one of the following conditions is met:

■ The disclosure is required by law;
■ The patient has agreed to the disclosure;
■ The health care organization is authorized by law to disclose a victim’s PHI and the disclosure is necessary to prevent serious harm to someone; or
■ The health care organization is authorized by law to disclose a victim’s PHI, and the law enforcement agency states both that the PHI won’t be used against the patient and that law enforcement activity would be significantly hindered by waiting to get the patient’s consent.

If your organization makes a disclosure of a patient’s PHI to law enforcement, it must promptly inform the patient (either orally or in writing) that the disclosure was made, unless:

■ Informing the patient would place the patient at risk of serious harm. According to the comments to the HIPAA privacy regulations, this exception is necessary to address the potential for future harm, either physical or emotional, that the patient may face from knowing that a report has been made to law enforcement officials; or
■ The health care organization would be informing the patient’s personal representative who’s responsible for the abuse, neglect, or domestic violence.


Rule #11: If a Patient Is in a Correctional Facility or Custody of a Law Enforcement Official, Your Organization May Disclose the Patient’s PHI to the Facility or Official Without the Patient’s Authorization, if Certain Conditions Are Met

If a patient is an inmate in a correctional facility or in the custody of a law enforcement official, your organization needn’t get the patient’s authorization to disclose his PHI to that facility or the official having custody. But disclosure of the patient’s PHI is allowed only if the PHI is necessary for one of the following reasons:

■ To provide health care to the patient;
■ To protect the health and safety of the patient or other inmates;
■ To protect the health and safety of officers, employees, or others at the correctional facility;
■ To protect the health and safety of the patient or persons responsible for transporting inmates;
■ To promote law enforcement on the premises of the correctional facility; or
■ To maintain and administer safety, security, and good order in the correctional facility.

The HIPAA privacy regulations say that a health care organization may reasonably rely on the oral or written statement of public officials (including law enforcement officials) that disclosure of the patient’s PHI is necessary for these purposes.

Example: Patient A is hurt while committing a crime. She’s placed in police custody and is taken to XYZ Hospital for treatment. When Patient A leaves the hospital, a police officer asks the hospital about her follow-up care. XYZ Hospital may disclose to the officer the PHI necessary to provide health care to the patient (say, information about any medications the patient needs to take and any drug interactions to watch for).

Rule #12: Your Organization Must Verify a Law Enforcement Official’s Identity

If a law enforcement official shows up at your organization requesting a patient’s PHI, you must verify that the person requesting it is a legitimate law enforcement official. The HIPAA privacy regulations allow you to rely on the following items to verify an official’s identity if the request is made in person:

■ A law enforcement agency identification badge;
■ Other official credentials (say, a photo ID issued by a law enforcement agency); or
■ Other proof of government status (say, a document on the agency’s letterhead).

Example: To head off an imminent threat to the health or safety of a person or the public, a federal agent asks XYZ Hospital for Patient A’s PHI. Before disclosing Patient A’s PHI, XYZ verifies the agent’s identity by asking to see his badge.

If the request is made in writing, the regulations allow you to rely on the following items to verify the identity of the law enforcement official:

■ A request made on the appropriate government letterhead (say, a request made on the letterhead of the local police department);
■ A written statement on the appropriate government letterhead that the person making the request is acting under the government’s authority (say, a private investigator hired by a county health department to investigate an alleged crime); or
■ Other evidence or documentation that confirms that the person is acting on behalf of a law enforcement agency (say, a contract for services).

Example: The state hires ABC Inc. to visit XYZ Pharmacy to go through its patient records and document evidence of prescription fraud. Before letting ABC Inc. see its patients’ records, XYZ Pharmacy verifies ABC Inc.’s identity by asking for a copy of the contract between ABC Inc. and the state.

Trainer Says: Your organization should tell you to document a law enforcement official’s identification and how it wants you to do this. One method is to write down for your organization’s records the name, title, division, badge number, address, and telephone number of each official, health care attorney A. James Johnston suggests.

Rule #13: Your Organization Must Verify a Law Enforcement Official’s Authority

The HIPAA privacy regulations also require you to verify the law enforcement official’s authority to request a patient’s PHI. The regulations allow you to rely on the following items to verify an official’s authority to have access to PHI when the official doesn’t have a warrant, subpoena, or other legal document issued by a grand jury or a judicial or administrative tribunal:

■ A written statement provided on a government agency letterhead that describes the legal authority under which the PHI is requested (say, to conduct intelligence activities under the National Security Act); or
■ If a written statement is impracticable (say, in an emergency), an oral statement describing the official’s legal authority.

For example, police are searching for a bank robber who was shot during a holdup. Soon after the robbery, Patient A shows up at XYZ Hospital for treatment of a gunshot wound. A police officer tells XYZ Hospital that he’s looking for a bank robber who was shot at the scene of the crime and asks XYZ Hospital if it has treated any gunshot victims since the robbery. XYZ Hospital isn’t required to demand written proof that the officer requesting the PHI is legally authorized to see Patient A’s PHI before it can disclose the PHI to the officer, according to the regulations’ preamble.

Rule #14: In General, Your Organization Must Account for Disclosures of a Patient’s PHI Made in Response to a Law Enforcement Request

In general, if a patient asks your organization for a written accounting of disclosures of his PHI, the accounting must include disclosures that your organization or its business associates make to law enforcement officials.

Example: Patient A is unconscious when she arrives by ambulance at XYZ Hospital’s emergency department. The hospital believes that the patient is a victim of domestic violence. State law allows a health care provider to report suspected cases of abuse to the appropriate law enforcement agency without getting the patient’s authorization to do so. XYZ Hospital uses its discretion to report the abuse to the local police department. A few months later, the patient asks XYZ Hospital for an accounting of all her PHI disclosed in the past two years. XYZ Hospital’s accounting to her must include its disclosure to the local police department of its suspicions that she was abused.

But a health care organization doesn’t have to account for all disclosures it or its business associates make of a patient’s PHI at the request of a law enforcement official. The HIPAA privacy regulations set out several exceptions (see Rules #15 and #16, below). They also set out certain situations in which an organization must temporarily suspend a patient’s right to get an accounting of certain disclosures (see Rule #17, below).

AT A GLANCE

17 Rules for Disclosing PHI to Law Enforcement Officials Who Don’t Have a Court Order, Subpoena, or Warrant

1. Your Organization May Disclose PHI to Law Enforcement Officials Without the Patient’s Authorization When Your State or Other Law Requires It to Do So
2. If State or Other Law Permits, but Doesn’t Require, Your Organization to Disclose PHI to Law Enforcement Officials, You Must Get the Patient’s Authorization to Do So
3. Except in Certain Circumstances, if the Patient Is a Crime Victim, Your Organization Must Get the Patient’s Permission to Disclose Her PHI in Response to a Law Enforcement Request
4. In an Emergency or When the Patient Is Incapacitated, Your Organization May Disclose the PHI of a Patient Who’s a Crime Victim to Law Enforcement Without the Patient’s Authorization, if Certain Conditions Are Met
5. Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI in Response to a Request from Law Enforcement to Identify or Locate a Suspect, Fugitive, Witness, or Missing Person
6. Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI to Law Enforcement Officials to Avoid a Serious Threat to the Health or Safety of a Person or the Public
7. If Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity, It Needn’t Get Authorization from the Patient’s Representative to Disclose PHI to Law Enforcement Officials
8. If Your Organization Suspects that a Crime Has Been Committed at Its Facility, It Needn’t Get the Patient’s Authorization to Disclose PHI that It Believes Is Evidence of the Crime
9. If Your Organization Delivers Off-Site Emergency Services, It Needn’t Get a Patient’s Authorization to Disclose PHI to Report a Crime, if Certain Conditions Are Met
10. Your Organization May Disclose the PHI of a Victim of Abuse, Neglect, or Domestic Violence, Under Certain Conditions
11. If a Patient Is in a Correctional Facility or Custody of a Law Enforcement Official, Your Organization May Disclose the Patient’s PHI to the Facility or Official Without the Patient’s Authorization, if Certain Conditions Are Met
12. Your Organization Must Verify a Law Enforcement Official’s Identity
13. Your Organization Must Verify a Law Enforcement Official’s Authority
14. In General, Your Organization Must Account for Disclosures of a Patient’s PHI Made in Response to a Law Enforcement Request
15. Your Organization Doesn’t Have to Account for PHI Disclosures It Makes to Authorized Federal Officials for Intelligence or National Security Purposes
16. Your Organization Doesn’t Have to Account for PHI Disclosures It Makes to Correctional Institutions or Law Enforcement Officials, in Certain Custodial Situations
17. Your Organization Must Temporarily Suspend a Patient’s Right to Get an Accounting of PHI Disclosures to a Law Enforcement Official if the Official Asks Your Organization to Do So

Rule #15: Your Organization Doesn’t Have to Account for PHI Disclosures It Makes to Authorized Federal Officials for Intelligence or National Security Purposes

A patient’s right to get an accounting of disclosures of his PHI doesn’t include disclosures made to authorized federal officials for intelligence and national security purposes. So your organization doesn’t have to account for these disclosures. They include disclosures made to federal law enforcement officials (say, FBI agents), as well as to any other federal official authorized by law to carry out national security and intelligence functions.

Example: A federal agent goes to XYZ Hospital and asks to see Patient A’s PHI. The agent states that the PHI is needed for intelligence or national security purposes. The hospital then discloses the patient’s PHI to the agent. A short time later, the patient requests an accounting of the hospital’s disclosures of his PHI. XYZ Hospital doesn’t have to include the disclosure to the federal agent in the accounting.

Your organization should keep track of such disclosures, even if it doesn’t have to give an accounting to the patient, advises health care attorney Gretchen McBeath.

Rule #16: Your Organization Doesn’t Have to Account for PHI Disclosures It Makes to Correctional Institutions or Law Enforcement Officials, in Certain Custodial Situations

If a patient is an inmate in a correctional facility or in the custody of a law enforcement official, your organization doesn’t have to account for disclosures of the patient’s PHI to that facility or official having custody. This is so if the disclosure is necessary for:
■ The provision of health care to the patient;
■ The health and safety of the patient or other inmates;
■ The health and safety of officers, employees, or others at the correctional facility;
■ The health and safety of the patient or persons responsible for transporting inmates;
■ Law enforcement on the premises of the correctional facility; or
■ The administration and maintenance of the safety, security, and good order of the correctional facility.

Example: Patient A is treated at XYZ Hospital and is discharged into police custody. Before leaving XYZ Hospital, Dr. X tells the police officer assigned to transport Patient A that the patient has a concussion and must be watched for the next 24 hours. If Patient A requests an accounting of PHI disclosures, XYZ Hospital doesn’t have to account for this disclosure to the police officer.

Rule #17: Your Organization Must Temporarily Suspend a Patient’s Right to Get an Accounting of PHI Disclosures to a Law Enforcement Official if the Official Asks Your Organization to Do So

If a law enforcement official requests it, your organization must temporarily suspend a patient’s right to get an accounting of disclosures made to that official or agency. A law enforcement official’s request to temporarily suspend a patient’s right to an accounting of disclosures to it can be oral or written.

If the request is written, the official must state that an accounting to the patient would be reasonably likely to impede the law enforcement agency’s activities. It must also specify the time for which the suspension is required.

If the official makes an oral request for a temporary suspension, your organization must:
■ Document the request, including the identity of the official or agency making the statement;
■ Temporarily suspend the patient’s right to an accounting of disclosures, subject to the request; and
■ Limit the temporary suspension to no longer than 30 days from the date of the oral statement unless a written request is submitted during that time.

Your organization should spell out policies and procedures for you to follow on the handling of temporary suspensions.

TRAINER RESOURCES
Kelly T. Hagan, Esq.: Schwabe, Williamson & Wyatt, PC, 1211 SW 5th Ave., Ste. 1800, Portland, OR 97204; [email protected].
A. James Johnston, Esq.: Post & Schell, PC, 1800 JFK Blvd., 19th Fl., Philadelphia, PA 19103; [email protected].
Gretchen McBeath, Esq.: Bricker & Eckler LLP, 100 S. 3rd St., Columbus, OH 43215.
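Rules #14 through #17 together describe a filter a records system has to apply whenever a patient asks for an accounting: list law enforcement disclosures, leave out the intelligence/national security and custodial ones, and withhold disclosures to an agency that has asked for a temporary suspension, with an oral request lapsing after 30 days unless a written one follows. The following is an added illustration of that logic in Python, not code from this newsletter, HCPro, or any real records system; the purpose codes, data model, agency names, dates and records are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical purpose codes a records system might stamp on each disclosure.
LAW_ENFORCEMENT = "law_enforcement"      # Rule #14: must appear in the accounting
NATIONAL_SECURITY = "national_security"  # Rule #15: excluded from the accounting
CUSTODIAL = "custodial"                  # Rule #16: excluded from the accounting
ORAL_SUSPENSION_LIMIT = timedelta(days=30)  # Rule #17: an oral request holds at most 30 days

@dataclass
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str    # agency or official that received the PHI
    purpose: str
    description: str

@dataclass
class SuspensionRequest:
    """A law enforcement request to keep disclosures to `agency` out of the accounting."""
    patient_id: str
    agency: str
    requested_on: date
    written: bool
    official: str                     # who made the request (must be documented either way)
    impedes_activities: bool = False  # a written request must say an accounting would impede the agency
    until: Optional[date] = None      # a written request must specify the suspension period

def validate(req: SuspensionRequest) -> None:
    """Reject a request that lacks what Rule #17 says it must contain."""
    if not req.official:
        raise ValueError("document the identity of the official or agency making the request")
    if req.written and not (req.impedes_activities and req.until):
        raise ValueError("a written request must state the impediment and the suspension period")

def suspension_end(req: SuspensionRequest) -> date:
    """Last day of the suspension this single request supports."""
    validate(req)
    if req.written:
        return req.until
    # An oral request holds the suspension for at most 30 days; a written request
    # filed inside that window is its own record and carries the suspension onward.
    return req.requested_on + ORAL_SUSPENSION_LIMIT

def is_suspended(requests: List[SuspensionRequest], patient_id: str, agency: str, as_of: date) -> bool:
    """True if, on `as_of`, accounting of disclosures to `agency` is suspended for this patient."""
    return any(r.patient_id == patient_id and r.agency == agency
               and r.requested_on <= as_of <= suspension_end(r) for r in requests)

def accounting(disclosures: List[Disclosure], requests: List[SuspensionRequest],
               patient_id: str, since: date, as_of: date
               ) -> Tuple[List[Disclosure], List[Tuple[Disclosure, str]]]:
    """Split the patient's disclosures into those the accounting lists and those withheld (with why)."""
    listed, withheld = [], []
    for d in disclosures:
        if d.patient_id != patient_id or not (since <= d.disclosed_on <= as_of):
            continue
        if d.purpose in (NATIONAL_SECURITY, CUSTODIAL):
            withheld.append((d, "not subject to accounting (Rules #15-#16)"))
        elif is_suspended(requests, patient_id, d.recipient, as_of):
            withheld.append((d, "temporarily suspended at the agency's request (Rule #17)"))
        else:
            listed.append(d)
    return listed, withheld

# Constructed sample records that mirror this session's examples.
DISCLOSURES = [
    Disclosure("A", date(2004, 3, 2), "Local Police Dept", LAW_ENFORCEMENT,
               "report of suspected domestic violence"),
    Disclosure("A", date(2004, 5, 10), "Federal agent", NATIONAL_SECURITY,
               "PHI requested for intelligence or national security purposes"),
    Disclosure("A", date(2004, 6, 15), "Transport officer", CUSTODIAL,
               "concussion; patient must be watched for 24 hours"),
    Disclosure("A", date(2004, 8, 1), "County Sheriff", LAW_ENFORCEMENT,
               "date and time of treatment, type of injury"),
]
# Oral request documented on Aug 5: holds the suspension no later than Sep 4.
REQUESTS = [SuspensionRequest("A", "County Sheriff", date(2004, 8, 5), written=False,
                              official="Detective, County Sheriff (badge number logged)")]
# Written request filed inside the 30-day window, stating the period it needs.
WRITTEN_FOLLOWUP = SuspensionRequest("A", "County Sheriff", date(2004, 8, 25), written=True,
                                     official="County Sheriff (letterhead on file)",
                                     impedes_activities=True, until=date(2004, 12, 31))

def report(patient_id: str, since_iso: str, as_of_iso: str,
           requests: List[SuspensionRequest] = REQUESTS):
    """Convenience wrapper: ISO date strings in, recipient names (plus withholding reasons) out."""
    listed, withheld = accounting(DISCLOSURES, requests, patient_id,
                                  date.fromisoformat(since_iso), date.fromisoformat(as_of_iso))
    return [d.recipient for d in listed], [(d.recipient, why) for d, why in withheld]
```

Run `report("A", "2004-01-01", "2004-08-20")` and only the police report is listed: the national security and custodial disclosures are excluded outright, and the sheriff’s disclosure is withheld under the oral suspension. Ask again on 2004-09-10 and the sheriff’s disclosure reappears, because the oral request lapsed after 30 days; pass `REQUESTS + [WRITTEN_FOLLOWUP]` and it stays withheld through the period the written request specifies. Two practical points the code makes visible: the withheld list is kept internally (Gretchen McBeath’s advice to track even what you need not disclose), and a written request missing either its impediment statement or its time period is rejected rather than silently honored.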


TRAINER’S QUIZ We’ve given you an overview of how a health care organization may disclose PHI to law enforcement officials who don’t have a court order, subpoena, or warrant. Now let’s see if you can apply these 17 rules to real-life situations that health care organizations like yours are likely to encounter. The TRAINER’s Quiz, below, will give you an opportunity to test your knowledge. Take it, and see how well you do. INSTRUCTIONS: Analyze the questions below according to the 17 rules for disclosing PHI to law enforcement officials who don’t have a court order, subpoena, or warrant. Circle the answer you think is right. The correct answers (with explanations) appear after the quiz. Good luck!

QUESTION #1
The local evening news displays a photo of a suspected bank robber and asks the public’s help in capturing the suspect. Nurse X recognizes the photo as Patient A. She calls the local police department to say that Patient A resembles the photo. She also tells the police that Patient A was treated at the hospital earlier that day and was later admitted to the facility. True or false: The HIPAA privacy regulations require Nurse X to get the patient’s authorization before disclosing his PHI to the local police department.
a. True.
b. False.

QUESTION #2
Patient A is hurt when her purse is snatched. She drives herself to XYZ Hospital for treatment of an open wound on her leg. Officer X, who’s investigating the purse snatching, asks XYZ Hospital to show him Patient A’s medical record. XYZ Hospital determines that Patient A’s wound isn’t an emergency treatment situation. True or false: The HIPAA privacy regulations require XYZ Hospital to get Patient A’s permission before disclosing her PHI to Officer X.
a. True.
b. False.

QUESTION #3
Patient A is treated at XYZ Hospital for a dog bite. State law requires health care organizations to report all injuries from dog bites. A local animal enforcement officer asks XYZ Hospital for Patient A’s PHI. True or false: The HIPAA privacy regulations require XYZ Hospital to get Patient A’s authorization before disclosing her PHI to the animal enforcement officer.
a. True.
b. False.

QUESTION #4
Patient A spills hot tea and burns her hand. She’s treated at XYZ Hospital and released. State law permits, but doesn’t require, health care organizations to report all burn injuries. True or false: The HIPAA privacy regulations require XYZ Hospital to get Patient A’s authorization before disclosing her PHI to local law enforcement officials.
a. True.
b. False.

QUESTION #5
Patient A is brought to XYZ Hospital’s emergency room by his girlfriend and later dies. XYZ Hospital believes the death was the result of a drug overdose. So it alerts the local police department’s narcotics squad to Patient A’s death. True or false: The HIPAA privacy regulations require XYZ Hospital to get authorization from Patient A’s personal representative before it can disclose his PHI to the narcotics squad.
a. True.
b. False.


TRAINER’S ANSWERS & EXPLANATIONS

QUESTION #1
Correct answer: b
Reason: Rule #5 applies here.
Rule #5: Your Organization Needn’t Get the Patient’s Authorization to Disclose Limited PHI in Response to a Request from Law Enforcement to Identify or Locate a Suspect, Fugitive, Witness, or Missing Person
The HIPAA privacy regulations let a health care organization disclose limited PHI about a patient to a law enforcement official in response to a request from law enforcement to identify or locate a suspect. A request by law enforcement officials includes a media broadcast (like the evening news, here) asking for the public’s assistance in identifying a suspect (like Patient A, here). So Nurse X wasn’t required to get Patient A’s authorization before disclosing his PHI to the local police department in response to the broadcast.
Wrong answer explained: a. As explained above, a health care provider (like Nurse X, here) may disclose limited PHI about a patient to a law enforcement official in response to a media broadcast for the public’s assistance in identifying a suspected criminal.

QUESTION #2
Correct answer: a
Reason: Rule #3 applies here.
Rule #3: Except in Certain Circumstances, if the Patient Is a Crime Victim, Your Organization Must Get the Patient’s Permission to Disclose Her PHI in Response to a Law Enforcement Request
A health care organization must get a crime victim’s permission (either orally or in writing) to disclose her PHI in response to a law enforcement request for the patient’s PHI, except in certain emergency situations or when the patient is incapacitated.
Wrong answer explained: b. As explained above, a health care organization (like XYZ Hospital, here) needs a crime victim’s permission to disclose her PHI to a law enforcement official.

QUESTION #3
Correct answer: b
Reason: Rule #1 applies here.
Rule #1: Your Organization May Disclose PHI to Law Enforcement Officials Without the Patient’s Authorization When Your State or Other Law Requires It to Do So
Because state law requires health care organizations to report dog bite injuries, XYZ Hospital may disclose Patient A’s PHI to the animal enforcement officer without getting the patient’s authorization to do so.
Wrong answer explained: a. As explained above, a health care organization (like XYZ Hospital, here) may disclose a patient’s PHI to a law enforcement official (like the animal enforcement officer, here) when required by state law to do so.

QUESTION #4
Correct answer: a
Reason: Rule #2 applies here.
Rule #2: If State or Other Law Permits, but Doesn’t Require, Your Organization to Disclose PHI to Law Enforcement Officials, You Must Get the Patient’s Authorization to Do So
Because the state permits, but doesn’t require, health care organizations to report burn injuries, XYZ Hospital may not disclose Patient A’s PHI to law enforcement officials without getting the patient’s authorization to do so.
Wrong answer explained: b. As explained above, a health care organization (like XYZ Hospital, here) may not disclose a patient’s PHI to a law enforcement official without the patient’s authorization when state law merely permits, but doesn’t require, the disclosure.

QUESTION #5
Correct answer: b
Reason: Rule #7 applies here.
Rule #7: If Your Organization Suspects that a Patient’s Death Resulted from Criminal Activity, It Needn’t Get Authorization from the Patient’s Representative to Disclose PHI to Law Enforcement Officials
Because XYZ Hospital suspects that Patient A’s death may have resulted from criminal activity (like the drug overdose, here), it may disclose his PHI to law enforcement officials (like the narcotics squad, here) for the purpose of alerting the officials to the patient’s death. XYZ Hospital needn’t get an authorization from the deceased patient’s personal representative to do so.
Wrong answer explained: a. As explained above, a health care organization (like XYZ Hospital, here) that suspects that a patient’s death may have been caused by criminal activity may disclose the patient’s PHI to alert law enforcement officials to the patient’s death.
