Wisconsin Lawyer
Vol. 82, No. 7, July 2009
Basic Exceptions
There are basic permitted exceptions to the rule that protected health information (PHI) must not be disclosed. Among the common exceptions, PHI may be disclosed:
- to the individual;
- to comply with a valid authorization;1
- in emergency situations and for disaster relief, when disclosure may be made whether or not the individual is present if it is in the individual’s best interest;2 and
- when disclosure or use is made by law with no authorization.3 Examples of the federal law-permitted disclosures or uses under this section are for public health information, child abuse or neglect situations, injury or disease reporting, communicable disease exceptions, and domestic violence incidents.
Standards for Disclosure for Law Enforcement Purposes
What are the “uses and disclosures for which an authorization or opportunity to agree or object is not required?” Specifically, what are the standards for disclosures for law enforcement purposes?4 Under HIPAA, a covered entity may disclose PHI if:
- required by law, including laws for reporting of certain types of wounds or physical injuries; or
- to comply with a court order or a subpoena issued by a judicial officer.5
In either of the above two instances, however, the information must be relevant to a legitimate law enforcement inquiry, the request must be specific, and deidentified information could not be used.6
In addition, a covered entity may disclose PHI if:
- the identification is needed to locate a fugitive or suspect, but, in this case, only identifying information may be disclosed, not any PHI;7
- the case involves crime victims or deceased individuals or the crime was committed on medical premises;8
- a covered health-care provider provides emergency health care in response to a medical emergency, in which case it may disclose PHI to a law enforcement official if the disclosure appears necessary to alert law enforcement to the commission and nature of a crime, the location of the victims, and identity of the perpetrator;9
- disclosure is required to avert a serious threat to health or safety, in which case a covered entity may, consistent with standards of ethical conduct, disclose PHI if the entity has a good-faith belief that disclosure is necessary for law enforcement to apprehend an individual (a) because an individual made a statement admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim, or (b) when an individual has escaped from custody;10 or
- the purpose is to notify family members or authorized persons as to the individual’s condition or death.11
Consent
The federal legal standard is that a covered health-care provider must obtain the individual’s consent before using or disclosing PHI to carry out treatment, payment, or health-care operations.12 In an emergency, the health-care provider must attempt to obtain such consent as soon as reasonably practicable after the treatment is delivered.
Disclosures to Law Enforcement13
If law enforcement officials request information to identify and locate a missing person, suspect, fugitive, or material witness, then the covered entity may disclose only the following information:
- the person’s name, address, date and place of birth, and Social Security number;
- the person’s ABO blood type and rh factor and the type of injury;
- the date and time of the person’s treatment or death; and
- descriptors of the person’s height, weight, gender, race, hair, eye color, facial hair, and tattoos.
Exceptions to this section include requests for DNA, dental records, and body fluid and tissue samples.14 [Note: If law enforcement officials require any of these samples, they must obtain a court order, subpoena, or summons.]
The law includes other provisions relating to crime victims and persons suspected of committing crimes.
Reporting Crime in an Emergency
Another major area of permitted disclosure is that of reporting a crime in an emergency. The law provides that a covered health-care provider providing emergency health care in response to a medical emergency may disclose PHI to a law enforcement official if the disclosure appears necessary to alert law enforcement to the:
- commission and nature of a crime;
- location of the crime or of the victim(s) of the crime; or
- identity, description, and location of the suspected perpetrator of the crime.15
One of the more important disclosures occurs when a covered entity deems it necessary to avert a serious threat to health or safety. The legal standard is that a covered entity may, consistent with law and ethical conduct, disclose PHI if the covered entity in good faith believes the use or disclosure is necessary:
- to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (as regards a person, the covered entity must be reasonably able to prevent the threat), or
- for law enforcement to identify or apprehend a person.
In either of these events there is a limit on the amount of PHI that can be provided.
Endnotes