[Please label comments about this section with the subject: “Law enforcement”]
In § 164.510(f), we propose to permit covered entities to disclose protected health information without individual authorization to a law enforcement official conducting a law enforcement inquiry authorized by law if the request for protected health information is made pursuant to a judicial or administrative process, as described below. Similarly, we propose to permit covered entities to disclose protected health information to a law enforcement official without individual authorization for the conduct of lawful intelligence activities. We also propose to permit covered entities to disclose protected health information to a law enforcement official about the victim of a crime, abuse or other harm, if the information is needed to determine both whether a violation of law by a person other than the victim has occurred and whether an immediate law enforcement activity might be necessary. We would further permit such disclosure for the purpose of identifying a suspect, fugitive, material witness, or missing person, if the covered entity discloses only limited identifying information. Finally, we would permit disclosure of protected health information by a health plan or a health care provider without individual authorization to law enforcement officials if the plan or provider believed in good faith that the disclosed protected health information would constitute evidence of criminal conduct that constitutes health care fraud, occurred on the premises of the covered entity, or was witnessed by an employee of the covered entity.
Law enforcement officials need protected health information for their investigations in a variety of circumstances. Health information about a victim of a crime may be needed to investigate the crime, or to allow prosecutors to determine the proper charge. For some crimes, the severity of the victim's injuries will determine what charge should be brought against a suspect. The medical condition of a defendant could also be relevant to whether a crime was committed, or to the seriousness of a crime. The medical condition of a witness could be relevant to the reliability of that witness. Medical, billing, accounting or other documentary records in the possession of a covered entity can be important evidence relevant to criminal fraud or conspiracy investigations. Nor is this list of important uses by law enforcement exhaustive.
In many cases, the law enforcement official will obtain such evidence through legal process, such as judicially executed warrant, an administrative subpoena, or a grand jury subpoena. In other circumstances, time constraints preclude use of such process. For example, health information may be needed when a law enforcement official is attempting to apprehend an armed suspect who is rapidly fleeing. Health information may be needed from emergency rooms to locate a fleeing prison escapee or criminal suspect who was injured and is believed to have stopped to seek medical care.
Protected health information could be sought as part of a law enforcement investigation, to determine whether and who committed a crime, or it could be sought in conjunction with the trial to be presented as evidence. These uses of medical information are clearly in the public interest. Requiring the authorization of the subject prior to disclosure could impede important law enforcement activities by making apprehension and conviction of some criminals difficult or impossible.
As described above, this proposed rule seeks to respond appropriately to new risks to privacy that could emerge as the form of medical records changes in coming years. The administrative simplification mandated by HIPAA will lead to far greater exchanges of individually identifiable health information among covered entities in the future, increasingly in electronic form. If a misperception were to develop that law enforcement had instant and pervasive access to medical records, the goals of this proposed regulation could be undermined. For instance, individuals might become reluctant to seek needed care or might report inaccurately to providers to avoid revealing potentially embarrassing or incriminating information. In addition, popular concerns about government access to sensitive medical records might impede otherwise achievable progress toward administrative simplification. We believe that the proposed prophylactic and administrative rules governing disclosure to law enforcement officials, as described below, are justified in order to avoid these harms in the future.
In § 164.510(f), we propose to permit covered entities to disclose protected health information to law enforcement officials conducting or supervising a law enforcement inquiry or proceeding authorized by law if the request for protected health information is made:
In drafting the proposed rule, we have attempted to match the level of procedural protection for privacy with the nature of the law enforcement need for access. Therefore, access for law enforcement under this rule would be easier where other rules would impose procedural protections, such as where access is granted after review by an independent judicial officer. Access would also be easier in an emergency situation or where only limited identifying information would be provided. By contrast, this rule proposes stricter standards for administrative requests, where other rules could not impose appropriate procedural protections.
Under the first part of this proposal, we would authorize disclosure of protected health information pursuant to a request that has been reviewed by a judicial officer. Examples of such requests include State or federal warrants, subpoenas, or other orders signed by a judicial officer. Review by a judicial officer is significant procedural protection for the proper handling of individually identifiable health information. Where such review exists, we believe that it would be appropriate for covered entities to disclose individually identifiable health information pursuant to the order.
Under the second part of this proposal, we would authorize disclosure of protected health information pursuant to a State or federal grand jury subpoena. Information disclosed to a grand jury is covered by significant secrecy protections, such as under Federal Rule of Criminal Procedure 6(e) and similar State laws. Our understanding is that State grand juries have secrecy protections substantially as protective as the federal rule. We solicit comment on whether there are any State grand jury secrecy provisions that are not substantially as protective.
Under the third part of this proposal, we would set somewhat stricter standards than exist today for disclosure pursuant to administrative requests, such as an administrative subpoena or summons, civil investigative demand, or similar process authorized under law. These administrative actions do not have the same procedural protections as review by an independent judicial officer. They also do not have the grand jury secrecy protections that exist under federal and State law. For administrative requests, an individual law enforcement official can define the scope of the request, sometimes without any review by a superior, and present it to the covered entity. We propose, therefore, that a greater showing should be made for an administrative request before the covered entity would be permitted to release protected health information. We also believe that the somewhat stricter test for administrative requests would provide some reason for officials to choose to obtain protected health information through process that includes the protections offered by judicial review or grand jury secrecy.
We therefore propose that a covered entity could disclose protected health information pursuant to an administrative request, issued pursuant to a determination that: (i) the records sought are relevant and material to a legitimate law enforcement inquiry; (ii) the request is as specific and narrowly drawn as is reasonably practicable; and (iii) de- identified information could not reasonably be used to meet the purpose of the request.
Because our regulatory authority does not extend to law enforcement officials, we are seeking comment on how to create an administrable system for implementing this three-part test. We do not intend that this provision require a covered entity to second guess representations by an appropriate law enforcement official that the three part test has been met.
To verify that the three-part test has been met, we propose that a covered entity be permitted to disclose protected health information to an appropriate law enforcement official pursuant to a subpoena or other covered administrative request that on its face indicates that the three-part test has been met. In the alternative, where the face of the request does not indicate that the test has been met, a covered entity could disclose the information upon production of a separate document, signed by a law enforcement official, indicating that the three-part test has been met. Under either of these alternatives, disclosure of the information can also be made if the document applies any other standard that is as strict or stricter than the three-part test.
This approach would parallel the research provisions of proposed § 164.510(j). Under that section, disclosure would be authorized by a covered entity where the party seeking the records produces a document that states it has met the standards for the institutional review board process. We solicit comments on additional, administrable ways that a law enforcement official could demonstrate that the appropriate issuing authority has determined that the three-part test has been met.
We solicit comment on the burdens and benefits of the proposed three-part test for administrative requests. For covered entities, we are interested in comments on how burdensome it would be to determine whether the three-part test has been met, and we would explore suggestions for approaches that would be more easily administered. For law enforcement, we are interested in the potential impact that this approach might have on current law enforcement practices, and the extent to which law enforcement officials believe that their access to information critical to law enforcement investigations could be impaired. We solicit comment on the burden on law enforcement officials, compared to current practice, of writing the administrative requests. We would also like comments on whether there are any federal, State, or local laws that would create an impediment to application of this section, including the proposed three-part test. If there are such impediments, we would solicit comment on whether extending the effective date of this section could help to prevent difficulties. On the benefit side, we are interested in comments on the specific gains for privacy that would result from requiring law enforcement to comply with greater procedures than currently exist for gaining access to protected health information.
As the fourth part of this proposal, we address limited circumstances where the disclosure of health information by covered entities would not be made pursuant to lawful process such as judicial order, grand jury subpoena, or administrative request. In some cases law enforcement officials could seek limited but focused information needed to obtain a warrant. For example, a witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of to privacy would be outweighed by the public interest.
In such instances, we propose to permit covered entities to disclose "limited identifying information" for purposes of identifying a suspect, fugitive, material witness, or missing person. We would define “limited identifying information” as the name, address, social security number, date of birth, place of birth, type of injury, date and time of treatment, and date of death. Disclosure of any additional information would cause the covered entity to be out of compliance with this provision, and subject to sanction. The request for such information could be made orally or in writing. Requiring the request to be in writing could defeat the purposes of this provision. We solicit comment on whether the list of “limited identifying information” is appropriate, or whether additional identifiers, such as blood type, also should be permitted disclosures under this section. Alternatively, we solicit comment on whether any of the proposed items on the list are sufficiently sensitive to warrant a legal process requirement before they should be disclosed.
Under the fifth part of the proposal, we would clarify that the protected health information of the victim of a crime, abuse or other harm could be disclosed to a law enforcement official if the information is needed to determine both whether a violation of law by a person other than the victim has occurred and whether an immediate law enforcement activity might be necessary. There could be important public safety reasons for obtaining medical records or other protected health information quickly, perhaps before there would be time to get a judicial order, grand jury subpoena, or administrative order. In particular, where the crime was violent, information about the victim’s condition could be needed to present to a judge in a bond hearing in order to keep the suspect in custody while further evidence is sought. Information about the victim also could be important in making an appropriate charging decision. Rapid access to victims’ medical records could reduce the risk of additional violent crimes, such as in cases of spousal or child abuse or in situations where the protected health information could reveal evidence of the identity of someone who is engaged in ongoing criminal activities.
In some of these instances, release of protected health information would be authorized under other sections of this proposed regulation, pursuant to provisions for patient consent, health oversight, circumstances, or disclosure pursuant to mandatory reporting laws for gunshot wounds or abuse cases. (As discussed later in section II.I, our rule would not be construed to invalidate or limit the authority, powers or procedures established under any law that provides for reporting of injury, child abuse or death.) In addition, §164.510(k) addressing emergency circumstances would permit covered entities to disclose protected health information in instances where the disclosure could prevent imminent harm to the individuals or to the public. However, we propose to include this fifth provision for law enforcement access to ensure that immediate need for law enforcement access to information about a victim would be permitted under this rule.
Under the sixth part of this proposal, we seek to assure that this rule would not interfere with the conduct of lawful security functions in protection of the public interest, as defined by the Congress. Therefore, we would allow disclosure of protected health information for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947. Similarly, we would allow disclosure of protected health information for providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code. Where such disclosures are authorized by Federal or state law, we would not interfere with these important national security activities.
Under the final part of this proposal, we would permit covered entities that uncover evidence of health care fraud to disclose the protected health information that evidences such fraud to law enforcement officials without receiving a request from such officials. This provision would permit covered entities to make certain disclosures to law enforcement officials on their own initiative if the information disclosed constitutes evidence of criminal conduct that arises out of and is directly related to (i) the receipt of health care or payment for health care (including a fraudulent claim for health care) or (ii) qualification for or receipt of benefits, payments or services based on a fraudulent statement or material misrepresentation of the health of a patient. Similarly, we would permit covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that either occurred on the covered entity’s premises or was witnessed by an employee (or other workforce member) of the covered entity. In such situations, covered entities should be permitted to take appropriate steps to protect the integrity and safety of their operations or to assure that the such criminal conduct is properly prosecuted.
To be protected by this provision, the covered entity would have to have good faith belief that the disclosed protected health information was evidence of such conduct. If the covered entity disclosed protected health information in good faith but was wrong in its belief that the information evidenced a legal violation, the covered entity would not be subject to sanction under this regulation. We would not require the covered entity to accurately predict the outcome of a criminal investigation.
There also are situations where law enforcement officials would need access to information for emergency circumstances. In those cases, the disclosure could be made under §164.510(k), “Disclosure in emergency circumstances.”
Pursuant to §164.518(c), covered entities would have an obligation to verify the identity of the person seeking disclosure of protected health information and the legal authority behind the request. As described in section II.H.3. of this preamble, we would permit covered entities to rely on a badge or similar identification to confirm that the request for protected health information is being made by a law enforcement official. If the request is not made in person, we would permit the covered entity to rely on official letter head or similar proof.
Where the covered entity must verify that lawful process has been obtained, §164.518(c) would require the covered entity to review the document evidencing the order. The covered entity could not disclose more information than was authorized in the document.
Because the regulation applies to covered entities, and not to the law enforcement officials seeking the protected health information, the covered entity would not be in a position to determine with any certainty whether the underlying requirements for the process have been met. For instance, it may be difficult for the covered entity to determine whether the three-part test has been met for an administrative request. In light of this difficulty facing covered entities, the proposed rule would include a good faith provision. Under that provision, covered entities would not be liable under the rule for disclosure of protected health information to a law enforcement official where the covered entity or its business partners acted in a good faith belief that the disclosure was permitted under this title. We solicit comment on the extent to which this good faith provision would make the proposed rule less burdensome on covered entities and law enforcement officials. We also solicit comment on the extent to which the provision could undermine the effectiveness of the provision.
For requests for the conduct of intelligence activities or for protective services, covered entities would be required to verify the identity of the person or entity requesting the information, through a badge or other identification, or official letter head, as just described. If such verification of identity is obtained, covered entities would be permitted to reasonably rely on the representations of such persons that the request is for lawful national security or protective service activities and is authorized by law. Similarly, to disclose limited identifying information, covered entities would be required to obtain verification that the request comes from a law enforcement official, and would be permitted to reasonably rely on such official’s representation that the information is needed for the purpose of identifying a suspect, fugitive, material witness, or missing person and is authorized by law.
This section is not intended to limit or preclude a covered entity from asserting any lawful defense or otherwise contesting the nature or scope of the process when the procedural rules governing the proceeding so allow, although it is not intended to create a basis for appealing to federal court concerning a request by state law enforcement officials. Each covered entity would continue to have available legal procedures applicable in the appropriate jurisdiction to contest such requests where warranted. This proposed rule would not create any new affirmative requirement for disclosure of protected health information. Similarly, this section is not intended to limit a covered entity from disclosing protected health information for law enforcement purposes where other sections of the rule permit such disclosure, e.g., as permitted by § 164.510 under emergency circumstances, for oversight or public health activities, to coroners or medical examiners, and in other circumstances permitted by the rule.
In obtaining protected health information, law enforcement officials would have to comply with whatever other law was applicable. In certain circumstances, while this subsection could authorize a covered entity to disclose protected health information to law enforcement officials, there could be additional applicable statutes that further govern the specific disclosure. If the preemption provisions of this regulation do not apply, the covered entity must comply with the requirements or limitations established by such other law, regulation or judicial precedent. See proposed §§ 160.201 through 160.204. For example, if State law would permit disclosure only after compulsory process with court review, a provider or payer would not be allowed to disclose information to state law enforcement officials unless the officials had complied with that requirement. Similarly, disclosure of substance abuse patient records subject to, 42 U.S.C. 290dd-2, and the implementing regulations, 42 CFR part 2, would continue to be governed by those provisions.
In some instances, disclosure of protected health information to law enforcement officials would be compelled by other law, for example, by compulsory judicial process or compulsory reporting laws (such as laws requiring reporting of wounds from violent crimes, suspected child abuse, or suspected theft of prescription controlled substances). Disclosure of protected health information under such other mandatory law would be permitted under proposed § 164.510(n).
In developing our proposal, we considered permitting covered entities to disclose protected health information pursuant to any request made by a law enforcement official, rather than requiring some form of legal process or narrowly defined other circumstances. We rejected this option because we believe that in most instances some form of review should be required. Individuals’ expectation of privacy with respect to their health information is sufficiently strong to require some form of process prior to disclosure to the government. At the same time, we recognize that the public interest would not be served by requiring such formal process in every instance. Under our proposal, therefore, law enforcement could obtain certain identifying information in order to identify suspects and witnesses, and could obtain information for national security or protective services activities or in emergency circumstances. Similarly, we would not require process before a law enforcement official could obtain information about the victim of a crime, where the information is necessary as the basis for immediate action. In addition, in seeking an appropriate balance between public safety and individuals' expectation of privacy, we are proposing that covered entities not be subject to enforcement under this regulation if they disclose protected health information to law enforcement officials in a good faith belief that the disclosure was permitted under this title.
We solicit comment on what additional steps, if any, are appropriate for allowing law enforcement access to protected health information. We are interested in comments concerning situations where needed access to protected health information would not be available under these or other provisions of this proposed rule. We also seek comment on specific privacy or other concerns that would apply if the final regulation included provision for law enforcement access to protected health information without requiring a judicial order, grand jury subpoena, or administrative request, under such additional defined circumstances
In some of these instances, release of protected health information would be authorized under the proposed regulation pursuant to provisions for patient consent, health oversight, emergency circumstances, or under mandatory reporting laws for gunshot wounds or abuse cases. We are interested in comments concerning situations where needed access to protected health information would not be available under these or other provisions of this proposed rule. We also seek comment on specific privacy or other concerns that would apply if the final regulation included provision for law enforcement access to protected health information without requiring a judicial order, grand jury subpoena, or administrative request, under such additional defined circumstances
Our proposal with respect to law enforcement has been shaped by the limited scope of our regulatory authority under HIPAA, which applies only to the covered entities and not to law enforcement officials. We believe the proposed rule sets the correct standards for when an exception to the rule of non-disclosure is appropriate for law enforcement purposes. There may be advantages, however, to legislation that applies the appropriate standards directly to judicial officers, prosecutors in grand juries, and to those making administrative or other requests for protected health information, rather than to covered entities as in the proposed regulation. These advantages could include measures to hold officials accountable if they seek or receive protected health information contrary to the legal standard. In Congressional consideration of law enforcement access, there have also been useful discussions of other topics, such as limits on re-use of protected health information gathered in the court of oversight activities. These limitations on our regulatory authority provide additional reason to support comprehensive medical privacy legislation.