NRPM: Standards for Privacy of Individually Identifiable Health Information. ii. Proposed requirements.

11/03/1999

In § 164.510(f), we propose to permit covered entities to disclose protected health information to law enforcement officials conducting or supervising a law enforcement inquiry or proceeding authorized by law if the request for protected health information is made:

  • pursuant to a warrant, subpoena, or order issued by a judicial officer;
  • pursuant to a grand jury subpoena;
  • pursuant to an administrative subpoena or summons, civil investigative demand, or similar certification or written order issued pursuant to federal or state law where (i) the records sought are relevant and material to a legitimate law enforcement inquiry; (ii) the request is as specific and narrowly drawn as is reasonably practicable to meet the purposes of the inquiry; and (iii) de-identified information could not reasonably be used to meet the purposes of the inquiry;
  • for limited identifying information where necessary to identify a suspect, fugitive, witness, or missing person;
  • by a law enforcement official requesting protected health information about an individual who is, or who is suspected to be, the victim of a crime, abuse or other harm, if such law enforcement official represents that (i) such information is needed to determine whether a violation of law by a person other than the victim has occurred and (ii) immediate law enforcement activity which depends on the official obtaining such information may be necessary;
  • for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.) or in connection with providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code, and the disclosure is otherwise authorized under Federal or state law; or
  • to law enforcement officials when a covered entity believes in good faith that the disclosed protected health information constitutes evidence of criminal conduct that: (i) arises out of and is directly related to the receipt of health care or payment for health care (including a fraudulent claim for health care) or qualification for or receipt of benefits, payments or services based on a fraudulent statement or material misrepresentation of the health of a patient; (ii) occurred on the premises of the covered entity; or (iii) was witnessed by an employee or other workforce member of the covered entity.

In drafting the proposed rule, we have attempted to match the level of procedural protection for privacy with the nature of the law enforcement need for access. Therefore, access for law enforcement under this rule would be easier where other rules would impose procedural protections, such as where access is granted after review by an independent judicial officer. Access would also be easier in an emergency situation or where only limited identifying information would be provided. By contrast, this rule proposes stricter standards for administrative requests, where other rules could not impose appropriate procedural protections.

Under the first part of this proposal, we would authorize disclosure of protected health information pursuant to a request that has been reviewed by a judicial officer. Examples of such requests include State or federal warrants, subpoenas, or other orders signed by a judicial officer. Review by a judicial officer is significant procedural protection for the proper handling of individually identifiable health information. Where such review exists, we believe that it would be appropriate for covered entities to disclose individually identifiable health information pursuant to the order.

Under the second part of this proposal, we would authorize disclosure of protected health information pursuant to a State or federal grand jury subpoena. Information disclosed to a grand jury is covered by significant secrecy protections, such as under Federal Rule of Criminal Procedure 6(e) and similar State laws. Our understanding is that State grand juries have secrecy protections substantially as protective as the federal rule. We solicit comment on whether there are any State grand jury secrecy provisions that are not substantially as protective.

Under the third part of this proposal, we would set somewhat stricter standards than exist today for disclosure pursuant to administrative requests, such as an administrative subpoena or summons, civil investigative demand, or similar process authorized under law. These administrative actions do not have the same procedural protections as review by an independent judicial officer. They also do not have the grand jury secrecy protections that exist under federal and State law. For administrative requests, an individual law enforcement official can define the scope of the request, sometimes without any review by a superior, and present it to the covered entity. We propose, therefore, that a greater showing should be made for an administrative request before the covered entity would be permitted to release protected health information. We also believe that the somewhat stricter test for administrative requests would provide some reason for officials to choose to obtain protected health information through process that includes the protections offered by judicial review or grand jury secrecy.

We therefore propose that a covered entity could disclose protected health information pursuant to an administrative request, issued pursuant to a determination that: (i) the records sought are relevant and material to a legitimate law enforcement inquiry; (ii) the request is as specific and narrowly drawn as is reasonably practicable; and (iii) de- identified information could not reasonably be used to meet the purpose of the request.

Because our regulatory authority does not extend to law enforcement officials, we are seeking comment on how to create an administrable system for implementing this three-part test. We do not intend that this provision require a covered entity to second guess representations by an appropriate law enforcement official that the three part test has been met.

To verify that the three-part test has been met, we propose that a covered entity be permitted to disclose protected health information to an appropriate law enforcement official pursuant to a subpoena or other covered administrative request that on its face indicates that the three-part test has been met. In the alternative, where the face of the request does not indicate that the test has been met, a covered entity could disclose the information upon production of a separate document, signed by a law enforcement official, indicating that the three-part test has been met. Under either of these alternatives, disclosure of the information can also be made if the document applies any other standard that is as strict or stricter than the three-part test.

This approach would parallel the research provisions of proposed § 164.510(j). Under that section, disclosure would be authorized by a covered entity where the party seeking the records produces a document that states it has met the standards for the institutional review board process. We solicit comments on additional, administrable ways that a law enforcement official could demonstrate that the appropriate issuing authority has determined that the three-part test has been met.

We solicit comment on the burdens and benefits of the proposed three-part test for administrative requests. For covered entities, we are interested in comments on how burdensome it would be to determine whether the three-part test has been met, and we would explore suggestions for approaches that would be more easily administered. For law enforcement, we are interested in the potential impact that this approach might have on current law enforcement practices, and the extent to which law enforcement officials believe that their access to information critical to law enforcement investigations could be impaired. We solicit comment on the burden on law enforcement officials, compared to current practice, of writing the administrative requests. We would also like comments on whether there are any federal, State, or local laws that would create an impediment to application of this section, including the proposed three-part test. If there are such impediments, we would solicit comment on whether extending the effective date of this section could help to prevent difficulties. On the benefit side, we are interested in comments on the specific gains for privacy that would result from requiring law enforcement to comply with greater procedures than currently exist for gaining access to protected health information.

As the fourth part of this proposal, we address limited circumstances where the disclosure of health information by covered entities would not be made pursuant to lawful process such as judicial order, grand jury subpoena, or administrative request. In some cases law enforcement officials could seek limited but focused information needed to obtain a warrant. For example, a witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of to privacy would be outweighed by the public interest.

In such instances, we propose to permit covered entities to disclose "limited identifying information" for purposes of identifying a suspect, fugitive, material witness, or missing person. We would define “limited identifying information” as the name, address, social security number, date of birth, place of birth, type of injury, date and time of treatment, and date of death. Disclosure of any additional information would cause the covered entity to be out of compliance with this provision, and subject to sanction. The request for such information could be made orally or in writing. Requiring the request to be in writing could defeat the purposes of this provision. We solicit comment on whether the list of “limited identifying information” is appropriate, or whether additional identifiers, such as blood type, also should be permitted disclosures under this section. Alternatively, we solicit comment on whether any of the proposed items on the list are sufficiently sensitive to warrant a legal process requirement before they should be disclosed.

Under the fifth part of the proposal, we would clarify that the protected health information of the victim of a crime, abuse or other harm could be disclosed to a law enforcement official if the information is needed to determine both whether a violation of law by a person other than the victim has occurred and whether an immediate law enforcement activity might be necessary. There could be important public safety reasons for obtaining medical records or other protected health information quickly, perhaps before there would be time to get a judicial order, grand jury subpoena, or administrative order. In particular, where the crime was violent, information about the victim’s condition could be needed to present to a judge in a bond hearing in order to keep the suspect in custody while further evidence is sought. Information about the victim also could be important in making an appropriate charging decision. Rapid access to victims’ medical records could reduce the risk of additional violent crimes, such as in cases of spousal or child abuse or in situations where the protected health information could reveal evidence of the identity of someone who is engaged in ongoing criminal activities.

In some of these instances, release of protected health information would be authorized under other sections of this proposed regulation, pursuant to provisions for patient consent, health oversight, circumstances, or disclosure pursuant to mandatory reporting laws for gunshot wounds or abuse cases. (As discussed later in section II.I, our rule would not be construed to invalidate or limit the authority, powers or procedures established under any law that provides for reporting of injury, child abuse or death.) In addition, §164.510(k) addressing emergency circumstances would permit covered entities to disclose protected health information in instances where the disclosure could prevent imminent harm to the individuals or to the public. However, we propose to include this fifth provision for law enforcement access to ensure that immediate need for law enforcement access to information about a victim would be permitted under this rule.

Under the sixth part of this proposal, we seek to assure that this rule would not interfere with the conduct of lawful security functions in protection of the public interest, as defined by the Congress. Therefore, we would allow disclosure of protected health information for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947. Similarly, we would allow disclosure of protected health information for providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code. Where such disclosures are authorized by Federal or state law, we would not interfere with these important national security activities.

Under the final part of this proposal, we would permit covered entities that uncover evidence of health care fraud to disclose the protected health information that evidences such fraud to law enforcement officials without receiving a request from such officials. This provision would permit covered entities to make certain disclosures to law enforcement officials on their own initiative if the information disclosed constitutes evidence of criminal conduct that arises out of and is directly related to (i) the receipt of health care or payment for health care (including a fraudulent claim for health care) or (ii) qualification for or receipt of benefits, payments or services based on a fraudulent statement or material misrepresentation of the health of a patient. Similarly, we would permit covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that either occurred on the covered entity’s premises or was witnessed by an employee (or other workforce member) of the covered entity. In such situations, covered entities should be permitted to take appropriate steps to protect the integrity and safety of their operations or to assure that the such criminal conduct is properly prosecuted.

To be protected by this provision, the covered entity would have to have good faith belief that the disclosed protected health information was evidence of such conduct. If the covered entity disclosed protected health information in good faith but was wrong in its belief that the information evidenced a legal violation, the covered entity would not be subject to sanction under this regulation. We would not require the covered entity to accurately predict the outcome of a criminal investigation.

There also are situations where law enforcement officials would need access to information for emergency circumstances. In those cases, the disclosure could be made under §164.510(k), “Disclosure in emergency circumstances.”

Pursuant to §164.518(c), covered entities would have an obligation to verify the identity of the person seeking disclosure of protected health information and the legal authority behind the request. As described in section II.H.3. of this preamble, we would permit covered entities to rely on a badge or similar identification to confirm that the request for protected health information is being made by a law enforcement official. If the request is not made in person, we would permit the covered entity to rely on official letter head or similar proof.

Where the covered entity must verify that lawful process has been obtained, §164.518(c) would require the covered entity to review the document evidencing the order. The covered entity could not disclose more information than was authorized in the document.

Because the regulation applies to covered entities, and not to the law enforcement officials seeking the protected health information, the covered entity would not be in a position to determine with any certainty whether the underlying requirements for the process have been met. For instance, it may be difficult for the covered entity to determine whether the three-part test has been met for an administrative request. In light of this difficulty facing covered entities, the proposed rule would include a good faith provision. Under that provision, covered entities would not be liable under the rule for disclosure of protected health information to a law enforcement official where the covered entity or its business partners acted in a good faith belief that the disclosure was permitted under this title. We solicit comment on the extent to which this good faith provision would make the proposed rule less burdensome on covered entities and law enforcement officials. We also solicit comment on the extent to which the provision could undermine the effectiveness of the provision.

For requests for the conduct of intelligence activities or for protective services, covered entities would be required to verify the identity of the person or entity requesting the information, through a badge or other identification, or official letter head, as just described. If such verification of identity is obtained, covered entities would be permitted to reasonably rely on the representations of such persons that the request is for lawful national security or protective service activities and is authorized by law. Similarly, to disclose limited identifying information, covered entities would be required to obtain verification that the request comes from a law enforcement official, and would be permitted to reasonably rely on such official’s representation that the information is needed for the purpose of identifying a suspect, fugitive, material witness, or missing person and is authorized by law.