Comment: Some commenters, particularly those representing health care providers, expressed concern that the proposed definition of "law enforcement official" could have allowed many government officials without health care oversight duties to obtain access to protected health information without patient consent.
Response: We do not intend for the definition of "law enforcement official" to be limited to officials with responsibilities directly related to health care. Law enforcement officials may need protected health information for investigations or prosecutions unrelated to health care, such as investigations of violent crime, criminal fraud, or crimes committed on the premises of health care providers. For these reasons, we believe it is not appropriate to limit the definition of "law enforcement official" to persons with responsibilities oversight of the health care system.
Comment: A few commenters expressed concern that the proposed definition could include any county or municipal official, even those without traditional law enforcement training.
Response: We do not believe that determining training requirements for law enforcement officials is appropriately within the purview of this regulation; therefore, we do not make the changes that these commenters requested.
Comment: Some commenters, particularly those from the district attorney community, expressed general concern that the proposed definition of "law enforcement official" was too narrow to account for the variation in state interpretations of law enforcement officials' power. One group noted specifically that the proposed definition could have prevented prosecutors from gaining access to needed protected health information.
Response: We agree that protected health information may be needed by law enforcement officials for both investigations and prosecutions. We did not intend to exclude the prosecutorial function from the definition of "law enforcement official ," and accordingly we modify the definition of law enforcement official to reflect their involvement in prosecuting cases. Specifically, in the final rule, we define law enforcement official as an official of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Comment: One commenter recommended making the definition of law enforcement official broad enough to encompass Medicaid program auditors, because some matters requiring civil or criminal law enforcement action are first identified through the audit process.
Response: We disagree. Program auditors may obtain protected health information necessary for their audit functions under the oversight provision of this regulation (§ 164.512(d)).
Comment: One commenter suggested that the proposed definition of "law enforcement official" could be construed as limited to circumstances in which an official "knows" that law has been violated. This commenter was concerned that, because individuals are presumed innocent and because many investigations, such as random audits, are opened without an agency knowing that there is a violation, the definition would not have allowed disclosure of protected health information for these purposes. The commenter recommended modifying the definition to include investigations into "whether" the law has been violated.
Response: We do not intend for lawful disclosures of protected health information for law enforcement purposes to be limited to those in which a law enforcement official knows that law has been violated. Accordingly, we revise the definition of "law enforcement official " to include investigations of "potential" violations of law.