HIPAA Regulations: Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Law Enforcement Purposes - § 164.512(f)

As Contained in the HHS HIPAA Privacy Rules

HHS Guidance: A Guide for Law Enforcement

 

HHS Regulations Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Disclosures for Law Enforcement Purposes - § 164.512(f)

 

(f) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable.

(1) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:

(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or

(ii) In compliance with and as limited by the relevant requirements of:

(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;

(B) A grand jury subpoena; or

(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

(1) The information sought is relevant and material to a legitimate law enforcement inquiry;

(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and

(3) De-identified information could not reasonably be used.

(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:

(i) The covered entity may disclose only the following information:

(A) Name and address;

(B) Date and place of birth;

(C) Social security number;

(D) ABO blood type and rh factor;

(E) Type of injury;

(F) Date and time of treatment;

(G) Date and time of death, if applicable; and

(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.

(3) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if:

(i) The individual agrees to the disclosure; or

(ii) The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that:

(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

(4) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.

(5) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

(6) Permitted disclosure: Reporting crime in emergencies. (i) A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:

(A) The commission and nature of a crime;

(B) The location of such crime or of the victim(s) of such crime; and

(C) The identity, description, and location of the perpetrator of such crime.

(ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section

 

HHS Description Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Disclosures for Law Enforcement Purposes

 

Disclosures Pursuant to Process and as Otherwise Required by Law

In the NPRM we would have allowed covered entities to disclose protected health information without individual authorization as required by other law. However, as explained above, if a legally mandated use or disclosure fell into one or more of the national priority purposes expressly identified in other paragraphs of proposed § 164.510, the disclosure would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM. Proposed § 164.510(f) did not explicitly recognize disclosures required by other laws, and it would not have permitted covered entities to comply with some state and other mandatory reporting laws that require covered entities to disclose protected health information to law enforcement officials, such as the reporting of gun shot wounds, stab wounds, and/or burn injuries.

We did not intend to preempt generally state and other mandatory reporting laws, and in § 164.512(f)(1)(i) of the final rule, we explicitly permit covered entities to disclose protected health information for law enforcement purposes as required by other law. This provision permits covered entities to comply with these state and other laws. Under this provision, to the extent that a mandatory reporting law falls under the provisions of § 164.512(c)(1)(i) regarding reporting of abuse, neglect, or domestic violence, the requirements of those provisions supersede.

In the final rule, we specify that covered entities may disclose protected health information pursuant to this provision in compliance with and as limited by the relevant requirements of legal process or other law. In the NPRM, for the purposes of this portion of the law enforcement paragraph, we proposed to define "law enforcement inquiry or proceeding" as an investigation or official proceeding inquiring into a violation of or failure to comply with law; or a criminal, civil or administrative proceeding arising from a violation of or failure to comply with law. In the final rule, we do not include this definition in § 164.512(f), because it is redundant with the definition of "law enforcement official" in § 164.501.

Proposed § 164.510(f)(1) of the NPRM would have authorized disclosure of protected health information to a law enforcement official conducting or supervising a law enforcement inquiry or proceeding authorized by law pursuant to process, under three circumstances.

First, we proposed to permit such disclosures pursuant to a warrant, subpoena, or other order issued by a judicial officer that documented a finding by the officer. The NPRM did not specify requirements for the nature of the finding. In the final rule, we eliminate the requirement for a "finding," and we make changes to the list of orders in response to which covered entities may disclose under this provision. Under the final rule, covered entities may disclose protected health information in compliance with and as limited by relevant requirements of: a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer. We made this change to the list to conform to the definition of "required by law" in § 164.501.

Second, we proposed to permit such disclosures pursuant to a state or federal grand jury subpoena. In the final rule, we leave this provision of the NPRM unchanged.

Third, we proposed to permit such disclosures pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process, under somewhat stricter standards than exist today for such disclosures. We proposed to permit a covered entity to disclose protected health information pursuant to an administrative request only if the request met three conditions, as follows: (i) the information sought was relevant and material to a legitimate law enforcement inquiry; (ii) the request was as specific and narrowly drawn as reasonably practicable; and (iii) de-identified information could not reasonably have been used to meet the purpose of the request.

The final rules generally adopts this provision of the NPRM. In the final rule, we modify the list of orders in response to which covered entities may disclose protected health information, to include administrative subpoenas or summons, civil or authorized investigative demands, or similar process authorized by law. We made this change to the list to conform with the definition of "required by law" in § 164.501. In addition, we slightly modify the second of the three conditions under which covered entities may respond to such requests, to allow disclosure if the request is specific and is limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.

Limited Information for Identification and Location Purposes

The NPRM would have allowed covered entities to disclose "limited identifying information" for purposes of identifying a suspect, fugitive, material witness, or missing person, in response to a law enforcement request. We proposed to define "limited identifying information" as (i) name; (ii) address; (iii) Social Security number; (iv) date of birth; (v) place of birth; (vi) type of injury or other distinguishing characteristic; and (vii) date and time of treatment.

The final rules generally adopts this provision of the NPRM with a few modifications. In the final rule, we expand the circumstances under which limited information about suspects, fugitives, material witnesses, and missing persons may be disclosed, to include not only cases in which law enforcement officials are seeking to identify such individuals, but also cases in which law enforcement officials are seeking to locate such individuals. In addition, the final rule modifies the list of data elements that may be disclosed under this provision, in several ways. We expand the list of elements that may be disclosed under these circumstances, to include ABO blood type and Rh factor, as well as date and time of death, if applicable. We remove "other distinguishing characteristic" from the list of items that may be disclosed for the location and identification purposes described in this paragraph, and instead allow covered entities to disclose only a description of distinguishing physical characteristics, such as scars and tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. In addition, in the final rule, protected health information associated with the following cannot be disclosed pursuant to § 164.512(f)(2): DNA data and analyses; dental records; or typing, samples or analyses of tissues or bodily fluids other than blood (e.g., saliva). If a covered entity discloses additional information under this provision, the covered entity will be out of compliance and subject to sanction.

We clarify our intent not to allow covered entities to initiate disclosures of limited identifying information to law enforcement in the absence of a law enforcement request; a covered entity may disclose protected health information under this provision only in response to a request from law enforcement. We allow a " law enforcement official's request" to be made orally or in writing, and we intend for it to include requests by a person acting on behalf of law enforcement, for example, requests by a media organization making a television or radio announcement seeking the public's assistance in identifying a suspect. Such a request also may include a "Wanted" poster and similar postings.

Disclosure about a Victim of Crime

The NPRM would have allowed covered entities to disclose protected health information about a victim of a crime, abuse or other harm to a law enforcement official, if the law enforcement official represented that: (i) the information was needed to determine whether a violation of law by a person other than the victim had occurred; and (ii) immediate law enforcement activity that depended on obtaining the information may have been necessary.

The final rule modifies the conditions under which covered entities can disclose protected health information about victims. In addition, as discussed above, the final rule includes a new § 164.512(c), which establishes conditions for disclosure of protected health information about victims of abuse, neglect or domestic violence. In addition, as discussed above, we have added § 164.512(f)(1)(i) to this paragraph to explicitly recognize that in some cases, covered entities' disclosure of protected health information is mandated by state or other law. The rule's requirements for disclosure in situations not covered under mandatory reporting laws are different from the rule's provisions regarding disclosure pursuant to a mandatory reporting law.

The final rule requires covered entities to obtain individual agreement as a condition of disclosing the protected health information about victims to law enforcement, unless the disclosure is permitted under § 164.512(b) or (c) or § 164.512(f)(1) above. The required agreement may be obtained orally, and does not need to meet the requirements of § 164.508 of this rule (regarding authorizations). The rule waives the requirement for individual agreement if the victim is unable to agree due to incapacity or other emergency circumstance and: (1) the law enforcement official represents that the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on such disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity, in the exercise of professional judgment, determines that the disclosure is in the individual's best interests. We intend that assessing the individual's best interests includes taking into account any further risk of harm to the individual. This provision does not allow covered entities to initiate disclosures of protected health information to law enforcement; the disclosure must be in response to a request from law enforcement.

We do not intend to create a new legal duty on the part of covered entities with respect to the safety of their patients. Rather, we intend to ensure that covered entities can continue to exercise their professional judgment in these circumstances, on a case-by-case basis, as they do today.

In some cases, a victim may also be a fugitive or suspect. For example, an individual may receive a gunshot wound during a robbery and seek treatment in a hospital emergency room. In such cases, when law enforcement officials are requesting protected health information because the individual is a suspect (and thus the information may be used against the individual), covered entities may disclose the protected health information pursuant to § 164.512(f)(2) regarding suspects and not pursuant to § 164.512(f)(3) regarding victims. Thus, in these situations, covered entities may disclose only the limited identifying information listed in § 164.512(f)(2) – not all of the protected health information that may be disclosed under § 164.512(f)(3).

The proposed rule did not address whether a covered entity could disclose protected health information to a law enforcement official to alert the official of the individual's death.

Disclosures About Decedents

In the final rule, we add a new provision § 164.512(f)(4) in which we permit covered entities to disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct. In such circumstances consent of the individual is not available and it may be difficult to determine the identity of a personal representative and gain consent for disclosure of protected health information. Permitting disclosures in this circumstance will permit law enforcement officials to begin their investigation into the death more rapidly, increasingly the likelihood of success.

Intelligence and National Security Activities

Section 164.510(f)(4) of the NPRM would have allowed covered entities to disclose protected health information to a law enforcement official without individual authorization for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.) or in connection with providing protective services to the President or other individuals pursuant to section 3056 of Title 18, United States Code. In the final rule, we move provisions regarding disclosures of protected health information for intelligence and protective services activities to § 164.512(k) regarding uses and disclosures for specialized government functions.

Criminal Conduct on the Premises of a Covered Entity

The NPRM would have allowed covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believed in good faith constituted evidence of criminal conduct that arose out of and was directly related to: (A) the receipt of health care or payment for health care, including a fraudulent claim for health care; (B) qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the health of the individual; that occurred on the covered entity's premises or was witnessed by a member of the covered entity's workforce.

In the final rule, we modify this provision substantially, by eliminating language allowing disclosures already permitted in other sections of the regulation. The proposed provision overlapped with other sections of the NPRM, in particular proposed § 164.510(c) regarding disclosure for health oversight activities. In the final regulation, we clarify that this provision applies only to disclosures to law enforcement officials of protected health information that the covered entity believes in good faith constitutes evidence of a crime committed on the premises. We eliminate proposed § 164.510(f)(5)(i) regarding health care fraud from the law enforcement section, because all disclosures that would have been allowed under that provision are allowed under § 164.512(d) of the final rule (health oversight). Similarly, in the final rule, we eliminate proposed § 164.510(f)(5)(iii) on disclosure of protected health information to law enforcement officials regarding criminal activity witnessed by a member of a health plan workforce. All disclosures that would have been permitted by that provision are included in § 164.512(f)(5), which allows disclosure of information to report a crime committed on the covered entity's premises, and by § 164.502, which provides that a covered entity is not in violation of the rule when a member of its workforce or person working for a business associate uses or discloses protected health information while acting as a "whistle blower." Thus, § 164.512(f)(5) allows covered entities to disclose health information only on the good faith belief that it constitutes evidence of a crime on their premises. The preamble to the NPRM said that if the covered entity disclosed protected health information in good faith but was wrong in its belief that the information was evidence of a violation of law, the covered entity would not be subject to sanction under this regulation. The final rule retains this approach.

Reporting Crime in Emergencies

The proposed rule did not address disclosures by emergency medical personnel to a law enforcement official intended to alert law enforcement about the commission of a crime. Because the provisions of proposed rule were limited to individually identifiable health information that was reduced to electronic form, many communications that occur between emergency medical personnel and law enforcement officials at the scene of a crime would not have been covered by the proposed provisions.

In the final rule we include a new provision § 164.512(f)(6) that addresses "911" calls for emergency medical technicians as well as other emergency health care in response to a medical emergency. The final rule permits a covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, to disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to (1) the commission and nature of a crime, (2) the location of such crime or of the victim(s) of such crime, and (3) the identity, description, and location of the perpetrator of such crime. A disclosure is not permitted under this section if health care provider believes that the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care. In such cases, disclosures to law enforcement would be governed by paragraph (c) of this section.

This added provision recognizes the special role of emergency medical technicians and other providers who respond to medical emergencies. In emergencies, emergency medical personnel often arrive on the scene before or at the same time as police officers, firefighters, and other emergency response personnel. In these cases, providers may be in the best position, and sometimes be the only ones in the position, to alert law enforcement about criminal activity. For instance, providers may be the first persons aware that an individual has been the victim of a battery or an attempted murder. They may also be in the position to report in real time, through use of radio or other mechanism, information that may immediately contribute to the apprehension of a perpetrator of a crime.

We note that disclosure under this provision is at the discretion of the health care provider. Disclosures in some instances may be governed more strictly, such as by applicable ethical standards and state and local laws.

Finally, the NPRM also included a proposed § 164.510(f)(5), which duplicated proposed § 164.510(f)(3). The final rule does not include this duplicate provision.

Additional Considerations

As stated in the NPRM, this paragraph is not intended to limit or preclude a covered entity from asserting any lawful defense or otherwise contesting the nature or scope of the process when the procedural rules governing the proceeding so allow. At the same time, it is not intended to create a basis for appealing to federal court concerning a request by state law enforcement officials. Each covered entity will continue to have available legal procedures applicable in the appropriate jurisdiction to contest such requests where warranted.

As was the case with the NPRM, this rule does not create any new affirmative requirement for disclosure of protected health information. Similarly, this section is not intended to limit a covered entity from disclosing protected health information to law enforcement officials where other sections of the rule permit such disclosure, e.g., as permitted by § 164.512(j) to avert an imminent threat to health or safety, for health oversight activities, to coroners or medical examiners, and in other circumstances permitted by the rule. For additional provisions permitting covered entities to disclose protected health information to law enforcement officials, see § 164.512(j)(1)(i) and (ii).

Under the NPRM and under the final rule, to obtain protected health information, law enforcement officials must comply with whatever other law is applicable. In certain circumstances, while this provision could authorize a covered entity to disclose protected health information to law enforcement officials, there could be additional applicable statutes or rules that further govern the specific disclosure. If the preemption provisions of this regulation do not apply, the covered entity must comply with the requirements or limitations established by such other law, regulation or judicial precedent. See §§ 160.201 through 160.205. For example, if state law permits disclosure only after compulsory process with court review, a provider or payor is not allowed to disclose information to state law enforcement officials unless the officials have complied with that requirement. Similarly, disclosure of substance abuse patient records subject to, 42 U.S.C. 290dd-2, and the implementing regulations, 42 CFR part 2, continue to be governed by those provisions.

In some instances, disclosure of protected health information to law enforcement officials will be compelled by other law, for example, by compulsory judicial process or compulsory reporting laws (such as laws requiring reporting of wounds from violent crimes, suspected child abuse, or suspected theft of controlled substances). As discussed above, disclosure of protected health information under such other mandatory law is permitted under § 164.512(a).

In the responses to comments we clarify that items such as cells and tissues are not protected health information, but that analyses of them is. The same treatment would be given other physical items, such as clothing, weapons, or a bloody knife. We note, however, that while these items are not protected health information and may be disclosed, some communications that could accompany the disclosure will be protected health information under the rule. For example, if a person provides cells to a researcher, and tells the researcher that these are an identified individual's cancer cells, that accompanying statement is protected health information about that individual. Similarly, if a person provides a bullet to law enforcement, and tells law enforcement that the bullet was extracted from an identified individual, the person has disclosed the fact that the individual was treated for a wound, and the additional statement is a disclosure of protected health information.

To be able to make the additional statement accompanying the provision of the bullet, a covered entity must look to the rule to find a provision under which a disclosure may be made to law enforcement. Section 164.512(f) of the rule addresses disclosures for law enforcement purposes. Under § 164.512(f)(1), the additional statement may be disclosed to a law enforcement official if required by law or with appropriate process. Under § 164.512(f)(2), we permit covered entities to disclose limited identifying information without legal process in response to a request from a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Thus, in the case of bullet described above, the covered entity may, in response to a law enforcement request, provide the extracted bullet and such additional limited identifying information as is permitted under § 164.512(f)(2).

 

HHS Response to Comments Received Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required: Disclosures for Law Enforcement Purposes

 

General Comments on Proposed § 164.510(f)

Comment: Some commenters argued that current law enforcement use of protected health information was legitimate and important. These commenters cited examples of investigations and prosecutions for which protected health information is needed, from white collar insurance fraud to violent assault, to provide incriminating evidence or to exonerate a suspect, to determine what charges are warranted and for bail decisions. For example, one commenter argued that disclosure of protected health information for law enforcement purposes should be exempt from the rule, because the proposed regulation would hamper Drug Enforcement Administration investigations. A few commenters argued that effective law enforcement requires early access to as much information as possible, to rule out suspects, assess severity of criminal acts, and for other purposes. A few commenters noted the difficulties criminal investigators and prosecutors face when fighting complex criminal schemes. In general, these commenters argued that all disclosures of protected health information to law enforcement should be allowed, or for elimination of the process requirements proposed in § 164.510(f)(1).

Response: The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety. At the same time, individuals' privacy interests also are important and legitimate. As with all the other disclosures of protected health information permitted under this regulation, the rules we impose attempt to balance competing and legitimate interests.

Comment: Law enforcement representatives stated that law enforcement agencies had a good track record of protecting patient privacy and that additional restrictions on their access and use of information were not warranted. Some commenters argued that no new limitations on law enforcement access to protected health information were necessary, because sufficient safeguards exist in state and federal laws to prevent inappropriate disclosure of protected health information by law enforcement.

Response: Disclosure of protected health information by law enforcement is not at issue in this regulation. Law enforcement access to protected health information in the first instance, absent any re-disclosure by law enforcement, impinges on individuals' privacy interests and must therefore be justified by a public purpose that outweighs individuals' privacy interests.

We do not agree that sufficient safeguards already exist in this area. We are not aware of, and the comments did not provide, evidence of a minimum set of protections for individuals relating to access by law enforcement to their protected health information. Federal and state laws in this area vary considerably, as they do for other areas addressed in this final rule. The need for standards in this area is no less critical than in the other areas addressed by this rule.

Comment: Many commenters argued that no disclosures of protected health information should be made to law enforcement (absent authorization) without a warrant issued by a judicial officer after a finding of probable cause. Others argued that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, as described in proposed § 164.510(f)(2). Some commenters argued that judicial review prior to release of protected health information to law enforcement should be required absent the exigent and urgent circumstances identified in the NPRM in § 164.510(f)(3) and (5), or absent “a compelling need” or similar circumstances.

Response: In the final rule, we attempt to match the level of procedural protection for privacy required by this rule with the nature of the law enforcement need for access, the existence of other procedural protections, and individuals' privacy interests. Where other rules already impose procedural protections, this rule generally relies on those protections rather than imposing new ones. Thus, where access to protected health information is granted after review by an independent judicial officer (such as a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer), no further requirements are necessary. Similarly, because information disclosed to a grand jury is vital to law enforcement purposes and is covered by secrecy protection, this rule allows disclosure with no further process.

We set somewhat stricter standards for disclosure of protected health information pursuant to administrative process, such as administrative subpoenas, summonses, and civil or authorized investigative demands. In these cases, the level of existing procedural protections is lower than for judicially-approved or grand jury disclosures. We therefore require a greater showing, specifically, the three-part test described in § 164.512(f)(1)(ii), before the covered entity is permitted to release protected health information. Where the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim's agreement prior to disclosure in most instances.

In the limited circumstances where law enforcement interests are heightened, we allow disclosure of protected health information without prior legal process or agreement, but we impose procedural protections such as limits on the information that may lawfully be disclosed, limits on the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures. For example, in some cases law enforcement officials may seek limited but focused information needed to obtain a warrant. A witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of privacy would be outweighed by the public interest. For such circumstances, we allow disclosure of protected health information in response to a law enforcement inquiry where law enforcement is seeking to identify a suspect, fugitive, material witness, or missing person, but allow only disclosure of a limited list of information.

Similarly, it is in the public interest to allow covered entities to take appropriate steps to protect the integrity and safety of their operations. Therefore, we permit covered entities on their own initiative to disclose to law enforcement officials protected health information for this purpose. However, we limit such disclosures to protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

We shape the rule's provisions with respect to law enforcement according to the limited scope of our regulatory authority under HIPAA, which applies only to the covered entities and not to law enforcement officials. We believe the rule sets the correct standards for when an exception to the rule of non-disclosure is appropriate for law enforcement purposes. There may be advantages, however, to legislation that applies the appropriate standards directly to judicial officers, prosecutors in grand juries, and to those making administrative or other requests for protected health information, rather than to covered entities. These advantages could include measures to hold officials accountable if they seek or receive protected health information contrary to the legal standard. In Congressional consideration of law enforcement access, there have also been useful discussions of other topics, such as limits on re-use of protected health information gathered in the course of health oversight activities. The limitations on our regulatory authority provide additional reason to support comprehensive medical privacy legislation.

Comment: A few commenters cited existing sanctions for law enforcement officials who violate the rights of individuals in obtaining evidence, ranging from suppression of that evidence to monetary penalties, and argued that such sanctions are sufficient to protect patients' privacy interests.

Response: After-the-fact sanctions are important, but they are effective only when coupled with laws that establish the ground rules for appropriate behavior. That is, a sanction applies only where some other rule has been violated. This regulation sets such basic ground rules. Further, under the HIPAA statutory authority, we cannot impose sanctions on law enforcement officials or require suppression of evidence. We must therefore rely on rules that regulate disclosure of protected health information by covered entities in the first instance.

Comment: Several commenters argued that disclosure of protected health information under § 164.510(f) should be mandatory, not just permitted. Others argued that we should mandate disclosure of protected health information in response to Inspector General subpoenas. A few commenters argued that we should require all covered entities to include disclosure of protected health information to law enforcement in their required notice of privacy practices.

Response: The purpose of this regulation is to protect individuals' privacy interests, consistent with other important public activities. Other laws set the rules governing those public activities, including when health information is necessary for their effective operation. See discussion of § 164.512(a).

Comment: Some commenters questioned whether the Secretary had statutory authority to directly or indirectly impose new procedural or substantive requirements on otherwise lawful legal process issued under existing federal and state rules. They argued that, while the provisions are imposed on "covered entities," the rule would result in law enforcement officials being compelled to modify current practices to harmonize them with the requirements this rule imposes on covered entities. A number of state law enforcement agencies argued that the rule would place new burdens on state administrative subpoenas and requests that are intrusive in state functions. At least one commenter argued that the requirement for prior process places unreasonable restrictions on the right of the states to regulate law enforcement activities.

Response: This rule regulates the ability of health care clearinghouses, health plans, and covered health care providers to use and disclose health information. It does not regulate the behavior of law enforcement officials or the courts, nor does it prevent states from regulating law enforcement officials. All regulations have some effects on entities that are not directly regulated. We have considered those effects in this instance and have determined that the provisions of the rule are necessary to protect the privacy of individuals.

Comment: One commenter argued that state licensing boards should be exempt from restrictions placed on law enforcement officials, because state licensing and law enforcement are different activities.

Response: Each state's law determines what authorities are granted to state licensing boards. Because state laws differ in this regard, we cannot make a blanket determination that state licensing officials are or are not law enforcement officials under this regulation. We note, however, that the oversight of licensed providers generally is included as a health oversight activity at § 164.512(d).

Relationship to Existing Rules and Practices

Comment: Many commenters expressed concern that the proposed rule would have expanded current law enforcement access to protected health information. Many commenters said that the NPRM would have weakened their current privacy practices with respect to law enforcement access to health records. For example, some of the commenters arguing that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, did so because they believed that such a rule would be consistent with current state law practices.

Response: This regulation does not expand current law enforcement access to protected health information. We do not mandate any disclosures of protected health information to law enforcement officials, nor do we make lawful any disclosures of protected health information which are unlawful under other rules and regulations. Similarly, this regulation does not describe a set of “best practices.” Nothing in this regulation should cause a covered entity to change practices that are more protective of privacy than the floor of protections provided in this regulation.

This regulation sets forth the minimum practices which a covered entity must undertake in order to avoid sanctions under the HIPAA. We expect and encourage covered entities to exercise their judgment and professional ethics in using and disclosing health information, and to continue any current practices that provide privacy protections greater than those mandated in this regulation.

Comment: Many commenters asserted that, today, consent or judicial review always is required prior to release of protected health information to law enforcement; therefore, they said that the proposed rule would have lessened existing privacy protections.

Response: In many situations today, law enforcement officials lawfully obtain health information absent any prior legal process and absent exigent circumstances. The comments we received on the NPRM, both from law enforcement and consumer advocacy groups, describe many such situations. Moreover, this rule sets forth minimum privacy protections and does not preempt more stringent, pre-existing standards.

Comment: Some commenters argued that health records should be entitled to at least as much protection as cable subscription records and video rental records.

Response: We agree. The Secretary, in presenting her initial recommendations on the protection of health information to the Congress in 1997, stated that, “When Congress looked at the privacy threats to our credit records, our video records, and our motor vehicle records, it acted quickly to protect them. It is time to do the same with our health care records” (Testimony of Donna E. Shalala, Secretary, U. S. Department of Health and Human Services, before the Senate Committee on Labor & Human Resources, September 11, 1997). However, the limited jurisdiction conferred on us by the HIPAA does not allow us to impose such restrictions on law enforcement officials or the courts.

Comment: At least one commenter argued that the regulation should allow current routine uses for law enforcement under the Privacy Act.

Response: This issue is discussed in the "Relationship to Other Federal Laws" preamble discussion of the Privacy Act.

Comment: A few commenters expressed concern that people will be less likely to provide protected health information for public health purposes if they fear the information could be used for law enforcement purposes.

Response: This regulation does not affect law enforcement access to records held by public health authorities, nor does it expand current law enforcement access to records held by covered entities. These agencies are for the most part not covered entities under HIPAA. Therefore, this regulation should not reduce current cooperation with public health efforts.

Relationship to Other Provisions of This Regulation

Comment: Several commenters pointed out an unintended interaction between proposed §§ 164.510(f) and 164.510(n). Because proposed § 164.510(n), allowing disclosures mandated by other laws, applied only if the disclosure would not fall into one of the categories of disclosures provided for in § 164.510 (b) - (m), disclosures of protected health information mandated for law enforcement purposes by other law would have been preempted.

Response: We agree, and in the final rule we address this unintended interaction. It is not our intent to preempt these laws. To clarify the interaction between these provisions, in the final rule we have specifically added language to the paragraph addressing disclosures for law enforcement that permits covered entities to comply with legal mandates, and have included a specific cross reference in the provision of the final rule that permits covered entities to make other disclosures required by law. See § 164.512(a).

Comment: Several commenters argued that, when a victim of abuse or of a crime has requested restrictions on disclosure, the restrictions should be communicated to any law enforcement officials who receive that protected health information.

Response: We do not have the authority to regulate law enforcement use and disclosure of protected health information, and therefore we could not enforce any such restrictions communicated to law enforcement officials. For this reason, we determined that the benefits to be gained from requiring communication of restrictions would not outweigh the burdens such a requirement would place on covered entities. We expect that professional ethics will guide health care providers' communications to law enforcement officials about the welfare of victims of abuse or other crime.

Comment: Some commenters argued against imposing the “minimum necessary” requirement on disclosure of protected health information to law enforcement officials. Some law enforcement commenters expressed concern that the “minimum necessary” test could be “manipulated” by a covered entity that wished to withhold relevant evidence. A number of covered entities complained that they were ill-equipped to substitute their judgment for that of law enforcement for what was the minimum amount necessary, and they also argued that the burden of determining the “minimum necessary”information should be transferred to law enforcement agencies. Some commenters argued that imposing such "uninformed" discretion on covered entities would delay or thwart legitimate investigations, and would result in withholding information that might exculpate an individual or might be necessary to present a defendant's case. One comment suggested that covered entities have “immunity” for providing too much information to law enforcement.

Response: The “minimum necessary” standard is discussed at § 164.514.

Comment: A few commenters asked us to clarify when a disclosure is for a “Judicial or Administrative Proceeding” and when it is for “Law Enforcement” purposes.

Response: In the final rule we have clarified that § 164.512(e) relating to disclosures for judicial or administrative proceedings does not supersede the authority of a covered entity to make disclosures under other provisions of the rule.

Use of Protected Health Information after Disclosure to Law Enforcement

Comment: Many commenters recommended that we restrict law enforcement officials' re-use and re-disclosure of protected health information. Some commenters asked us to impose such restrictions, while other commenters noted that the need for such restrictions underscores the need for legislation. Another argued for judicial review prior to release of protected health information to law enforcement because this regulation cannot limit further uses or disclosures of protected health information once it is in the hands of law enforcement agencies.

Response: We agree that there are advantages to legislation that imposes appropriate restrictions directly on the re-use and re-disclosure of protected health information by many persons who may lawfully receive protected health information under this regulation, but whom we cannot regulate under the HIPAA legislative authority, including law enforcement agencies.

Comment: A few commenters expressed concern that protected health information about persons who are not suspects may be used in court and thereby become public knowledge. These commenters urged us to take steps to minimize or prevent such protected health information from becoming part of the public record.

Response: We agree that individuals should be protected from unnecessary public disclosure of health information about them. However, we do not have the statutory authority in this regulation to require courts to impose protective orders. To the extent possible within the HIPAA statutory authority, we address this problem in § 164.512(e), Judicial and Administrative Proceedings.

Comment: Some commenters argued that evidence obtained in violation of the regulation should be inadmissible at trial.

Response: In this regulation, we do not have the authority to regulate the courts. We can neither require nor prohibit courts from excluding evidence obtain in violation of this regulation.

Comments Regarding Proposed § 164.510(f)(1), Disclosures to Law Enforcement Pursuant to Process

Comments Supporting or Opposing a Requirement of Consent or Court Order

Comment: Some commenters argued that a rule that required a court order for every instance that law enforcement sought protected health information would impose substantial financial and administrative burdens on federal and state law enforcement and courts. Other commenters argued that imposing a new requirement of prior judicial process would compromise the time-sensitive nature of many investigations.

Response: We do not impose such a requirement in this regulation.

Comment: Many commenters argued that proposed § 164.510(f)(1) would have given law enforcement officials the choice of obtaining records with or without a court order, and that law enforcement “will choose the least restrictive means of obtaining records, those that do not require review by a judge or a prosecutor.” Several commenters argued that this provision would have provided the illusion of barriers -- but no real barriers -- to law enforcement access to protected health information. A few argued that this provision would have allowed law enforcement to regulate itself.

Response: We agree with commenters that, in some cases, a law enforcement official may have discretion to seek health information under more than one legal avenue. Allowing a choice in these circumstances does not mean an absence of real limits. Where law enforcement officials choose to obtain protected health information through administrative process, they must meet the three-part test required by this regulation.

Comment: At least one commenter argued for judicial review prior to disclosure of health information because the rule will become the “de facto” standard for release of protected health information.

Response: We do not intend for this regulation to become the “de facto” standard for release of protected health information. Nothing in this regulation limits the ability of states and other governmental authorities to impose stricter requirements on law enforcement access to protected health information. Similarly, we do not limit the ability of covered entities to adopt stricter policies for disclosure of protected health information not mandated by other laws.

Comment: A few commenters expressed concern that proposed § 164.510(f)(1) would have overburdened the judicial system.

Response: The comments did not provide any factual basis for evaluating this concern.

Comment: Some commenters argued that, while a court order should be required, the standard of proof should be something other than “probable cause.” For example, one commenter argued that the court should apply the three-part test proposed in § 164.510(f)(1)(C). Another commenter suggested a three-part test: the information is necessary, the need cannot be met with non-identifiable information, and the need of law enforcement outweighs the privacy interest of the patient. Some commenters suggested that we impose a "clear and convincing" standard. Another suggested that we require clear and convincing evidence that: (1) the information sought is relevant and material to a legitimate criminal investigation; (2) the request is as specific and narrow as is reasonably practicable; (3) de-identified information, for example coded records, could not reasonably be used; (4) on balance, the need for the information outweighs the potential harm to the individuals and to patient care generally; and (5) safeguards appropriate to the situation have been considered and imposed. This comment also suggested the following as such appropriate safeguard: granting only the right to inspect and take notes; allowing copying of only certain portions of records; prohibiting removing records from the premises; placing limits on subsequent use and disclosure; and requiring return or destruction of the information at the earliest possible time.) Others said the court order should impose a “minimum necessary” standard.

Response: We have not revised the regulation in response to comments suggesting that we impose additional standards relating to disclosures to comply with court orders. Unlike administrative subpoenas, where there is no independent review of the order, court orders are issued by an independent judicial officer, and we believe that covered entities should be permitted under this rule to comply with them. Court orders are issued in a wide variety of cases, and we do not know what hardships might arise by imposing standards that would require judicial officers to make specific findings related to privacy.

Comment: At least one commenter argued that the proposed rule would have placed too much burden on covered entities to evaluate whether to release information in response to a court order. This comment suggested that the regulation allow disclosure to attorneys for assessment of what the covered entity should release in response to a court order.

Response: This regulation does not change current requirements on or rights of covered entities with respect to court orders for the release of health information. Where such disclosures are required today, they continue to be required under this rule. Where other law allows a covered entity to challenge a court order today, this rule will not reduce the ability of a covered entity to mount such a challenge. Under § 164.514, a covered entity will be permitted to rely on the face of a court order to meet this rule's requirements for verification of the legal authority of the request for information. A covered entity may disclose protected health information to its attorneys as needed, to perform health care operations, including to assess the covered entity's appropriate response to court orders. See definition of “health care operations” under § 164.501.

Comment: Many commenters argued that the regulation should prohibit disclosures of protected health information to law enforcement absent patient consent.

Response: We disagree with the comment. Requiring consent prior to any release of protected health information to a law enforcement official would unduly jeopardize public safety. Law enforcement officials need protected health information for their investigations in a variety of circumstances. The medical condition of a defendant could be relevant to whether a crime was committed, or to the seriousness of a crime. The medical condition of a witness could be relevant to the reliability of that witness. Health information may be needed from emergency rooms to locate a fleeing prison escapee or criminal suspect who was injured and is believed to have stopped to seek medical care.

These and other uses of medical information are in the public interest. Requiring the authorization of the subject prior to disclosure could make apprehension or conviction of some criminals difficult or impossible. In many instances, it would not be possible to obtain such consent, for example because the subject of the information could not be located in time (or at all). In other instances, the covered entity may not wish to undertake the burden of obtaining the consent. Rather than an across-the-board consent requirement, to protect individuals' privacy interests while also promoting public safety, we impose a set of procedural safeguards (described in more detail elsewhere in this regulation) that covered entities must ensure are met before disclosing protected health information to law enforcement officials.

In most instances, such procedural safeguards consist of some prior legal process, such as a warrant, grand jury subpoena, or an administrative subpoena that meets a three-part test for protecting privacy interests. When the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim's agreement prior to disclosure in most instances. In the limited circumstances where law enforcement interests are heightened and we allow disclosure of protected health information without prior legal process or agreement, the procedural protections include limits on the information that may lawfully be disclosed, the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures.

We also allow disclosure of protected health information to law enforcement officials without consent when other law mandates the disclosures. When such other law exists, another public entity has made the determination that law enforcement interests outweigh the individual's privacy interests in the situations described in that other law, and we do not upset that determination in this regulation.

Comment: Several commenters recommended requiring that individuals receive notice and opportunity to contest the validity of legal process under which their protected health information will be disclosed, prior to disclosure of their records to law enforcement. Some of these commenters recommended adding this requirement to provisions proposed in the NPRM, while others recommended establishing this requirement as part of a new requirement for a judicial warrant prior to all disclosures of protected health information to law enforcement. At least one of these commenters proposed an exception to such a notice requirement where notice might lead to destruction of the records.

Response: Above we discuss the reasons why we believe it is inappropriate to require consent or a judicial order prior to any release of protected health information to law enforcement. Many of those reasons apply here, and they lead us not to impose such a notice requirement.

Comment: A few commenters believed that the proposed requirements in § 164.510(f)(1) would hinder investigations under the Civil Rights for Institutionalized Persons Act (CRIPA).

Response: We did not intend that provision to apply to investigations under CRIPA, and we clarify in the final rule that covered entities may disclose protected health information for such investigations under the health oversight provisions of this regulation (see § 164.512(d) for further detail).

Comments Suggesting Changes to the Proposed Three-Part Test

Comment: Many commenters argued for changes to the proposed three-part test that would make the test more difficult to meet. Many of these urged greater, but unspecified, restrictions. Others argued that the proposed test was too stringent, and that it would have hampered criminal investigations and prosecutions. Some argued that it was too difficult for law enforcement to be specific at the beginning of an investigation. Some argued that there was no need to change current practices, and they asked for elimination of the three-part test because it was “more stringent” than current practices and would make protected health information more difficult to obtain for law enforcement purposes. These commenters urged elimination of the three-part test so that administrative bodies could continue current practices without additional restrictions. Some of these argued for elimination of the three-part test for all administrative subpoenas; others argued for elimination of the three-part test for administrative subpoenas from various Inspectors General offices. A few commenters argued that the provisions in proposed § 164.510(f)(1) should be eliminated because they would have burdened criminal investigations and prosecutions but would have served “no useful public purpose.”

Response: We designed the proposed three-part test to require proof that the government's interest in the health information was sufficiently important and sufficiently focused to overcome the individual's privacy interest. If the test were weakened or eliminated, the individual's privacy interest would be insufficiently protected. At the same time, if the test were significantly more difficult to meet, law enforcement's ability to protect the public interest could be unduly compromised.

Comment: At least one comment argued that, in the absence of a judicial order, protected health information should be released only pursuant to specific statutory authority.

Response: It is impossible to predict all the facts and circumstances, for today and into the future, in which law enforcement's interest in health information outweigh individuals' privacy interests. Recognizing this, states and other governments have not acted to list all the instances in which health information should be available to law enforcement officials. Rather, they specify some such instances, and rely on statutory, constitutional, and other limitations to place boundaries on the activities of law enforcement officials. Since the statutory authority to which the commenter refers does not often exist, many uses of protected health information that are in the public interest (described above in more detail) would not be possible under such an approach.

Comment: At least one commenter, an administrative agency, expressed concern that the proposed rule would have required its subpoenas to be approved by a judicial officer.

Response: This rule does not require judicial approval of administrative subpoenas. Administrative agencies can avoid the need for judicial review under this regulation by issuing subpoenas for protected health information only where the three-part test has been met.

Comment: Some commenters suggested alternative requirements for law enforcement access to protected health information. A few suggested replacing the three-part test with a requirement that the request for protected health information from law enforcement be in writing and signed by a supervisory official, and/or that the request “provide enough information about their needs to allow application of the minimum purpose rule.”

Response: A rule requiring only that the request for information be in writing and signed fails to impose appropriate substantive standards for release of health information. A rule requiring only sufficient information for the covered entity to make a “minimum necessary” determination would leave these decisions entirely to covered entities' discretion. We believe that protection of individuals' privacy interests must start with a minimum floor of protections applicable to all. We believe that while covered entities may be free to provide additional protections (within the limits of the law), they should not have the ability to allow unjustified access to health information.

Comment: Some commenters argued that the requirement for an unspecified "finding" for a court order should be removed from the proposed rule, because it would have been confusing and would have provided no guidance to a court as to what finding would be sufficient.

Response: We agree that the requirement would have been confusing, and we delete this language from the final regulation.

Comment: A few commenters argued that the proposed three-part test should not be applied where existing federal or state law established a standard for issuing administrative process.

Response: It is the content of such a standard, not its mere existence, that determines whether the standard strikes an appropriate balance between individuals' privacy interests and the public interest in effective law enforcement activities. We assume that current authorities to issue administrative subpoena are all subject to some standards. When an existing standard provides at least as much protection as the three-part test imposed by this regulation, the existing standard is not disturbed by this rule. When, however, an existing standard for issuing administrative process provides less protection, this rule imposes new requirements.

Comment: Some covered entities said that they should not have been asked to determine whether the proposed three-part test has been met. Some argued that they were ill-equipped to make a judgment on whether an administrative subpoena actually met the three-part test, or that it was unfair to place the burden of making such determinations on covered entities. Some argued that the burden should have been on law enforcement, and that it was inappropriate to shift the burden to covered entities. Other commenters argued that the proposal would have given too much discretion to the record holders to withhold evidence without having sufficient expertise or information on which to make such judgments. At least one comment said that this aspect of the proposal would have caused delay and expense in the detection and prevention of health care fraud. The commenter believed that this delay and expense could be prevented by shifting to law enforcement and health care oversight the responsibility to determine whether standards have been met.

At least one commenter recommended eliminating the three-part test for disclosures of protected health information by small providers.

Some commenters argued that allowing covered entities to rely on law enforcement representation that the three-part test has been met would render the test meaningless.

Response: Because the statute does not bring law enforcement officials within the scope of this regulation, the rule must rely on covered entities to implement standards that protect individuals' privacy interests, including the three-part test for disclosure pursuant to administrative subpoenas. To reduce the burden on covered entities, we do not require a covered entity to second-guess representations by law enforcement officials that the three part test has been met. Rather, we allow covered entities to disclose protected health information to law enforcement when the subpoena or other administrative request indicates on its face that the three-part test has been met, or where a separate document so indicates. Because we allow such reliance, we do not believe that it is necessary or appropriate to reduce privacy protections for individuals who obtain care from small health care providers.

Comment: Some commenters ask for modification of the three-part test to include a balancing of the interests of law enforcement and the privacy of the individual, pointing to such provisions in the Leahy-Kennedy bill.

Response: We agree with the comment that the balancing of these interests is important in this circumstance. We designed the regulation's three-part test to accomplish that result.

Comment: At least one commenter recommended that “relevant and material” be changed to “relevant,” because “relevant” is a term at the core of civil discovery rules and is thus well understood, and because it would be difficult to determine whether information is “material” prior to seeing the documents. As an alternative, this commenter suggested explaining what we meant by “material.”

Response: Like the term “relevant,” the term “material” is commonly used in legal standards and well understood.

Comment: At least one commenter suggested deleting the phrase “reasonably practical” from the second prong of the test, because, the commenter believed, it was not clear who would decide what is “reasonably practical” if the law enforcement agency and covered entity disagreed.

Response : We allow covered entities to rely on a representation on the face of the subpoena that the three-part test, including the “reasonably practical” criteria, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge any subpoena that today it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and is not a function of the “reasonably practical” criteria.

Comment : Some commenters requested elimination of the third prong of the test. One of these commenters suggested that the regulation should specify when de-identified information could not be used. Another recommended deleting the phrase “could not reasonably be used” from the third prong of the test, because the commenter believed it was not clear who would determine whether de-identified information “could reasonably be used” if the law enforcement agency and covered entity disagreed.

Response : We cannot anticipate in regulation all the facts and circumstances surrounding every law enforcement activity today, or in the future as technologies change. Such a rigid approach could not account for the variety of situations faced by covered entities and law enforcement officials, and would become obsolete over time. Thus, we believe it would not be appropriate to specify when de-identified information can or cannot be used to meet legitimate law enforcement needs.

In the final rule, we allow the covered entity to rely on a representation on the face of the subpoena (or similar document) that the three-part test, including the “could not reasonably be used” criteria, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge today any subpoena that it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and it is not a function of the “could not reasonably be used” criteria.

Comments Regarding Proposed § 164.510(f)(2), Limited Information for Identifying Purposes

Comment: A number of commenters recommended deletion of this provision. These commenters argued that the legal process requirements in proposed § 164.510(f)(1) should apply when protected health information is disclosed for identification purposes. At least one privacy group recommended that if the provision were not eliminated in its entirety, “suspects” should be removed from the list of individuals whose protected health information may be disclosed for identifying purposes. Many commenters expressed concern that this provision would allow compilation of large data bases of health information that could be use for purposes beyond those specified in this provision.

Response: We retain this provision in the final rule. We continue to believe that identifying fugitives, material witnesses, missing persons, and suspects is an important national priority and that allowing disclosure of limited identifying information for this purpose is in the public interest. Eliminating this provision – or eliminating suspects from the list of types of individuals about whom disclosure of protected health information to law enforcement is allowed – would impede law enforcement agencies' ability to apprehend fugitives and suspects and to identify material witnesses and missing persons. As a result, criminals could remain at large for longer periods of time, thereby posing a threat to public safety, and missing persons could be more difficult to locate and thus endangered.

However, as described above and in the following paragraphs, we make significant changes to this provision, to narrow the information that may be disclosed and make clear the limited purpose of the provision. For example, the proposed rule did not state explicitly whether covered entities would have been allowed to initiate – in the absence of a request from law enforcement – disclosure of protected health information to law enforcement officials for the purpose of identifying a suspect, fugitive, material witness or missing person. In the final rule, we clarify that covered entities may disclose protected health information for identifying purposes only in response to a request by a law enforcement official or agency. A “request by a law enforcement official or agency” is not limited to direct requests, but also includes oral or written requests by individuals acting on behalf of a law enforcement agency, such as a media organization broadcasting a request for the public's assistance in identifying a suspect on the evening news. It includes “Wanted” posters, public announcements, and similar requests to the general public for assistance in locating suspects or fugitives.

Comment: A few commenters recommended additional restrictions on disclosure of protected health information for identification purposes. For example, one commenter recommended that the provision should either (1) require that the information to be disclosed for identifying purposes be relevant and material to a legitimate law enforcement inquiry and that the request be as specific and narrowly drawn as possible; or (2) limit disclosures to circumstances in which (a) a crime of violence has occurred and the perpetrator is at large, (b) the perpetrator received an injury during the commission of the crime, (c) the inquiry states with specificity the type of injury received and the time period during which treatment would have been provided, and (d) “probable cause” exists to believe the perpetrator received treatment from the provider.

Response: We do not agree that these additional restrictions are appropriate for disclosures of limited identifying information for purposes of locating or identifying suspects, fugitives, material witnesses or missing persons. The purpose of this provision is to permit law enforcement to obtain limited time-sensitive information without the process requirements applicable to disclosures for other purposes. Only limited information may be disclosed under this provision, and disclosure is permitted only in limited circumstances. We believe that these safeguards are sufficient, and that creating additional restrictions would undermine the purpose of the provision and that it would hinder law enforcement's ability to obtain essential, time-sensitive information.

Comment: A number of law enforcement agencies recommended that the provision in the proposed rule be broadened to permit disclosure to law enforcement officials for the purpose of “locating” as well as “identifying” a suspect, fugitive, material witness or missing person.

Response: We agree with the comment and have changed the provision in the final rule. We believe that locating suspects, fugitives, material witnesses and missing persons is an important public policy priority, and that it can be critical to identifying these individuals. Further, efforts to locate suspects, fugitives, material witnesses, and missing persons can be at least as time-sensitive as identifying such individuals.

Comment: Several law enforcement agencies requested that the provision be broadened to permit disclosure of additional pieces of identifying information, such as ABO blood type and Rh factor, DNA information, dental records, fingerprints, and/or body fluid and tissue typing, samples and analysis. These commenters stated that additional identifying information may be necessary to permit identification of suspects, fugitives, material witnesses or missing persons. On the other hand, privacy and consumer advocates, as well as many individuals, were concerned that this section would allow all computerized medical records to be stored in a large law enforcement data base that could be scanned for matches of blood, DNA, or other individually identifiable information.

Response: The final rule seeks to strike a balance in protecting privacy and facilitating legitimate law enforcement inquiries. Specifically, we have broadened the NPRM's list of data elements that may be disclosed pursuant to this section, to include disclosure of ABO blood type and rh factor for the purpose of identifying or locating suspects, fugitives, material witnesses or missing persons. We agree with the commenters that these pieces of information are important to law enforcement investigations and are no more invasive of privacy than the other pieces of protected health information that may be disclosed under this provision.

However, as explained below, protected health information associated with DNA and DNA analysis; dental records; or typing, samples or analyses of tissues and bodily fluids other than blood (e.g., saliva) cannot be disclosed for the location and identification purposes described in this section. Allowing disclosure of this information is not necessary to accomplish the purpose of this provision, and would be substantially more intrusive into individuals' privacy. In addition, we understand commenters' concern about the potential for such information to be compiled in law enforcement data bases. Allowing disclosure of such information could make individuals reluctant to seek care out of fear that health information about them could be compiled in such a data base.

Comment: Many commenters argued that proposed § 164.510(f)(2) should be deleted because it would permit law enforcement to engage in “fishing expeditions” or to create large data bases that could be searched for suspects and others.

Response: Some of this fear may have stemmed from the inclusion of the phrase “other distinguishing characteristic” – which could be construed broadly – in the list of items that could have been disclosed pursuant to this section. In the final rule, we delete the phrase “other distinguishing characteristic” from the list of items that can be disclosed pursuant to § 164.512(f)(2). In its place, we allow disclosure of a description of distinguishing physical characteristics, such as scars, tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. We believe that such a change, in addition to the changes described in the paragraph above, responds to commenters' concern that the NPRM would have allowed creation of a government data base of personal identifying information. Further, this modification provides additional guidance to covered entities regarding the type of information that may be disclosed under this provision.

Comment: At least one commenter recommended removing social security numbers (SSNs) from the list of items that may be disclosed pursuant to proposed § 164.510(f)(2). The commenter was concerned that including SSNs in the (f)(2) list would cause law enforcement agencies to demand that providers collect SSNs. In addition, the commenter was concerned that allowing disclosure of SSNs could lead to theft of identity by unscrupulous persons in policy departments and health care organizations.

Response: We disagree. We believe that on balance, the potential benefits from use of SSNs for this purpose outweigh the potential privacy intrusion from such use of SSNs. For example, SSNs can help law enforcement officials identify suspects are using aliases.

Comments Regarding Proposed § 164.510(f)(3), Information About a Victim of Crime or Abuse

Comment: Some law enforcement organizations expressed concern that proposed § 164.510(f)(3) could inhibit compliance with state mandatory reporting laws.

Response: We recognize that the NPRM could have preempted such state mandatory reporting laws, due to the combined impact of proposed §§ 164.510(m) and 164.510(f). As explained in detail in § 164.512(a) above, we did not intend that result, and we modify the final rule to make clear that this rule does not preempt state mandatory reporting laws.

Comment: Many commenters, including consumer and provider groups, expressed concern that allowing covered entities to disclose protected health information without authorization to law enforcement regarding victims of crime, abuse, and other harm could endanger victims, particularly victims of domestic violence, who could suffer further abuse if their abuser learned that the information had been reported. Provider groups also expressed concern about undermining provider-patient relationships. Some law enforcement representatives noted that in many cases, health care providers' voluntary reports of abuse or harm can be critical for the successful prosecution of violent crime. They argued, that by precluding providers from voluntarily reporting to law enforcement evidence of potential abuse, the proposed rule could make it more difficult to apprehend and prosecute criminals.

Response: We recognize the need for heightened sensitivity to the danger facing victims of crime in general, and victims of domestic abuse or neglect in particular. As discussed above, the final rule includes a new section (§ 164.512(c)) establishing strict conditions for disclosure of protected health information about victims of abuse, neglect, and domestic violence.

Victims of crime other than abuse, neglect, or domestic violence can also be placed in further danger by disclosure of protected health information relating to the crime. In § 164.512(f)(3) of the final rule, we establish conditions for disclosure of protected health information in these circumstances, and we make significant modifications to the proposed rule's provision for such disclosures. Under the final rule, unless a state or other government authority has enacted a law requiring disclosure of protected health information about a victim to law enforcement officials, in most instances, covered entities must obtain the victim's agreement before disclosing such information to law enforcement officials. This requirement gives victims control over decision making about their health information where their safety could be at issue, helps promote trust between patients and providers, and is consistent with health care providers' ethical obligation to seek patient authorization whenever possible before disclosing protected health information.

At the same time, the rule strikes a balance between protecting victims and providing law enforcement access to information about potential crimes that cause harm to individuals, by waiving the requirement for agreement in two situations. In allowing covered entities to disclose protected health information about a crime victim pursuant to a state or other mandatory reporting law, we defer to other governmental bodies' judgments on when certain public policy objectives are important enough to warrant mandatory disclosure of protected health information to law enforcement. While some mandatory reporting laws are written more broadly than others, we believe that it is neither appropriate nor practicable to distinguish in federal regulations between what we consider overly broad and sufficiently focused mandatory reporting laws.

The final rule waives the requirement for agreement if the covered entity is unable to obtain the individual's agreement due to incapacity or other emergency circumstance, and (1) the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity determines, in the exercise of professional judgment, that the disclosure is in the individual's best interests. By allowing covered entities, in the exercise of professional judgment, to determine whether such disclosures are in the individual's best interests, the final rule recognizes the importance of the provider-patient relationship.

In addition, the final rule allows covered entities to initiate disclosures of protected health information about victims without the victim's permission to law enforcement officials only if such disclosure is required under a state mandatory reporting law. In other circumstances, plans and providers may disclose protected health information only in response to a request from a law enforcement official. We believe that such an approach recognizes the importance of promoting trust between victims and their health care providers. If providers could initiate reports of victim information to law enforcement officials absent a legal reporting mandate, victims may avoid give their providers health information that could facilitate their treatment, or they may avoid seeking treatment completely.

Comment: Many commenters believed that access to medical records pursuant to this provision should occur only after judicial review. Others believed that it should occur only with patient consent or after notifying the patient of the disclosure to law enforcement. Similarly, some commenters said that the minimum necessary standard should apply to this provision, and they recommended restrictions on law enforcement agencies' re-use of the information.

Response: As discussed above, the final rule generally requires individual agreement as a condition for disclosure of a victim's health information; this requirement provides greater privacy protection and individual control than would a requirement for judicial review. We also discuss above the situations in which this requirement for agreement may be waived, and why that is appropriate. The requirement that covered entities disclose the minimum necessary protected health information consistent with the purpose of the disclosure applies to disclosures of protected health information about victims to law enforcement, unless the disclosure is required by law. (See § 164.514 for more detail on the requirements for minimum necessary use and disclosure of protected health information.) As described above, HIPAA does not provide statutory authority for HHS to regulate law enforcement agencies' re-use of protected health information that they obtain pursuant to this rule.

Comment: A few commenters expressed concern that the NPRM would not have required law enforcement agencies' requests for protected health information about victims to be in writing. They believed that written requests could promote clarity in law enforcement requests, as well as greater accountability among law enforcement officials seeking information.

Response: We do not impose this requirement in the final rule. We believe that such a requirement would not provide significant new protection for victims and would unduly impede the completion of legitimate law enforcement investigations.

Comment: A provider group was concerned that it would be difficult for covered entities to evaluate law enforcement officials' claims that information is needed and that law enforcement activity may be necessary. Some comments from providers and individuals expressed concern that the proposed rule would have provided open-ended access by law enforcement to victims' medical records because of this difficulty in evaluating law enforcement claims of their need for the information.

Response: We modify the NPRM in several ways that reduce covered entities' decision making burdens. The final rule clarifies that covered entities may disclose protected health information about a victim of crime where a report is required by state or other law, and it requires the victim's agreement for disclosure in most other instances. The covered entity must make the decision whether to disclose only in limited circumstances: when there is no mandatory reporting law; or when the victim is unable to provide agreement and the law enforcement official represents that: the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred, that the information will not be used against the victim, and that immediate law enforcement activity that depends on such information would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. In these circumstances, we believe it is appropriate to rely on the covered entity, in the exercise of professional judgment, to determine whether the disclosure is in the individual's best interests. Other sections of this rule allow covered entities to reasonably rely on certain representations by law enforcement officials (see § 164.514, regarding verification,) and require disclosure of the minimum necessary protected health information for this purpose. Together, these provisions do not allow open-ended access or place undue responsibility on providers.

Comments Regarding Proposed § 164.510(f)(4), Intelligence and National Security Activities

In the final rule, we recognize that disclosures for intelligence and national security activities do not always involve law enforcement. Therefore, we delete the provisions of proposed § 164.510(f)(4), and we address disclosures for intelligence and national security activities in § 164.512(k), on uses and disclosures for specialized government functions. Comments and responses on these issues are included below, in the comments for that section.

Comments Regarding Proposed § 164.510(f)(5), Health Care Fraud, Crimes on the Premises, and Crimes Witnessed by the Covered Entity's Workforce

Comment: Many commenters noted that proposed § 164.510(f)(5)(i), which covered disclosures for investigations and prosecutions of health care fraud, overlapped with proposed § 164.510(c) which covered disclosures for health oversight activities.

Response: As discussed more fully in § 164.512(d) of this preamble, above, we agree that proposed § 164.510(f)(5)(i) created confusion because all disclosures covered by that provision were already permitted under proposed § 164.510(c) without prior process. In the final rule, therefore, we delete proposed § 164.510(f)(5)(i).

Comment: One commenter was concerned the proposed provision would not have allowed an emergency room physician to report evidence of abuse when the suspected abuse had not been committed on the covered entity's premises.

Response: Crimes on the premises are only one type of crime that providers may report to law enforcement officials. The rules for reporting evidence of abuse to law enforcement officials are described in § 164.512(c) of the rule, and described in detail in § 164.512(c) of the preamble. An emergency room physician may report evidence of abuse if the conditions in § 164.512(c) are met, regardless of where the abuse occurred.

Comment: One commenter argued that covered entities should be permitted to disclose information that “indicates the potential existence” of evidence, not just information that “constitutes evidence” of crimes on the premises or crimes witnessed by a member of the covered entity's workforce.

Response: We agree that covered entities should not be required to guess correctly whether information will be admitted to court as evidence. For this reason, we include a good-faith standard in this provision. Covered entities may disclose information that it believes in good faith constitutes evidence of a crime on the premises. If the covered entity discloses protected health information in good faith but is wrong in its belief that the information is evidence of a violation of law, the covered entity will not be subject to sanction under this regulation.