How HIPAA Rules Apply with Law Enforcement Investigations

HIPAA rules are meant to protect patient information, but what happens when there is a law enforcement investigation? Are police officers allowed to demand PHI without a warrant?

That issue was brought forth in August 2017 when video was released of a Salt Lake City, Utah nurse refusing to draw blood from an unconscious patient and give it to a detective. The University of Utah nurse, Alex Wubbels, said she could not draw blood unless the patient was under arrest, the patient consented, or that investigators had a warrant.

Salt Lake City Police Department Detective Jeff Payne claimed Wubbels was impeding an investigation and placed her in handcuffs.

Under HIPAA, covered entities may disclose PHI under the following circumstances in relation to law enforcement investigations:

• As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
• To identify or locate a suspect, fugitive, material witness, or missing person
• In response to a law enforcement official’s request for information about a victim or suspected victim of a crime
• To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death
• When a covered entity believes that protected health information is evidence of a crime that occurred on its premises
• By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime

Per HIPAA regulations, a subpoena would be required to gather patient PHI, which would include drawn blood. However, if the patient were suspected to be involved in a crime, then a covered entity would be required to disclose certain information.

In the Utah case though, the patient was not suspected of having committed a crime.

With judicial and administrative proceedings, the PHI disclosure process is fairly similar.

“Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal,” the Privacy Rule states. “Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.”

However, if state law requires covered entities to follow a police officer’s directive, then it must comply.

For example, North Carolina only requires that a blood draw be done safely – not that a provider demand a warrant.

“In North Carolina, a nurse must comply with the directive of a law enforcement officer to withdraw blood from an unconscious patient, unless the nurse determines that the withdrawal will endanger the safety of either the nurse or the patient,” explained a Womble Carylyle Sandridge & Rice, PLLC blog post.

“If the courts later determine that the withdrawal was unjustified or illegal, the results of the blood draw may be excluded from evidence,” the authors continued. “However, the nurse, hospital and/or practice that employs the nurse may not be held criminally or civilly liable for following the officer’s directive, complying with the statute, and withdrawing blood using the applicable standard of care.”

Covered entities must ensure that employees at all levels are trained on the specific requirements with regard to PHI disclosure. Varied state law, along with federal regulation, should be considered as providers determine their policies and procedures. From there, staff members need to know what is required.

Utah-based McKay Dee Hospital, which is owned by Intermountain Healthcare, told the Standard-Examiner that its own internal policies have not changed following the University of Utah incident. Intermountain Healthcare maintained that its policy is based on federal law.

“[Policy] requires law enforcement to have a patient in custody, a warrant or a patient’s permission before we can provide any information from a blood draw or any other protected health information,” Intermountain said in a statement. “Without the patient’s permission — which can be expressed verbally or in writing — or a legal document, our caregivers will not provide lab samples or protected health information.”

It can be tricky for providers to determine when they are compromising patient privacy and when they are adhering to law enforcement requests. HIPAA regulations work by finding the right balance between protecting individual privacy and ensuring information can flow freely.

Covered entities and their business associates must review federal and state regulations in regards to permissible PHI disclosure and when patient information can be shared with other entities.

“The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes,” the Privacy Rule states. “Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.”