Hospitals have a duty to do more than just care for patients. Healthcare providers must also protect patient information—even from law enforcement officers who come knocking. Scenarios in which police arrive with a notebook in hand seeking to interview staff can put you in a tricky position. How do you work with authorities while also staying on the right side of the Health Insurance Portability and Accountability Act (HIPAA)?
Healthcare regulatory compliance expert Kim Stanger knows more than almost anyone about the unique laws healthcare providers must adhere to. He explains how to handle law enforcement demands while upholding your HIPAA compliance duties in his live webinar for ProfEdOnDemand, “HIPAA and Law Enforcement: How to Respond to Subpoenas, Orders, and Warrants.” The key is to know the rules (and their exceptions) inside and out—as well as how they apply in specific legal settings.
Arrested for HIPAA Compliance? It Can Happen
When it comes to the rock-and-a-hard-place position between police requests and HIPAA rules, you don’t have to go too far to find horror stories. One that grabbed headlines recently occurred in Utah, where a nurse refused to let an officer draw the blood of an unconscious patient who was the target of an investigation. Footage from the incident shows the nurse being roughed up by police for her refusal—even though she was right.
“The nurse was complying with her hospital’s policy, ethics policies developed by nursing associations, and HIPAA regulations governing patient privacy—as well as, potentially, Utah’s state privacy laws that in certain circumstances pre-empt HIPAA regulations,” noted the Journal of AHIMA. “The law was on [the nurse’s] side.”
The event highlighted common disputes between law enforcement officers and healthcare providers, with both sides occasionally crying foul. The release of protected health information is only allowed under certain narrowly defined circumstances, according to the American Health Information Management Association (AHIMA).
What to look for: For a release to be legal, providers need to be shown court-ordered documentation, a warrant, a subpoena, or a filled-out Request from Law Enforcement for Release of Protected Health Information (PHI) form.
Protect the Community v. Protect the Patient
The problem is that HIPAA does not cover every entity equally, note HIPAA compliance experts Jonathan B. Tomes and Alice M. McCart. In other words, while HIPAA is front and center for hospitals, it does not apply to most law enforcement agencies. And while physicians can be detained for not assisting law enforcement—as the Utah case shows—they can also be hit with massive HIPAA fines for running afoul of privacy rules.
Meanwhile, the public can argue that withholding some sorts of health information—for example, to use the Utah case again, information revealing if a person is or was intoxicated—puts regular citizens at risk.
Unfortunately, health care providers need to be able to think on their feet and act fast if officers show up, as there may not be time to consult hospital HIPAA experts.
What can be reported? According to Health IT Security, the quick list includes information that:
- Is required by law, as in the case of court-ordered mandates;
- Will be used to identify or locate a suspect, fugitive, witness, or missing person;
- Reveals criminal activity; and/or
- Addresses a medical emergency (that did not occur on the health care center’s property).
Providers can also look to the American Nurses Association (ANA) Code of Ethics, which includes following the informed consent process and acting in the patient’s interests. Even with all these tools, notes Nurse.com, walking the fine line between two competing legal interests means crossing an ethical and legal minefield.
Which means that knowing the law, says Stanger, is both your best defense and your best offense.