HIPAA:

1
HIPAA Fiction, Fact, and Function
Julie Risher Public Safety Attorney Winston-Salem
Police Department
2
What is HIPAA?
Health Lawyers Relief Act of 2003?
Health Insurance Portability and Accountability
Act
Congress passed HIPAA in an effort to protect the
privacy and security of individually identifiable
health information.
3
What does HIPAA have to do with law enforcement?
HIPAA affects the type and amount of information
obtained from medical providers, or covered
entities.
4
FICTION
All health care providers, first responders,
rescue squads, and even local Red Cross blood
drives are covered entities.
5
FACT
Covered entity is defined as
health plan, a health care clearing house, or a
health care provider who transmits any health
information in electronic form or connection. The
definition includes, but is not limited to
hospitals, physician practices, dentist offices,
medical equipment suppliers, nursing homes,
pharmacies and hospice organizations.
What else may be covered? Hybrid entities (EMTs?
Fire? More later)
6
Fiction
Protected Health Information (PHI) only includes
information that is electronically transmitted.
FACT
Protected health information is defined as
individually identifiable health information that
is transmitted by electronic media, maintained in
any medium described in the definition of
electronic media or transmitted or maintained in
ANY other form or medium This includes paper,
microfiche, microfilm, audio tape,CDs, etc.
7
HIPAA defines a Law Enforcement Official as
officer or employee of any agency or authority of
the United States, a state, or an Indian tribe,
who is empowered by law to investigate or conduct
an official inquiry into a potential violation of
law or prosecute or otherwise conduct a criminal,
civil, or administrative proceeding arising from
an alleged violation of law.
8
Identity of Law Enforcement Official
In order to identify a law enforcement official,
a covered entity may rely on In person
presentation of an agency identification badge,
other official credentials, or other proof of
government status In writing request on
appropriate government letterhead In person
acting on behalf of public official written
statement on appropriate government letterhead
that the person is acting under the government's
authority or other evidence or documentation of
agency that establishes that the person is acting
on behalf of the public official
9
FICTION
Requests for medical records or PHI must be
written.
FACT
An oral request is sufficient where a written
statement is impractical.
10
Authority
In order to establish authority to request
records a covered entity may rely on A written
statement of the legal authority under which the
information is requested, or, if a written
statement would be impractical, an oral statement
of such legal authority or If the request is
made pursuant to legal process, warrant,
subpoena, order, or other legal process issued by
a grand jury or a judicial or administrative
tribunal, the request is presumed to constitute
legal authority.
11
When may covered entities give information to law
enforcement?

1. To locate a suspect
2. Victim consents
3. The crime is on the premises of the covered
   entity
4. Emergency is occurring elsewhere
5. Abuse, Neglect, and Domestic Violence

12
Locating Suspect
Officer must have subpoena, warrant, grand jury
subpoena, court order, or disclosure is otherwise
required by law to identify or locate suspect,
fugitive, material witness or missing
person. (Medicaid investigations, etc.)
Covered entity can disclose Name, address, SSN,
date and place of birth, ABO blood type and RH
factor, type of injury, date and time for
treatment, date and time of death, and
description of distinguishing physical
characteristics. (No DNA or DNA analysis, dental
records or typing, samples or analyses of body
fluids or tissue) (Search warrant should
override)
13
Victim Information
Law enforcement may obtain crime victims PHI if
Victim consents or Victim is dead and covered
entity suspects criminal conduct or Crime occurs
on the premises of the covered entity
14
Victim Information
If victim is unable to consent, the officer must
state that 1. PHI is necessary to determine if
a crime has occurred 2. PHI is not intended to
be used against victim 3. That immediate law
enforcement activity depends on the information
and will be materially, adversely affected by
delay AND The covered entity must conclude
that disclosure is in the victims best interest.
15
Crime on Premises
A covered entity may disclose PHI that the
covered entity in good faith believes to be
evidence of criminal conduct that occurred on the
premises of the covered entity.
16
Emergencies
Covered entity MAY disclose PHI if good faith
belief that use or disclosure is necessary to
prevent or lessen serious AND imminent threat to
someones or the publics health or safety
b/c 1. Individual admitted participation in a
violent crime (disclosure limited to statement
made) OR 2. Individual has escaped from a
correctional institute or from lawful custody
17
Emergencies
If an emergency is occurring elsewhere and PHI is
necessary to inform officer of the crime in
commission, the covered entity may reveal 1.
Location of the crime 2. Nature of the crime
3. Identity of victims 4. Identity,
description, and location of perpetrator
Information revealed is only what is necessary
for an officer to identify or apprehend an
individual because of his statement or because he
has escaped from custody.
18
Emergencies
A covered entity that uses or discloses protected
health information pursuant to an emergency is
presumed to have acted in good faith with regard
to its belief that disclosure is appropriate
19
Abuse, Neglect, or Domestic Violence

• A covered entity may disclose PHI if the covered
  entity reasonably believes the individual to be a
  victim of abuse, neglect, or domestic violence
  if
• Victim consents
• Pursuant to legal requirement
• Authorized by law and covered entity believes
  disclosure is necessary to prevent harm to
  patient or others
• 4. Person is incapacitated and officer states
  the information will not be used against the
  person and law enforcement action will be
  materially and adversely affected by the delay

20
Accounting
An individual has a right to receive an
accounting of disclosures of PHI made by a
covered entity in the six years prior to the date
on which the accounting is requested unless The
agency or official provides the covered entity
with a written statement that such an accounting
to the individual would be reasonably likely to
impede the agencys activities and specifying the
time for which such a suspension is required
21
Coping with HIPAA
Have privacy officer contact members for area
hospitals

• Obtain a search warrant to search hospital
  records with contempt provision for failure to
  comply
• Advance policy with the hospital for release of
• BAC/Toxicology
• Rape kit
• Encourage hospital to have a neutral HIPAA
  officer
• Educate your officers that they no longer
  automatically will get what they want

22
Judicial and Administrative Proceedings Civil
Lawsuits
Covered entity may disclose information at a
judicial or administrative hearing in response
to a court or administrative tribunal
order OR in response to a subpoena, discovery
request, or other lawful process
Requests must be specific and limited in scope.
23
Judicial and Administrative Proceedings

• If request is not accompanied by a court order,
• covered entities must receive satisfactory
  assurance that seeking parties have made
  reasonable efforts to
• ensure the individual subject to protection has
  been given notice
• (Notice includes good faith attempt at written
  notification that the parties have agreed to a
  qualified protective order or an order has been
  requested from a court or administrative tribunal
  to allow the individual to raise an objection)
  and

24
Judicial and Administrative Proceedings Continued
2. secure a qualified protective order (Covered
entity must receive written documentation that
parties have agreed to or requested an order that
prohibits the parties from disclosing the
information for any purpose other than the
litigation or proceeding and requires the
destruction of the information at the end of the
litigation or proceeding) The covered entity may
give notice and secure the order on its own.
25
Hypothetical
An informant sees Smith using drugs. Smith is
arrested for heroin possession. Officers place
him in the backseat of a patrol car. While in
the patrol car, Smith dies of a drug overdose.
Smiths estate files suit against the police
department. May the police department gain
Smiths PHI in the wrongful death case? Yes must
obtain protective order and must destroy at end
of litigation.
26
Can Your Agency or Officers Be Sued Under
HIPPA? HIPAA does not create a private cause of
action.
(Source legislative intent see ODonnell v.
Blue Cross and Blue Shield of Wyoming, 173,
F.Supp.2d 1176 (D.Wyo. 2001), Means v. Indep.
Life and Acc. Ins. Co., 963 F.Supp. 1131, 1135
(M.D. Ala. 1997), Brock v. Provident America Ins.
Co., 144 F.Supp.2d 652, 654 (N.D. Tex. 2001),
Wright v. Combined Ins. Co. of America, 959
F.Supp. 356, 362-363 (N.D. Miss. 1997))
27
Fiction
Employers cannot gain any health care information
about employees.
28
FACT

• There are limited circumstances in which a
  covered entity can disclose PHI to an employer
  without employee authorization.
• The covered entity must provide service at the
  request of the employee (as a member of the
  employers workforce) or the employer
• 2. The covered entity must provide service
  related to the medical surveillance of the
  workplace or an evaluation to determine whether
  the individual has a work-related illness AND
• 3. The employer must have duty under OSHA (or
  similar state law) to keep records or act on such
  information.

29
Fiction
Pre-placement tests, drug tests, and fitness for
duty examinations are not performed for the
previous reasons, so PHI related to these tests
cannot be revealed.
FACT
It remains to be seen whether an employer can
condition employment on the individual giving
authorization.
30
FACTS CONTINUED
Probably employers CAN condition continued
employment on disclosure of results of fitness
for duty examinations (disclosures of the
analysis/basis for the result is less clear).
Nothing in the statute prohibits an employer from
making employment contingent on an individual
authorizing disclosure of relevant PHI.
31
FACT
TIP Employers should keep medical documentation
separate from personnel files and any files used
for health insurance purposes.
If a division of a police or fire department
provides emergency medical care, then it is a
covered entity.
A hybrid entity is one that uses or discloses
protected health information for only part of its
business operations.
Hybrid entities are required to create adequate
firewalls between their health care components
and other components disclosure rules for
covered entities apply.
32
FICTION
Prisoners and detainees have all the same rights
as other individuals under HIPAA.
33
FACT
Inmates do not have a right to notice and are
given only limited rights regarding release of
their PHI.
HIPAA Definitions
Inmate person incarcerated in or otherwise
confined to a correctional institution. (not
pretrial release, probation, or parole).
Correctional Institution Very broad, including
halfway houses and residential community
programs.
Medical care providers may disclose inmate PHI
for treatment, payment, or health care operations
without inmates authorization.
34
Inmate PHI can be revealed when.
PHI may be disclosed to a correctional
institution or a law enforcement official having
lawful custody of an inmate without written
authorization if the institution or official
represents that the PHI is needed for the
provision of health care to such
individuals, the health and safety of such
individual or other inmates, the health and
safety of officers or employees or others at the
correctional institution, the health and
safety of such individuals and officers or other
persons responsible for the transport of
inmates or their transfer from one institution,
facility or setting to another enforcement on
the premises of the correctional institution,
the administration and maintenance of the safety,
security, and good order of the correctional
institutional.
35
Inmates PHI
Covered entities do not have to provide inmates
with Notices of Privacy during their
incarceration. An inmate who asks may inspect
his PHI unless a basis for denial exists.
Covered entities may deny inmate inspection of
PHI if it would jeopardize the health, safety,
security, custody, or rehabilitation of the
individual or other inmates or the safety of any
person transporting the inmate.
36
If you remember nothing else about HIPAA,
remember that

• HIPAA is here for the patient, not for law
  enforcement and
• Establishing relationships and determining what
  information health care providers will release is
  essential preparation BEFORE you need the
  information.