When exploring medical privacy issues, it's very useful to have an overview of the laws that affect control and privacy of medical information. We encourage you to read our legal overview.
Federal and state laws define some privacy rights for people who want to keep their medical records out of the hands of law enforcement. But law enforcement has many ways to access medical data when investigating crimes, identifying victims, or tracking down a fugitive. Often, the police are able to seek out sensitive medical records without an individual's consent—and sometimes without a judge's authorization.
To understand this, it's useful to compare the federal standards set by the Health Insurance Portability and Accountability Act (HIPAA) to the more privacy-protective legal standards in the State of California. We'll be jumping back and forth between the two throughout this discussion. Note: this discussion doesn’t cover access to health records relating to treatment in federally funded substance abuse facilities and programs under 42 U.S.C. § 290dd-2 and its “Part 2” regulations, which has stricter rules.
Disclosures of medical information to law enforcement by covered entities
Under HIPAA, medical information can be disclosed to law enforcement officials without an individual’s permission in a number of ways. Disclosures for law enforcement purposes apply not only to doctors or hospitals, but also to health plans, pharmacies, health care clearinghouses, and medical research labs. That's because under the HITECH Act, as implemented by the HIPAA Omnibus Rule, both a "covered entity" and any business associate (BA) are directly subject to these law enforcement access rules.
California has somewhat stronger privacy rules that require more court involvement, because HIPAA does not preempt more privacy-protective state laws. In California, search warrants for medical records are generally authorized under the Penal Code and require judicial approval based on probable cause. Less stringent court orders based on a showing of good cause can also be used. And in California, even if a mere administrative subpoena is used, the California Penal Code requires an authorizing court order.
By contrast, HIPAA permits1 the police to use an administrative subpoena or other written request with no court involvement, as long as police include a written statement that the information they want is relevant, material, and limited in scope, and that de-identified information is insufficient.
Law enforcement can also bypass judicial and administrative processes under HIPAA to get access to medical records. For example, the police may request medical information directly to identify or locate a suspect, fugitive, witness, or missing person; when a crime has been committed at a health care facility; or when there is a medical emergency involved in a crime. In general, these are permissive disclosures—the covered entity or business associate may refuse.
Much information may be disclosed about a suspect or victim of a crime: name, address, date and place of birth, Social Security number, blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and any distinguishing physical characteristics. DNA test results, dental records, body fluid or tissue typing (other than blood type) or samples or analysis still require a court order, warrant, or written administrative request.
California’s Confidentiality of Medical Information Act (CMIA) has an exception to the consent requirement for disclosures of health information if they are made to a "law enforcement agency or a regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law."2 All of the California consent exceptions are in the Civil Code, while disclosures to law enforcement are controlled by the Penal Code.
Mandatory reporting to law enforcement
Certain types of reporting to law enforcement are mandatory. All states require health care providers to report child abuse or neglect and most states require reporting of elder abuse and neglect. All but four states (Alabama, New Mexico, Washington and Wyoming) have laws for mandatory reporting of domestic violence injuries and sexual assaults that are treated in a health care facility, although they vary greatly as to who must report, what data, and to what agency. Certain licensed professionals, like psychiatrists and psychologists, may be required by ethical standards or law to report individuals to law enforcement whom they believe are likely to commit a violent crime.
A trend toward protecting privacy?
There are signs that courts may be willing to impose greater restrictions on law enforcement access to medical records under both state and federal law. A 2010 New Hampshire Supreme Court decision found that even when police obtain a search warrant to obtain medical records from a hospital, additional procedures designed to honor the state-law physician-patient privilege were required.
More recently, a federal district court in Oregon held that the Drug Enforcement Administration (DEA) must use a search warrant to obtain prescription drug records from the Oregon Prescription Drug Monitoring Program. Oregon law requires a search warrant, but the DEA asserted that an administrative subpoena was sufficient—partly because DEA claimed that individuals have no reasonable expectation of privacy in these records. Rejecting that argument, the court stated: "Although there is not an absolute right to privacy in prescription information, as patients must expect that physicians, pharmacists, and other medical personnel can and must access their records, it is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records."
Notice of disclosure
Individuals are notified about law enforcement access to medical records only in a general way—by a HIPAA-mandated notice of privacy practices (NPP) they’re asked to read and sign when registering for treatment by a doctor or at a health facility for the first time or that they receive annually from their health insurer. This excerpt from the University of California San Francisco’s Notice of Privacy Practices is typical:
If asked to do so by law enforcement, and as authorized or required by law, we may release medical information:
- to identify or locate a suspect, fugitive, material witness, or missing person;
- about a suspected victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
- about a death suspected to be the result of criminal conduct;
- about criminal conduct at UCSF; and
- in case of a medical emergency, to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
If a patient requests it in writing, health care providers are required to account for disclosures of medical information to law enforcement. However, law enforcement may request that such disclosures be kept out of an accounting of disclosures. If the request is in writing, that ban can be for any length of time; if the request is verbal, the ban is for 30 days after the request.
For more details on law enforcement access to medical information:
U.S. Department of Health and Human Services (HHS) website, “When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?”
Washington State Hospital Association’s “Hospital and Law Enforcement Guide to Disclosure of Protected Health Information”