Law Enforcement HIPAA Reference Guide

Date post: 16-Apr-2017
Upload: natan-bradbury

VITECH | 800-536-2156 | vitechpros.com | COPYRIGHT © 2016 VITECH

THE LAW ENFORCEMENT HIPAA REFERENCE GUIDE

Please Note:

Any organization that stores, processes or transmits personal health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and safeguard all protected data.


INTRODUCTION:

Law Enforcement Officers do not technically fall under the provisions of HIPAA. However, they have to deal with protected health information on a constant basis. It is crucial for them to know what their responsibilities are under HIPAA, under what circumstances they can request access to an individual’s health record, and what information they are able to obtain.

The Law Enforcement HIPAA Reference Guide is specifically written and designed for this purpose. The Guide is brief, but it covers the relevant aspects of HIPAA that LEOs need to know. Topics include the legal background on HIPAA and the Privacy Rule. Of most importance is the section on Law Enforcement, which contains specific details covering the circumstances under which PHI may be disclosed to law enforcement.

This Reference Guide is available in PDF format, but is designed to be used as a desk reference, as each section is tabbed for quick reference. We are certain you will find it useful and informative.


TABLE OF CONTENTS

Introduction
About HIPAA / HITECH
HIPAA Privacy Rule
Protected Health Information (PHI)
Use and Disclosure of PHI
Law Enforcement


ABOUT HIPAA / HITECH

HIPAA is U.S. Public Law 104-191 — the Health Insurance Portability and Accountability Act of 1996. Congress created the Act to improve health care enabled by the nation's health plans and providers. HIPAA mandates standards-based implementations of security controls by all health care organizations that create, store or transmit electronic protected health information (PHI). The HIPAA Security Rule governs protection of PHI. Organizations must certify their security programs via self-certification or by a private accreditation entity. Non-compliance can trigger various civil penalties, including fines and/or imprisonment.

HITECH is the Health Information Technology for Economic and Clinical Health Act, which brings additional compliance standards to healthcare organizations. It is directly related to HIPAA, and was part of the American Recovery and Reinvestment Act of 2009. HITECH requires healthcare organizations to apply "meaningful use" of security technology to ensure the confidentiality, integrity, and availability of protected data. Detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS).

On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “HIPAA Omnibus Rule,” a set of final regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Security is a crucial part of HIPAA / HITECH. The Department of Health and Human Services states, "[It] is important to recognize that security is not a one-time project, but rather an ongoing, dynamic process." HIPAA therefore requires security-related processes. HIPAA regulations do not mandate particular security technologies. Instead, they specify a set of principles for guiding technology choices.


HIPAA PRIVACY RULE

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

PROTECTED HEALTH INFORMATION (PHI)

PHI falls under the Privacy Rule. However, as e-PHI is simply PHI in electronic form, it is pertinent to include this section to review exactly what HHS considers PHI. According to the US Department of Health and Human Services, protected health information (PHI) is individually identifiable information that is:

1. Except as provided in item 2 of this definition,
   i. Transmitted by electronic media;
   ii. Maintained in electronic media; or
   iii. Transmitted or maintained in any other form or medium (includes paper and oral communication).

2. Protected health information excludes individually identifiable health information:
   i. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
   ii. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
   iii. In employment records held by a covered entity (see below for definition) in its role as employer; and
   iv. Regarding a person who has been deceased for more than 50 years.


Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and

1. Is created or received by a health care provider, health plan, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or the past, present, or future payment for health care to an individual, and
   i. That identifies the individual; or
   ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Individually identifiable health information (i.e., PHI) is subject to state and federal privacy and security rules including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA).

A covered entity is any health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a qualified transaction, as well as any business associates.

Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual.

These identifiers are:

- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- FAX number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers, including finger or voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

All protected health information is subject to federal Health Insurance Portability and Accountability Act (HIPAA) regulation.

USE AND DISCLOSURE OF PHI

According to the US Department of Health and Human Services, the general rules governing use and disclosure of PHI are as follows:

(1) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
   (i) To the individual;
   (ii) For treatment, payment, or healthcare operations, as permitted by and in compliance with § 164.506;
   (iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§ 164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure;
   (iv) Except for uses and disclosures prohibited under § 164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under § 164.508;
   (v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510;
   (vi) As permitted by and in compliance with this section, § 164.512, § 164.514(e), (f), or (g).

(2) Covered entities: Required disclosures. A covered entity is required to disclose protected health information:
   (i) To an individual, when requested under, and required by § 164.524 or § 164.528; and
   (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter.

(3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.

(4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information:
   (i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter; and
   (ii) To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information.


LAW ENFORCEMENT

Law Enforcement falls under neither the definition of a “covered entity” nor that of a “business associate” under HIPAA. Therefore, law enforcement agencies are not governed by the same regulations and safeguards as the above categories. However, they are only granted access to PHI by covered entities in the limited cases outlined below.

These circumstances include:

To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy of the grand jury process provides protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).

To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and that de-identified information cannot be used (45 CFR 164.512(f)(1)(ii)(C)).

To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person; but the covered entity must limit disclosures of PHI to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR 164.512(f)(2)).


About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2));

To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).

To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3)).

Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)).

Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)):

If the individual agrees

If the report is required by law

If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations (see 45 CFR 164.512(c)(1)(iii)(B)).


To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent injuries; and the Rule permits disclosures of PHI as necessary to comply with these laws.

To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).

Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties (45 CFR 164.512(g)(1)).

To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).

When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime (45 CFR 164.512(f)(6)). This provision does not apply if the covered health care provider believes that the individual in need of the emergency medical care is the victim of abuse, neglect or domestic violence; see above Adult abuse, neglect, or domestic violence for when reports to law enforcement are allowed under 45 CFR 164.512(c).

To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (45 CFR 164.512(j)(1)(i)).

To identify or apprehend an individual who appears to have escaped from lawful custody (45 CFR 164.512(j)(1)(ii)(B)).

To federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3)).


To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such PHI is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility (45 CFR 164.512(k)(5)).

Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).

Except when required by law, the disclosures to law enforcement summarized above are subject to the minimum necessary standard under HIPAA (45 CFR 164.502(b), 164.514(d)). When reasonable to do so, the covered entity may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for their lawful purpose (45 CFR 164.514(d)(3)(iii)(A)). Moreover, if the law enforcement official making the request for information is not known to the covered entity, the covered entity must verify the identity and authority of such person prior to disclosing the information (45 CFR 164.514(h)).


FOR MORE INFORMATION:

CONTACT VITECH TO LEARN HOW WE CAN HELP YOUR DEPARTMENT WITH

HIPAA COMPLIANCE.

PHONE: 800-536-2156

EMAIL: [email protected]

WEB: VITECHPROS.COM

Sources:
http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
http://www.hhs.gov/hipaa/for-professionals/privacy/index.html
http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html
