How HIPAA protects privacy while addressing unidentified individuals

For unidentified individuals,  the Health Insurance Portability and Accountability Act (HIPAA) guarantees the protection of their privacy even as healthcare providers and law enforcement collaborate to determine their identity.  By limiting disclosures to the minimum necessary and requiring proper documentation, HIPAA upholds its mission of safeguarding personal health information, even in complex situations.

Unidentified individuals in healthcare settings

When healthcare providers encounter unidentified individuals, such as unconscious patients or those unable to confirm their identity, HIPAA still applies to any PHI collected during their care. Providers must handle this information with the same level of confidentiality as they would for identified patients.

See also: HIPAA Compliant Email: The Definitive Guide

HIPAA and unidentified individuals in legal contexts

Providers may encounter situations where law enforcement seeks information about unidentified individuals. The New York State Division of Criminal Justice Services outlines strict conditions under which this information may be shared:

• Court order, warrant, subpoena, or administrative process: a Provider may disclose information in response to a court order, warrant, subpoena or other administrative process if certain conditions are satisfied. (45 CFR § 164.512(f)(1)(ii));
• Identify person: if law enforcement requests information to help identify or locate a suspect, fugitive, material witness or missing person, a Provider may disclose the following limited information: (a) name and address, (b) date and place of birth, (c) social security number, (d) ABO blood type and rh factor, (e) type of injury, (f) date and time of treatment, (g) date and time of death, and (h) a description of distinguishing physical characteristics. Other information related to the individual's DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request. (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a "wanted" poster or bulletin;
• Death: a Provider may disclose information to notify law enforcement about the death of an individual if the Provider believes the death may have resulted from a crime;
• Fugitive: a Provider may disclose information to law enforcement to identify or apprehend an individual who appears to have escaped from lawful custody. (45 CFR § 164.512(j)(1)(ii)(B));
• Medical examiners and coroners: a Provider may disclose information about a decedent to medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties. (45 CFR § 164.512(g)(1)).”

Read also: Protocols for safeguarding patient information during emergencies

FAQs

What is considered “minimal necessary information” for unidentified individuals?

Minimal necessary information includes only the data required to achieve the intended purpose, such as a name, address, or basic physical description. Sensitive data, like DNA or dental records, cannot be shared without a court order.

Learn more: What is the Minimum Necessary Standard?

What should a healthcare provider do before disclosing PHI to law enforcement?

Providers should:

• Verify the identity and authority of the requesting law enforcement official.
• Limit disclosures to the minimum necessary information.
• Document the circumstances of the disclosure in compliance with HIPAA regulations.