Rights and responsibilities of law enforcement regarding HIPAA
Kirsten Peremore
Apr 15, 2025 10:43:45 AM

Law enforcement’s responsibilities under HIPAA include ensuring requests for PHI are narrowly tailored to the investigation’s scope. They gain access to PHI through HIPAA’s exceptions, which permit but do not require disclosures under specific conditions. For example, a clinic may disclose PHI in response to a valid court order but is not obligated to comply with informal requests lacking legal process.
Ambiguities in the law create challenges. The Journal of Law and the Biosciences study ‘Forensic Genetics in the Shadows’ notes, "The scope of [HIPAA’s] language has not been fully vetted by the courts," leaving healthcare providers uncertain about when to deny overly broad requests.
Situations where law enforcement can access PHI without a warrant
HIPAA’s Privacy Rule allows disclosures of PHI where PHI is needed to identify or locate suspects, witnesses, or missing persons, to report crimes occurring on healthcare premises, or to respond to medical emergencies linked to criminal activity. For example, the Privacy Rule allows healthcare providers to disclose PHI pursuant to legal process and as otherwise required by law, such as in response to a court order, subpoena, or administrative request. These disclosures are subject to conditions: the request must be relevant and material to a legitimate law enforcement inquiry, and it must be specific and limited in scope.
Newborn screening programs (NSPs), for example, have become a contentious area. Law enforcement agencies have accessed residual blood spots from NSPs without warrants, relying on HIPAA exceptions that permit disclosures if state law authorizes such access. The Journal of Law and the Biosciences study mentioned above notes that “the HIPAA Privacy Rule contains several exceptions that permit disclosures of medical data to law enforcement without a warrant,” particularly when PHI is sought for “serious and ongoing crimes.”
Role of the USA PATRIOT Act in broadening access to medical records
According to a Clinical Microbiology Reviews article on genome sequencing in outbreak situations, “The USA Patriot Act expanded law enforcement’s ability to access medical records under the guise of national security. Under Section 215, federal officials can obtain tangible things, including PHI, for intelligence investigations without demonstrating probable cause. This has led to concerns that public health officials could inadvertently become conduits for warrantless surveillance, eroding trust in medical institutions.”
The provision has been criticized for creating a loophole in patient privacy protections, as public health agencies, which are not HIPAA-covered entities, may share data with law enforcement during national security emergencies.
The Patriot Act allows covered entities to disclose PHI to authorized federal officials for lawful intelligence, counterintelligence, and other national security proceedings.
The notice requirements for disclosures to law enforcement
- Notification for breaches: Healthcare organizations must notify individuals if their unsecured PHI is disclosed due to a breach, as required by the HITECH Act and HIPAA Omnibus Rule.
- No obligation for routine disclosures: Generally, healthcare organizations are not required to notify individuals when PHI is disclosed to law enforcement under HIPAA's permitted exceptions.
- Accounting of disclosures: While individuals have the right to request an accounting of disclosures made by a covered entity, this does not apply to disclosures made for law enforcement purposes, as these are exempt from the accounting requirement.
- Privacy practices notice: All patients must receive a Notice of Privacy Practices, which outlines how PHI may be used and disclosed, including to law enforcement under certain conditions. However, this notice does not specifically address each instance of disclosure.
- Data use agreements: When sharing PHI with law enforcement or other entities, healthcare organizations must ensure that appropriate agreements are in place to safeguard the data, though these agreements do not necessarily involve direct patient notification.
Could warrantless access violate Fourth Amendment protections?
Courts have grappled with whether accessing genetic databases like NSPs without a warrant violates the Fourth Amendment. The third-party doctrine, which historically allowed warrantless access to data shared with third parties (e.g., cell phone records), was limited by the Supreme Court in Carpenter v. United States (2018).
The legal summary of the Carpenter case provided that, “The Fourth Amendment protects ‘[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.’ The ‘basic purpose of this Amendment,’ the cases have recognized, ‘is to safeguard the privacy and security of individuals against arbitrary invasions by governmental officials.’” The Court ruled that individuals retain privacy rights over data revealing detailed, encyclopedic, and compellingly personal information, even if shared with third parties.
Applying Carpenter to health data, the Carpenter factors tip in the direction of requiring a warrant to search the NSP database. Loopholes remain: if a state statute permits law enforcement access to NSPs, officers can obtain the blood spots and run chemical analyses on them without a warrant. This creates a patchwork of protections dependent on state law, undermining uniform Fourth Amendment protections.
Responsibilities of healthcare organizations when dealing with law enforcement
The Journal of the American Medical Informatics Association journal article Dobbs and the Future of Health Data Privacy for Patients and Healthcare Organizations states, “The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes ‘pursuant to process and as otherwise required by law,’ under certain conditions. For example, a covered entity may respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.”
If a clinic receives a court order for abortion records, it may disclose only the information expressly authorized by the order. Conversely, requests lacking enforceable legal mandates (e.g., informal police inquiries) must be denied to avoid HIPAA violations. Organizations also face ethical dilemmas when PHI could reveal sensitive information, such as genetic predispositions to diseases.
Authority granted under the HITECH Act for state-level enforcement
The ‘Virtual Mentor’ published in the American Medical Association Journal of Ethics notes, “While HITECH is a federal law, it grants both the Department of Health and Human Services and state attorneys general the authority to enforce the law. This dual enforcement authority raises the specter of politically motivated investigations of PHI disclosures.”
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA enforcement by empowering state attorneys general to pursue legal actions against violations. Under HITECH, states can file civil lawsuits on behalf of residents harmed by HIPAA breaches, seeking injunctions or damages.
Decentralized enforcement allows states to address local privacy concerns more effectively. For example, the HITECH Act amended HIPAA’s penalty structure to include tiered ranges of civil money penalties based on violation severity. States can leverage these provisions to penalize covered entities that improperly disclose PHI to law enforcement.
FAQs
What types of healthcare information are protected under HIPAA?
PHI includes any individually identifiable health data, such as medical records, lab results, treatment details, and even billing information, held by healthcare providers, health plans, and related entities.
Are mental health records treated differently from other types of healthcare information?
Yes, mental health records are subject to additional protections under HIPAA and sometimes even stricter state laws. Even when law enforcement presents valid legal documentation, extra caution is typically exercised in disclosing psychiatric information due to its highly sensitive nature.
What should a patient do if they believe their healthcare data was inappropriately disclosed to law enforcement?
Patients who suspect that their PHI has been disclosed without proper legal authority should first request a detailed explanation from their healthcare provider. If the issue is not resolved, they may consider filing a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) or seeking independent legal counsel to explore further action.
How do emergency situations affect the disclosure of PHI to law enforcement?
In emergencies, such as situations involving imminent harm or major public safety incidents, healthcare providers may disclose PHI to law enforcement without prior patient consent.