When does the Privacy Rule let covered entities disclose PHI to law enforcement? 

The HIPAA Privacy Rule permits PHI disclosure to law enforcement without patient authorization in specific situations, like complying with court orders or subpoenas, addressing crimes, preventing imminent threats, or ensuring safety in correctional facilities or national security contexts. 

 

General rules for disclosing PHI to law enforcement

Under HIPAA, covered entities may disclose PHI to law enforcement without patient authorization only under specific circumstances.

According to the HHS, "The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances such as responding to court orders, subpoenas, or legal mandates." These disclosures must adhere to two principles: the minimum necessary standard, which requires limiting the shared information to what is strictly necessary for the stated purpose, and verification, which involves confirming the identity and legal authority of the law enforcement official making the request. 

 

Specific circumstances for PHI disclosure

  • Legal orders and processes: Healthcare providers must disclose PHI in compliance with court orders or warrants and judicial subpoenas. These processes carry inherent legal protections, ensuring the request is lawful and justifiable.
  • Administrative requests: PHI can be disclosed under administrative subpoenas or investigative demands if the request is relevant to a legitimate law enforcement inquiry, specific and limited in scope, and when de-identified information would not fulfill the purpose.
  • Identifying or locating individuals: Providers may share limited details such as a person’s name, address, date of birth, and physical description to help locate suspects, fugitives, or missing persons. More sensitive information, like DNA or dental records, requires a court order.
  • Victims of crime: PHI can be disclosed if the victim consents or, when the victim is incapacitated, if law enforcement ensures the information will not be used against them. The provider must believe sharing is in the victim's best interest.
  • Abuse, neglect, and domestic violence: Child abuse reporting is mandatory under state law. Adult abuse may be disclosed with patient consent, when required by law, or to prevent serious harm, based on professional judgment.
  • Violent injuries: State laws often require reporting gunshot wounds, stab wounds, or similar injuries. HIPAA allows such disclosures when necessary to comply with these legal obligations.
  • Deaths related to criminal conduct: If a death is suspected to result from criminal activity, PHI may be disclosed to law enforcement officials investigating the case.
  • Crime evidence on premises: Healthcare providers can share PHI if it indicates a crime occurred on the premises to help law enforcement investigate the incident.
  • Medical emergencies involving crimes: When responding to off-site medical emergencies, providers may disclose PHI to describe the nature and location of a crime, but only when it is directly relevant to law enforcement efforts.
  • Preventing imminent threats: PHI may be disclosed to law enforcement if necessary to prevent a serious and immediate threat to the health or safety of individuals or the public.
  • National security and correctional institutions: PHI can be disclosed for national security activities, including intelligence operations or protective services. Additionally, information may be shared with correctional institutions to maintain safety and security for those in lawful custody.

 

Best practices for healthcare professionals

  • Verify requests: Always confirm the identity and legal authority of the requesting law enforcement official.
  • Limit information: Share only what is necessary under the circumstances.
  • Document disclosures: Maintain a clear record of what was disclosed, to whom, and why.
  • Consult legal counsel: If unsure, seek guidance from your organization’s legal team to ensure compliance.

 

FAQs

Can a covered entity disclose PHI to law enforcement if the patient is unconscious or unable to consent?

Yes, but only if the disclosure is necessary to determine if a crime occurred, law enforcement assures the PHI will not be used against the patient, and the provider determines it is in the patient’s best interest.

 

Are verbal requests from law enforcement enough to justify disclosing PHI?

Not always. Verbal requests must meet HIPAA’s verification requirements, and the covered entity must confirm the law enforcement official's authority and the legitimacy of the request.

 

Can PHI be disclosed to law enforcement during a public health emergency?

Only if the disclosure is necessary for public health purposes, such as addressing a bioterrorism threat or ensuring public safety, following specific legal guidelines.