On September 17, 2021, Juliana Reno was quoted in For the Record on the parameters for releasing protected health information (PHI) to law enforcement.
According to the article, the healthcare industry has been well versed in the parameters of sharing PHI with law enforcement, but even with the best training, health information management (HIM) professionals, compliance staff, and clinicians can find themselves facing confusing situations. Often it comes down to understanding the relationship between the Health Insurance Portability and Accountability Act (HIPAA) and state laws.
Reno says there are two basic rules regarding how federal and state laws interact. “One rule is that if state law requires a disclosure, then HIPAA permits you to make that disclosure,” she says, emphasizing that state law does not “override” HIPAA, but HIPAA specifically provides this permission. “The second rule is that HIPAA is a floor, not a ceiling. If state law provides greater protection, then state law applies.”
Often, best practices dictate having a single role identified for responding to law enforcement, unless it’s a routine request. A healthcare organization’s compliance or privacy officer is a natural choice for centralizing requests, Reno says.
“If there are a lot of routine disclosures, an organization will generally want to have a specific policy because you don't want to bug the privacy officer for something that happens all the time,” she points out. If it happens frequently, it should come down to training appropriate staff such that “if the cop says ABC, you can give him 123,” Reno says.
Click here to access the article.