Senior Symposium Editor
Loyola University Chicago School of Law, J.D. 2018
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
The University of Utah Hospital Incident
While the scenario might be different each time, the threat of a law enforcement officer demanding information about a patient is very real. On July 26th, 2017, police entered the University of Utah Hospital burn unit and demanded that the victim of a recent crash have his blood drawn, and that the results be handed over to the officers. A nurse refused, citing the hospital’s policy on blood draws, which referenced the patient’s right to privacy under both HIPAA and state law. The nurse told the officers that absent a court order, the patient’s consent, or official notification patient was under arrest, she could not comply with the request. Since none of these criteria applied, the nurse refused to give any information without authorization from the patient. The law enforcement officers proceeded to arrest the nurse.
The arrest was recorded, and the video posted online, where it went viral. The incident quickly became headline news. This high-profile situation opened the door to a conversation about HIPAA and patient’s privacy rights throughout the country.
45 C.F.R. § 164.512(f) is the regulation within HIPAA that governs disclosures of PHI to law enforcement officers. This regulation allows for disclosures to be made under six circumstances: 1) pursuant to process and as otherwise required by law, 2) giving limited information for identification and location purposes, 3) when the PHI concerns victims of a crime, 4) informing decedents, 5) notifying police regarding crime on the premises, and 6) reporting crime in emergencies.
In the situation at the University of Utah, the nurse stated that she could give the law enforcement officers the blood draw information if the law enforcement officers had a court order, the patient gave consent, or the law enforcement officers placed the patient under arrest. In light of HIPAA and state law, she was correct.
As to her first statement: under 45 C.F.R. § 164.512(f)(1), a court order would allow the nurse to give the police officers the blood draw information.
While the nurse used the phrase “patient consent,” as the second set of circumstances under which she could release the information, “authorization” is actually the correct term. HIPAA does allows for the release of patient information (that isn’t allowed under treatment, payment or healthcare operations) with the patient’s prior written authorization.
Finally, as for the third statement from the nurse, there is a Utah law allowing for blood draws of patients who police have reasonable belief were driving under the influence. This brings to light the fact that not only was federal privacy law important during this scenario but that state privacy law was as well.
While these HIPAA provisions may seem straightforward and easy to implement through policies and procedures, state law complicates things. If state privacy laws are more restrictive than the HIPAA privacy regulations, then state law preempts that section of HIPAA. For example, Illinois has very restrictive mental health, AIDS, and genetic information privacy acts. Therefore, entities in Illinois have to abide by both HIPAA privacy regulations and the more restrictive privacy laws mentioned above.
In the Utah scenario discussed above, there was an applicable state law. However, the Utah state law added a wrinkle to HIPAA privacy law as it allowed police to order a blood draw when the police have reasonable belief an individual was driving under the influence. In this situation, the police were actually attempting to prove that the driver had not been operating a vehicle while under the influence and thus, the statute did not apply in this situation.
The situation at the University of Utah Hospital is extremely troubling, since the nurse followed HIPAA and state law exactly as written, and was still arrested. In order to ensure that this never happens again, states and hospitals can take preventative steps. For instance, in Utah the state legislature is drafting a new provision to clarify when law enforcement officers can require a blood draw. The University of Utah Hospital itself has banned law enforcement officers from patient care areas and from interacting with nurses.