{"id":1392,"date":"2017-11-14T14:39:45","date_gmt":"2017-11-14T19:39:45","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=1392"},"modified":"2017-11-14T14:39:45","modified_gmt":"2017-11-14T19:39:45","slug":"what-happens-when-the-police-demand-phi","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=1392","title":{"rendered":"What Happens When The Police Demand PHI"},"content":{"rendered":"

Alexander Thompson
\nSenior Symposium Editor
\nLoyola University Chicago School of Law, J.D. 2018<\/em><\/p>\n

 <\/p>\n

It happens in every emergency department: a law enforcement officer comes into the ER at two o\u2019clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient\u2019s PHI without authorization from the patient? In some situations, is it even required?<\/p>\n

There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient\u2019s PHI to law enforcement without the patient\u2019s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.<\/p>\n

<\/p>\n

The University of Utah Hospital Incident <\/strong><\/p>\n

While the scenario might be different each time, the threat of a law enforcement officer demanding information about a patient is very real. On July 26th, 2017<\/a>, police entered the University of Utah Hospital burn unit and demanded that the victim of a recent crash have his blood drawn, and that the results be handed over to the officers. A nurse refused, citing the hospital\u2019s policy on blood draws, which referenced the patient\u2019s right to privacy under both HIPAA and state law. The nurse told<\/a> the officers that absent a court order, the patient\u2019s consent, or official notification patient was under arrest, she could not comply with the request. Since none of these criteria applied, the nurse refused to give any information without authorization from the patient. The law enforcement officers proceeded to arrest the nurse.<\/p>\n

The arrest was recorded, and the video posted online, where it went viral. The incident quickly became headline news. This high-profile situation opened the door to a conversation about HIPAA and patient\u2019s privacy rights throughout the country.<\/p>\n

HIPAA <\/strong><\/p>\n

45 C.F.R. \u00a7 164.512(f)<\/a> is the regulation within HIPAA that governs disclosures of PHI to law enforcement officers. This regulation allows for disclosures to be made under six circumstances: 1) pursuant to process and as otherwise required by law, 2) giving limited information for identification and location purposes, 3) when the PHI concerns victims of a crime, 4) informing decedents, 5) notifying police regarding crime on the premises, and 6) reporting crime in emergencies.<\/p>\n

In the situation at the University of Utah, the nurse stated that she could give the law enforcement officers the blood draw information if the law enforcement officers had a court order, the patient gave consent, or the law enforcement officers placed the patient under arrest. In light of HIPAA and state law, she was correct.<\/p>\n

As to her first statement: under 45 C.F.R. \u00a7 164.512(f)(1), a court order would allow the nurse to give the police officers the blood draw information.<\/p>\n

While the nurse used the phrase \u201cpatient consent,\u201d as the second set of circumstances under which she could release the information, \u201cauthorization<\/a>\u201d is actually the correct term. HIPAA does allows for the release of patient information (that isn\u2019t allowed under treatment, payment or healthcare operations) with the patient\u2019s prior written authorization<\/a>.<\/p>\n

Finally, as for the third statement from the nurse, there is a Utah law<\/a> allowing for blood draws of patients who police have reasonable belief were driving under the influence. This brings to light the fact that not only was federal privacy law important during this scenario but that state privacy law was as well.<\/p>\n

State Law <\/strong><\/p>\n

While these HIPAA provisions may seem straightforward and easy to implement through policies and procedures, state law complicates things. If state privacy laws are more restrictive<\/a> than the HIPAA privacy regulations, then state law preempts that section of HIPAA. For example, Illinois has very restrictive mental health<\/a>, AIDS<\/a>, and genetic information<\/a> privacy acts. Therefore, entities in Illinois have to abide by both HIPAA privacy regulations and the more restrictive privacy laws mentioned above.<\/p>\n

In the Utah scenario discussed above, there was an applicable state law. However, the Utah state law added a wrinkle to HIPAA privacy law as it allowed police<\/a> to order a blood draw when the police have reasonable belief an individual was driving under the influence. In this situation, the police were actually attempting to prove<\/a> that the driver had not been operating a vehicle while under the influence and thus, the statute did not apply in this situation.<\/p>\n

Conclusion <\/strong><\/p>\n

The situation at the University of Utah Hospital is extremely troubling, since the nurse followed HIPAA and state law exactly as written, and was still arrested. In order to ensure that this never happens again, states and hospitals can take preventative steps. For instance, in Utah the state legislature is drafting a new provision<\/a> to clarify when law enforcement officers can require a blood draw. The University of Utah Hospital itself has banned law enforcement officers<\/a> from patient care areas and from interacting with nurses.<\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

It happens in every emergency department: a law enforcement officer comes into the ER at two o\u2019clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient\u2019s PHI without authorization from the patient? In some situations, is it even required?<\/p>\n

There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient\u2019s PHI to law enforcement without the patient\u2019s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[321,1032,1228,1577,1597,1622,1623],"class_list":["post-1392","post","type-post","status-publish","format-standard","hentry","category-hipaa-health-information","tag-breach","tag-hipaa-2","tag-law-enforcement","tag-phi","tag-police","tag-privacy","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/1392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1392"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/1392\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}