For years, law enforcement has bypassed traditional means of securing evidence by informal requests for documents from witnesses of crimes. At some point, that practice bled over into informal requests for healthcare providers’ documents, including documents reflecting protected health information (PHI). Healthcare providers, for the most part, have complied with these informal requests because, as the logic goes, law enforcement couldn’t possibly prosecute me for complying with law enforcement, right? Isn’t that entrapment?

This cooperative, well-intentioned practice by healthcare providers now appears to be drawing scrutiny from Congress. On December 12, 2023, members of Congress sent a letter to Health & Human Services Secretary Xavier Becerra announcing the results of a Congressional inquiry into the practice of pharmacies handing over patient information without legal process. In the face of that new scrutiny, which is sure to extend beyond pharmacies to all healthcare providers, what are healthcare providers to do when asked for PHI through informal means?

The Law Enforcement Exception to HIPAA

As a baseline, HIPAA-covered entities may disclose PHI to law enforcement with a patient’s signed HIPAA authorization. But what about when the patient has not authorized release?

HIPAA regulations list several scenarios in which covered entities can provide PHI to law enforcement absent patient authorization. Those include instances where there is a serious and imminent threat to someone’s health or safety, where a crime has occurred on the premises of the covered entity and the covered entity believes in good faith that PHI is evidence of that crime, or where there is some other legal obligation to report something involving PHI (like reporting gunshots).

HIPAA regulations also permit covered entities to provide PHI to law enforcement in response to (1) a court order, (2) a court-ordered warrant, (3) a subpoena or summons issued by a “judicial officer,” (4) a grand jury subpoena, or (5) an “administrative request.”

That fifth basis under the law enforcement carveout to HIPAA—an “administrative request”—is subject to many interpretations. The exact language of the carveout reads:

(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

1. The information sought is relevant and material to a legitimate law enforcement inquiry;

2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and

3. De-identified information could not reasonably be used.

45 C.F.R. § 164.512(f)(1)(ii)(C).

It is clear from that language that a Civil Investigative Demand, which is the tool most commonly used by Justice Department attorneys in False Claims Act investigations, is adequate for releasing PHI to the Justice Department attorneys indicated on the Civil Investigative Demand. It is also clear that an administrative subpoena under 18 U.S.C. § 3486, commonly known as a HIPAA subpoena within the Justice Department, is a proper vehicle for PHI release. What is less clear is the status of an informal request by law enforcement for PHI. If that informal request by law enforcement makes clear that it is relevant and material to a law enforcement inquiry, should healthcare providers acquiesce and turn over PHI as requested?

The answer has long been “yes,” recognizing that (1) the term “administrative request” is not defined in 45 C.F.R. § 164.512, (2) the portion of the regulation that lists out examples of administrative requests is non-exhaustive because of the word “including,” and (3) perhaps most importantly, healthcare providers do not want to anger the law enforcement officer making the request by saying “no.” And so healthcare providers have long provided PHI to law enforcement in the absence of a formal legal process under the rationale that an informal request suffices as an “administrative request.”

Congress’s Objection to Turning Over PHI Absent Formal Legal Process

In July of 2023, 44 members of Congress wrote a letter to Secretary of Health and Human Services Xavier Becerra asking for more stringent HIPAA regulations relating to “warrantless” requests by law enforcement for PHI. Those members of Congress specifically sought modifications to 45 C.F.R. § 164.512 that would permit covered entities to provide PHI to law enforcement “only when that agency obtains a search warrant, issued by a judge upon finding of probable cause” of a crime.

A subset of those members of Congress followed up on December 12, 2023, to alert Secretary Becerra that they had inquired of pharmacies and found that many of the pharmacies turn over PHI to law enforcement without what those members of Congress believed to be sufficient legal grounds.

What Healthcare Providers Should Do When They Receive an Informal Request for PHI

While HHS works on finalizing new regulations relating to the HIPAA standard for complying with law enforcement requests, healthcare providers should pay extra attention to their processes for turning PHI over to law enforcement. In the absence of some listed legal process in 45 C.F.R. § 164.512(f)(1)(ii)(C), healthcare providers should think carefully about whether to turn over PHI, given increased Congressional scrutiny. The best practice would be to have experienced counsel contact the law enforcement agent or officer making the request and explain the increased level of scrutiny by Congress, and instead ask for some legal process to satisfy the current regulations.

Healthcare providers should also establish procedures to run law enforcement requests through a legal professional. Part of the December 12, 2023 letter to HHS protested some pharmacy procedures in which staff members in stores respond to law enforcement requests with no involvement of any lawyer or paralegal. One best practice could be to route law enforcement PHI requests and proposed disclosures through a trained legal professional prior to disclosure, to ensure that providers are abiding by the current regulations. Clearer regulations are likely coming soon, but until then, to stay out of a Congressional hearing room, healthcare providers would be wise to check their PHI protections when it comes to informal law enforcement requests.

Jonathan Porter

Jonathan uses his years of experience as a federal prosecutor to guide clients through the challenges associated with government investigations and regulatory compliance.

Jonathan brings to clients a thorough working knowledge of how the U.S. government targets and pursues criminal and civil investigations, particularly those involving the healthcare industry. He is a former Assistant U.S. Attorney for the Southern District of Georgia, and in that capacity, he brought charges against numerous individuals and companies under federal law, including criminal charges of health care fraud, wire fraud, and violation of the Anti-Kickback Statute, and civil complaints alleging violations of the False Claims Act.

At the Department of Justice, Jonathan was a key member of multiple international health care fraud takedowns, in which Jonathan charged dozens of doctors, nurses, and other licensed medical professionals, along with marketers and health care executives for alleged participation in healthcare fraud schemes involving billions of dollars in false billings. In total, these charges resulted in more than 30 guilty pleas plus a conviction in the nation’s first trial of a medical professional charged as part of Operation Brace Yourself, which Jonathan first-chaired. Jonathan also was active in dozens of civil investigations brought under the False Claims Act. Jonathan resolved tens of millions of dollars in civil settlements and judgments for False Claims Act violations.

Jonathan also advises clients on a range of regulatory issues, along with the development and implementation of corporate compliance programs. He uses his unique perspective as a former AUSA, providing a prosecutor’s eye for detail in helping clients understand how DOJ and other agencies view compliance, particularly in light of the changing standards for compliance as outlined in the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) and implemented in the Department’s white-collar crime enforcement initiative.