For years, law enforcement has bypassed traditional means of securing evidence by informal requests for documents from witnesses of crimes. At some point, that practice bled over into informal requests for healthcare providers’ documents, including documents reflecting protected health information (PHI). Healthcare providers, for the most part, have complied with these informal requests because, as the logic goes, law enforcement couldn’t possibly prosecute me for complying with law enforcement, right? Isn’t that entrapment?
This cooperative, well-intentioned practice by healthcare providers now appears to be drawing scrutiny from Congress. On December 12, 2023, members of Congress sent a letter to Health & Human Services Secretary Xavier Becerra announcing the results of a Congressional inquiry into the practice of pharmacies handing over patient information without legal process. In the face of that new scrutiny, which is sure to extend beyond pharmacies to all healthcare providers, what are healthcare providers to do when asked for PHI through informal means?
The Law Enforcement Exception to HIPAA
As a baseline, HIPAA-covered entities may disclose PHI to law enforcement with a patient’s signed HIPAA authorization. But what about when the patient has not authorized release?
HIPAA regulations list several scenarios in which covered entities can provide PHI to law enforcement absent patient authorization. Those include instances where there is a serious and imminent threat to someone’s health or safety, where a crime has occurred on the premises of the covered entity and the covered entity believes in good faith that PHI is evidence of that crime, or where there is some other legal obligation to report something involving PHI (like reporting gunshots).
HIPAA regulations also permit covered entities to provide PHI to law enforcement in response to (1) a court order, (2) a court-ordered warrant, (3) a subpoena or summons issued by a “judicial officer,” (4) a grand jury subpoena, or (5) an “administrative request.”
That fifth basis under the law enforcement carveout to HIPAA—an “administrative request”—is subject to many interpretations. The exact language of the carveout reads:
(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
1. The information sought is relevant and material to a legitimate law enforcement inquiry;
2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
3. De-identified information could not reasonably be used.
45 C.F.R. § 164.512(f)(1)(ii)(C).
It is clear from that language that a Civil Investigative Demand, the tool most commonly used by Justice Department attorneys in False Claims Act investigations, is adequate for releasing PHI to the Justice Department attorneys indicated on the Civil Investigative Demand. It is also clear that an administrative subpoena under 18 U.S.C. § 3486, commonly known as a HIPAA subpoena within the Justice Department, is a proper vehicle for PHI release. What is less clear is the status of an informal request by law enforcement for PHI. If that informal request by law enforcement makes clear that it is relevant and material to a law enforcement inquiry, should healthcare providers acquiesce and turn over PHI as requested?
The answer has long been “yes,” recognizing that (1) the term “administrative request” is not defined in 45 C.F.R. § 164.512, (2) the portion of the regulation that lists out examples of administrative requests is non-exhaustive because of the word “including,” and (3) perhaps most importantly, healthcare providers do not want to anger the law enforcement officer making the request by saying “no.” And so healthcare providers have long provided PHI to law enforcement in the absence of a formal legal process under the rationale that an informal request suffices as an “administrative request.”
Congress’s Objection to Turning Over PHI Absent Formal Legal Process
In July of 2023, 44 members of Congress wrote a letter to Secretary of Health and Human Services Xavier Becerra asking for more stringent HIPAA regulations relating to “warrantless” requests by law enforcement for PHI. Those members of Congress specifically sought modifications to 45 C.F.R. § 164.512 that would permit covered entities to provide PHI to law enforcement “only when that agency obtains a search warrant, issued by a judge upon finding of probable cause” of a crime.
A subset of those members of Congress followed up on December 12, 2023, to alert Secretary Becerra that they had inquired of pharmacies and found that many of the pharmacies turn over PHI to law enforcement without what those members of Congress believed to be sufficient legal grounds.
What Should Healthcare Providers Do When They Receive an Informal Request for PHI?
While HHS works on finalizing new regulations relating to the HIPAA standard for complying with law enforcement requests, healthcare providers should pay extra attention to their processes for turning PHI over to law enforcement. In the absence of some listed legal process in 45 C.F.R. § 164.512(f)(1)(ii)(C), healthcare providers should think carefully about whether to turn over PHI, given increased Congressional scrutiny. The best practice would be to have experienced counsel contact the law enforcement agent or officer making the request, explain the increased level of scrutiny by Congress, and ask instead for some legal process that satisfies the current regulations.
Healthcare providers should also establish procedures to run law enforcement requests through a legal professional. Part of the December 12, 2023 letter to HHS protested some pharmacy procedures in which staff members in stores respond to law enforcement requests with no involvement of any lawyer or paralegal. One best practice could be to route law enforcement PHI requests and proposed disclosures through a trained legal professional prior to disclosure, to ensure that providers are abiding by the current regulations. Clearer regulations are likely coming soon, but until then, to stay out of a Congressional hearing room, healthcare providers would be wise to check their PHI protections when it comes to informal law enforcement requests.