HIPAA Compliance Strategies

Hospitals Struggle With How Much Patient Information to Disclose to Police

Reprinted from the August 2007 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

After years of wrestling with how to contain errant cops who hang out in the emergency room (ER), pressuring nurses and doctors into releasing information they are not entitled to under HIPAA, Greg Young came up with a simple solution.

Young, a former police detective and SWAT team member, is the privacy and security officer at Mammoth Hospital in Mammoth Lakes, Calif. Although the privacy rule has been in effect for four years, Young put in place a policy one month ago to address disclosures to law enforcement officials as a way to help his staff set boundaries with the pushy ones.

The policy was issued with a new form that is filled out by both the employee giving out the information and the law enforcement official requesting it. Complete with checkboxes, the form is an easy way for Mammoth to control the release of information in compliance with HIPAA.

"We are a small town, maybe 9,000 residents, but we have a highway patrol, and county and local police departments. They will come in and tend to pressure the nurses who feel really uncomfortable," Young said. "I saw the need here" and took steps to address it.

The idea of introducing a new policy so long after HIPAA went into effect might strike some as odd. But experts advise keeping on top of compliance issues and refining policies and procedures. And in this case, Young has tackled an issue that many HIPAA covered entities (CEs) still find vexing: how to properly interpret the provisions of the privacy rule as it applies to law enforcement agencies.

Policy Outlines What Can Be Revealed

The police, sheriffs and others have a job to do. But so does the hospital staff. And in Mammoth's case, a lot of the "action" takes place in its ER.

"We are a small, rural hospital that has an unusually high number of patients that are seen in our clinics and ER, well over 50,000 a year," Young tells RPP. "That contrasts sharply with the fact that we are a hospital with only 14 beds for inpatients."

Mammoth, part of the Southern Mono Healthcare District (SMHD), also operates a number of outpatient clinics, including pediatrics, women's health, family medicine, orthopedics and physical therapy.

Young began the new policy by noting that HIPAA allows CEs "to be able to release protected health information (PHI) to law enforcement without patient authorization under specific circumstances." It also addresses the fact that other disclosures may be required by state laws and that this policy includes only those to be made under HIPAA.

"The scope of this policy includes all instances of law enforcement seeking any form of PHI held by the [health district] without the authorization of the patient and not required by state law (e.g., required reporting of child abuse or neglect)," it states.

The policy defines "law enforcement" broadly as "any governmental agency or official authorized to investigate, prosecute or conduct an inquiry into a potential violation of law." Young created the policy to delineate the specific circumstances under which SMHD may release PHI to law enforcement officials, and to "provide a process for documenting instances of release of PHI to law enforcement personnel."

The policy defines PHI as "any information, whether oral, ocular or recorded in any form or medium that is created or received by operations [the health district] and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

Various Requests May Be Received

The policy delineates that a legitimate, "formal written demand or request from a judicial or law enforcement agency" might come in various forms, including a court order; a warrant; a subpoena or summons issued by a judicial officer; a grand-jury subpoena; or an administrative subpoena, summons or investigative demand.

Superficially not considered a legitimate request under the policy is a subpoena issued by an attorney. And according to the policy, all disclosures "must be strictly limited to the scope of the request."

The policy makes the point that HIPAA "does not require the disclosure of PHI without an individual's consent or authorization in any circumstance. Rather, HIPAA permits nonconsensual or unauthorized disclosures in specified circumstances."

Mammoth hospitals and employees of SMHD may release limited identifying information to law enforcement for the purpose of identifying a suspect, a victim, a fugitive, a material witness or a missing person, the policy explains.

"All questions must be completed by the requesting law enforcement person, to include a reasonable explanation for the reason for the request, prior to the release of information. The reasonableness [of the request] shall be determined by the SMHD workforce member releasing the information," it states.

In an emergency, "such as a rapidly fleeing dangerous suspect," the policy allows employees to cooperate with the official by at least identifying the law official, providing the requested information, and then immediately documenting the release using the form, which should be completed within 48 hours.

The employee must obtain the signature of the requesting official, and the document number of "any reports reflecting the use of the PHI released, such as an incident report, arrest report or crime report. In all cases, completed forms are to be sent to the district's health information manager.

Extra Care Required for Phone Requests

In general, CEs are required to verify the identity of the person requesting PHI, and Young's policy reflects this. "Workforce members may rely on a badge or similar identification to confirm the request is being made by a law enforcement official," the policy states. If the request comes in over the phone, it must be accompanied soon afterward by an official letterhead or similar document faxed to the hospital.

In addition, phoned-in requests must be double-checked. The policy requires that "phone requests shall only be completed after obtaining the name and phone number of the requesting party, terminating the call, then calling back the number provided. No PHI shall be released without performing this callback procedure," the policy states.

Aware that there may be instances where employees may need to tip off the police or other law enforcement officials, the policy allows SMHD employees to release PHI if the worker "believes in good faith that the information constitutes evidence of criminal conduct that occurred on the premises" of the district.

Specifically, emergency health workers "may release PHI to law enforcement if such release appears necessary to alert law enforcement to" the:

• commission and nature of a crime;
• location of such crime or of the victim(s) of such crime; and
• identity, description and location of the perpetrator of such crime.

In these instances, the information released "shall be the minimum necessary to inform law enforcement of the three elements described above," the policy states.

The policy tells SMHD workers to report possible violations to Young, who is responsible for enforcement. In addition, the policy specifies that "all SMHD department and clinic managers shall be responsible for the training of appropriate subordinates for implementation in compliance with this policy."

To help familiarize employees with the policy, Young wrote about it in his monthly column in SMHD's employee newsletter. He said it has been well-received — even by local law enforcement officials.

In Phoenix, Cops Have Their Own Room

A privacy official at another hospital also said the form in particular was very useful for dealing with law enforcement officials, and that he will probably use at least parts of it in his own policy.

Frank Ruelas, privacy officer for 239-bed Maryvale Hospital in Phoenix, praised the form, saying "the use of checkboxes eliminates any ambiguity over what disclosures are made, if any, and the policy indicates examples of what type of legal document may trigger a disclosure, which is helpful from a `here are some examples' perspective."

"By stressing that a disclosure may be made and is not required, it gives someone following the policy in the heat of the moment some comfort that they can defer the disclosure until he or she asks someone for guidance if need be," he said. "You have a staff person in a position where they are able to help a police officer do his job. They look at them like they look at a person from the clergy. This form will let them be more comfortable in knowing what they can disclose. They don't have to be the ones making the decision."

He added that for the past several years, Maryvale has made a room available near its ER just for the officers to use when writing reports or other activities. The room is marked with a city emblem and it has a television and a microwave, Ruelas said. The door is locked and has a keypad that the officers have the code for.

"We have a very good relationship with the Phoenix police department," said Ruelas.

Advertise With AIS

Privacy

Site Map