Staying compliant with HIPAA can be complicated. HIPAA prohibits the sharing of patient information except in certain cases. You are allowed to share information for law enforcement purposes. Lets look at a recent incident experienced by a TLD Systems client.
There was an incident recently in the parking lot of a medical provider where there was a hit and run. The individual whose car was hit asked the provider if they had any information on the accident.
The question is, can the provider give information regarding the accident to the owner of the car?
(f) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable.
(1) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:
(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements of:
(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
(1) The information sought is relevant and material to a legitimate law enforcement inquiry;
(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
(3) De-identified information could not reasonably be used.
Under HIPAA regulations, 34 45 C.F.R. § 164.512(f), in this scenario, the provider should not disclose details of the accident to the car owner. They should tell the owner of the car, “Because this is a hit and run, report it to the police and we’d be happy to speak to law enforcement.”
Under point (3), a provider is permitted to disclose PHI in response to a law enforcement official’s request for information. It is best to only disclose any pertinent information relating to the accident to law enforcement.
For all of your HIPAA questions, contact TLD Systems at firstname.lastname@example.org or (631) 403 6687.