HIPAA FAQ – Disclosures for Law Enforcement Purposes2020-09-08T13:30:06-04:00

HIPAA FAQ – Disclosure for Law Enforcement Purposes

May a health plan disclose protected health information to a state child support enforcement (IV-D) agency in response to a National Medical Support Notice?2020-09-06T17:49:47-04:00

The Privacy Rule permits a health plan to respond to a request for information by a IV-D agency pursuant to a National Medical Support Notice (NMSN), as described below.

The Privacy Rule at 45 CFR 164.512(f) permits a covered entity to disclose protected health information to a “law enforcement official” for law enforcement purposes in compliance with court orders, grand jury subpoenas, or certain written administrative requests. 45 CFR 164.512(f)(1)(ii). As defined in 45 CFR 164.501, a “law enforcement official” means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law or to prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. An employee of a IV-D agency, including a contract employee, who is empowered by state or federal law to enforce a medical child support order, meets this definition of a law enforcement official.

The NMSN, a nationally uniform form which is sent by the IV-D agency to the employer and health plan for completion, constitutes a written administrative request by a law enforcement official. As such, the Privacy Rule allows a health plan to disclose protected health information in response to the NMSN, provided it includes or is accompanied by written assurances by the law enforcement official that (1) the information sought is material and relevant to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope; and (3) de-identified information cannot reasonably be used. 45 CFR 164.512(f)(1)(ii)(C).

The Privacy Rule requires the covered entity to verify that these three conditions are met, as well as the identity and authority of the public official making the request, unless already known to the covered entity. The covered entity must also limit the disclosures to the minimum necessary for the purpose. To meet these requirements, the covered entity may reasonably rely on the following:

  • the NMSN, or a separate written statement that, on its face, demonstrates that the three assurances required for these disclosures have been met. 45 CFR 164.514(h)(2)(i)(A).
  • the NMSN is sufficient to verify the identity and legal authority of the public official requesting the protected health information. 45 CFR 164.514(h)(2)(ii) and (iii).
  • the NMSN is sufficient as a request from a public official for the minimum information needed to meet the law enforcement purpose of the request. 45 CFR 164.514(d)(3)(iii)(A).
State public records laws, also known as open records or freedom of information laws, all provide for certain public access to government records. How does the HIPAA Privacy Rule relate to these state laws?2020-09-09T00:05:17-04:00

If a state agency is not a “covered entity”, as that term is defined at 45 CFR 160.103, it is not required to comply with the HIPAA Privacy Rule and, thus, any disclosure of information by the state agency pursuant to its state public records law would not be subject to the Privacy Rule.

If a state agency is a covered entity, however, the Privacy Rule applies to its disclosures of protected health information. The Privacy Rule permits a covered entity to use and disclose protected health information as required by other law, including state law. See 45 CFR 164.512(a). Thus, where a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law.

However, where a state public records law only permits, and does not mandate, the disclosure of protected health information, or where exceptions or other qualifications apply to exempt the protected health information from the state law’s disclosure requirement, such disclosures are not “required by law” and thus, would not fall within § 164.512(a) of the Privacy Rule. For example, if a state public records law includes an exemption that affords a state agency discretion not to disclose medical or other information where such disclosure would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law, and therefore is not permissible under § 164.512(a). In such cases, a covered entity only would be able to make the disclosure if permitted by another provision of the Privacy Rule.

As an example of how the Privacy Rule would apply in the case where an exemption exists in a freedom of information law, see the December 2000 Privacy Rule preamble discussion regarding the relationship of the Privacy Rule with the federal Freedom of Information Act (64 FR 82482).

When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?2020-09-10T20:17:19-04:00

The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances summarized below. For a complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the citations provided. Disclosures for law enforcement purposes are permitted as follows:

  • To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy of the grand jury process provides protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).
  • To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used (45 CFR 164.512(f)(1)(ii)(C)).
  • To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person; but the covered entity must limit disclosures of PHI to name and address, date and place of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR 164.512(f)(2)).

This same limited information may be reported to law enforcement:

    • About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2));
    • To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).


  • To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3)).


Where child abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other provisions of the Rule apply:

    • Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)).
    • Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)):
      • If the individual agrees;
      • If the report is required by law; or
      • If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations (see 45 CFR 164.512(c)(1)(iii)(B)).
      • Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).


  • To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent injuries; and the Rule permits disclosures of PHI as necessary to comply with these laws.
  • To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).
    • Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties(45 CFR 164.512(g)(1)).
  • To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).
  • When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime (45 CFR 164.512(f)(6)). This provision does not apply if the covered health care provider believes that the individual in need of the emergency medical care is the victim of abuse, neglect or domestic violence; see above Adult abuse, neglect, or domestic violence for when reports to law enforcement are allowed under 45 CFR 164.512(c).
  • When consistent with applicable law and ethical standards:
    • To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (45 CFR 164.512(j)(1)(i)); or
    • To identify or apprehend an individual who appears to have escaped from lawful custody (45 CFR 164.512(j)(1)(ii)(B)).
  • For certain other specialized governmental law enforcement purposes, such as:
    • To federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3));
    • To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such PHI is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility (45 CFR 164.512(k)(5)).

Except when required by law, the disclosures to law enforcement summarized above are subject to a minimum necessary determination by the covered entity (45 CFR 164.502(b), 164.514(d)). When reasonable to do so, the covered entity may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for their lawful purpose (45 CFR 164.514(d)(3)(iii)(A)). Moreover, if the law enforcement official making the request for information is not known to the covered entity, the covered entity must verify the identity and authority of such person prior to disclosing the information (45 CFR 164.514(h)).


Does the HIPAA Privacy Rule permit covered entities to disclose protected health information, without individuals’ authorization, to public officials responding to a bio-terrorism threat or other public health emergency?2020-09-10T21:41:08-04:00

Yes. The Rule recognizes that various agencies and public officials will need protected health information to deal effectively with a bio-terrorism threat or emergency. To facilitate the communications that are essential to a quick and effective response to such events, the Privacy Rule permits covered entities to disclose needed information to public officials in a variety of ways.

Covered entities may disclose protected health information, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bio-terrorism threat or public health emergency (see 45 CFR 164.512(b)), public health activities). The Privacy Rule also permits a covered entity to disclose protected health information to public officials who are reasonably able to prevent or lessen a serious and imminent threat to public health or safety related to bio-terrorism (see 45 CFR 164.512(j)), to avert a serious threat to health or safety). In addition, disclosure of protected health information, without the individual’s authorization, is permitted where the circumstances of the emergency implicates law enforcement activities (see 45 CFR 164.512(f)); national security and intelligence activities (see 45 CFR 164.512(k)(2)); or judicial and administrative proceedings (see 45 CFR 164.512(e)).

Will this HIPAA Privacy Rule make it easier for police and law enforcement agencies to get my medical information?2020-09-06T17:17:05-04:00

No. The Rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists, since the Rule establishes new procedures and safeguards that restrict the circumstances under which a covered entity may give such information to law enforcement officers.

For example, the Rule limits the type of information that covered entities may disclose to law enforcement, absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. It specifically prohibits disclosure of DNA information for this purpose, absent some other legal requirements such as a warrant. Similarly, under most circumstances, the Privacy Rule requires covered entities to obtain permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement.

In most States, such permission is not required today. Where State law imposes additional restrictions on disclosure of health information to law enforcement, those State laws continue to apply. This Rule sets a national floor of legal protections; it is not a set of “best practices.” Even in those circumstances when disclosure to law enforcement is permitted by the Rule, the Privacy Rule does not require covered entities to disclose any information. Some other Federal or State law may require a disclosure, and the Privacy Rule does not interfere with the operation of these other laws. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.

Why would HIPAA Privacy Rule require covered entities to turn over anybody’s personal health information as part of a government enforcement process?2020-09-06T17:52:08-04:00

An important ingredient in ensuring compliance with the Privacy Rule is the Department of Health and Human Services’ (HHS) responsibility to investigate complaints that the Rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing personal health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records.

What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits HHS Office for Civil Rights’ (OCR) access to information that is “pertinent to ascertaining compliance.” In some cases, no personal health information may be needed. For instance, OCR would need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims.

Examples of investigations that may require OCR to have access to protected health information include:

  • Allegations that a covered entity refused to note a request for correction in a patient’s medical record, or did not provide complete access to a patient’s medical records to that patient.
  • Allegations that a covered entity used health information for marketing purposes without first obtaining the individuals’ authorization when required by the Rule. OCR may need to review information in the marketing department that contains personal health information, to determine whether a violation has occurred.
Does the HIPAA Privacy Rule require my doctor to send my medical records to the government?2020-09-06T17:51:43-04:00

No. The Rule does not require a physician or any other covered entity to send medical information to the government for a government data base or similar operation. This Rule does not require or allow any new government access to medical information, with one exception: the Rule does give the Department of Health and Human Services Office for Civil Rights (OCR) the authority to investigate complaints that Privacy Rule protections or rights have been violated, and otherwise to ensure that covered entities comply with the Rule.

For enforcement purposes, OCR may need to look at how a covered entity handled medical records and other personal health information, as is typical in many enforcement settings. This investigative authority is needed so that the Rule can be enforced, and to ensure the independent review of consumers’ concerns over privacy violations.

Even so, the Privacy Rule limits disclosures to OCR to information that is “pertinent to ascertaining compliance.” OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the Rule.

Go to Top