Federal Rule Restricts Administrative Requests by Law Enforcement for HIPAA-Protected Medical Records

by Michael Castaldo, III

The United States Department of Health and Human Services just made it harder for law enforcement officers to obtain medical records from entities covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Under HIPAA’s Privacy Rule, covered entities (including fire departments, hospitals, and other healthcare firms) are required to safeguard their patients’ Protected Health Information (“PHI”) and refrain from disclosing it to third parties without authorization. However, there are exceptions. Among other things, a covered entity can disclose PHI to law enforcement officers:

  • To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
  • To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.
  • To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct.
  • To alert law enforcement to criminal activity when responding to an off-site medical emergency.
  • To report PHI to law enforcement when required by law to do so (such as reporting gunshots or stab wounds).
  • To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person (so long as the information is limited to basic demographic and health information about the person).
  • To comply with a court order, warrant, subpoena, or an “administrative request.”

By issuing a new regulation, the Department has changed the landscape concerning the “administrative request” exemption.

Previously, covered entities could give PHI to law enforcement agencies in response to an “administrative request,” provided the request: (i) was relevant and material to a legitimate law enforcement inquiry; (ii) was specific and limited in scope to the extent reasonably practicable; and (iii) stated that de-identified information could not reasonably be used. 45 CFR §164.512(f)(1)(ii)(C). This exception was commonly understood to mean that a request on letterhead by a law enforcement agency affirming these three requirements was sufficient to permit disclosure of the requested protected health information to law enforcement.

Through its new rule, the Department clarified that a mere letter reciting this magic language was not enough to circumvent the Privacy Rule’s guarantee of confidentiality. Indeed, the Department found that the widely accepted interpretation of the “administrative request” exemption was incorrectly applied and inconsistent with HIPAA’s goals. The Department explained that clarification was necessary to ensure that any disclosures of PHI to law enforcement agencies are necessary and limited in scope.

Therefore, as of June 25, 2024, the “administrative request” exception only permits the disclosure of PHI by covered entities where a response to such a request is required by law. Thus, the days of boilerplate law enforcement letters seeking HIPAA-protected medical records are over.

To properly use the administrative request exemption, the request must now come in the form of an administrative subpoena, summons, or an investigative demand authorized by statute. In addition, such a request by a law enforcement agency has to affirm that it: (i) is relevant and material to a legitimate law enforcement inquiry; (ii) is specific and limited in scope to the extent reasonably practicable; and (iii) states that de-identified information could not reasonably be used.

Failure to properly observe the new administrative request exception may result in fines by the Department. Thankfully, the Department has given covered entities a 180-day grace period to adopt updated policies and procedures that align with this clarification before it will assess any penalties.

Importantly, this update is specific only to administrative requests for PHI. It does not affect the other exceptions that would allow disclosing HIPAA-protected materials to law enforcement without violating the Privacy Rule.

Moving forward, it is imperative to review your current procedures to ensure that these changes are fully understood. Municipalities should ensure their police departments are no longer issuing old-school “administrative request” letters. Similarly, fire departments should carefully analyze law enforcement requests for PHI, as such requests may not be compliant with the Department’s new rule. For any additional questions regarding how this final rule might affect your existing practices, please reach out to one of the attorneys.