From Quarles & Brady LLP, by Simone Colgan Dunlap, Sarah Coyne, Kaitlyn Fydenkevez, Meghan O’Connor:
- Current HIPAA rules permit healthcare providers to disclose protected health information (PHI) to law enforcement under specific circumstances, such as to comply with a court order, respond to an administrative request, or in cases of identifying a suspect or victim, among others.
- Providers must also be aware of more stringent state laws, particularly when it comes to “sensitive” categories of data like mental health records or sexual/reproductive health data. Any disclosure must meet the requirements of both HIPAA and state law.
- Providers should ensure that staff understand organizational policies and procedures regarding law enforcement requests, and should watch for the final rule on HIPAA disclosure requirements. The Senate Finance Committee’s letter calls for broader protection, which may influence the final rule, particularly in relation to pharmacy disclosure of prescription data to law enforcement.