Law Enforcement Access [to Medical Records]
Electronic Frontier Foundation no date
When exploring medical privacy issues, it's very useful to have an overview of the laws that affect control and privacy of medical information. We encourage you to read our legal overview.
Federal and state laws define some privacy rights for people who want to keep their medical records out of the hands of law enforcement. But law enforcement has many ways to access medical data when investigating crimes, identifying victims, or tracking down a fugitive. Often, the police are able to seek out sensitive medical records without an individual's consent—and sometimes without a judge's authorization.
To understand this, it's useful to compare the federal standards set by the Health Insurance Portability and Accountability Act (HIPAA) to the more privacy-protective legal standards in the State of California. We'll be jumping back and forth between the two throughout this discussion. Note: this discussion doesn’t cover access to health records relating to treatment in federally funded substance abuse facilities and programs under 42 U.S.C. § 290dd-2 and its “Part 2” regulations, which has stricter rules.
Disclosures of medical information to law enforcement by covered entities
The HIPAA Privacy Rule broadly defines law enforcement as "any government official at any level of government authorized to either investigate or prosecute a violation of the law."
Under HIPAA, medical information can be disclosed to law enforcement officials without an individual’s permission in a number of ways. Disclosures for law enforcement purposes apply not only to doctors or hospitals, but also to health plans, pharmacies, health care clearinghouses, and medical research labs. That's because under the HITECH Act, as implemented by the HIPAA Omnibus Rule, both a "covered entity" and any business associate (BA) are directly subject to these law enforcement access rules.
California has somewhat stronger privacy rules that require more court involvement, because HIPAA does not preempt more privacy-protective state laws. In California, search warrants for medical records are generally authorized under the Penal Code and require judicial approval based on probable cause. Less stringent court orders based on a showing of good cause can also be used. And in California, even if a mere administrative subpoena is used, the California Penal Code requires an authorizing court order.
By contrast, HIPAA permits1 the police to use an administrative subpoena or other written request with no court involvement, as long as police include a written statement that the information they want is relevant, material, and limited in scope, and that de-identified information is insufficient. . . .
California,Federal, Electronic Frontier Foundation, Health Insurance Portability and Accountability Act (HIPAA), Health Records, Law Enforcement, Medical, Medical Records, Notice of Privacy Practices (NPP), Privacy, State
NEWS and publications
Links to articles in transition. If the title is in red, click title. If the title is only in blue, click the hyperlink with the periodical's name/publication date.
Disclaimer: Targeted America is not a law firm. The information contained in this website is provided for informational purposes only and should not be construed as legal advice on any matter.