Can HIPAA Information Be Given to Law Enforcement Officials?

James L. Lindon, PharmD, PhD, JD


February 20, 2014


Is it a HIPAA violation to release prescription medication information to law enforcement officials?

Response from James L. Lindon, PharmD, PhD, JD
Pharmacy Law Attorney, Lindon & Lindon, LLC, Cleveland, Ohio

The question is directed to the "law enforcement exception" to laws that protect health information from being improperly disclosed. Private health information (PHI) should not be disclosed unless there is a recognized exception. The question also raises a more general question as to what sort of right to privacy we may have from improper or overreaching governmental inquiries or searches.

The Fourth Amendment of the US Constitution[1] protects citizens from unreasonable searches and seizures. The Fourth Amendment states, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Although the word "privacy" does not appear in the text, the Fourth Amendment is often viewed as protecting an individual's "expectation of privacy" from government intrusion, including intrusion by law enforcement officials.

Medical records contain some of the most sensitive information that can be searched for any person. There are significant criminal and civil sanctions for improperly disclosing such information, at both the state and federal levels. Law enforcement searches and use of medical records may be "reasonable" in defined situations. Both regulators and courts provide guidance to determine what is reasonable and what is unreasonable.

In general, the type and amount of information that might be disclosed will depend upon the circumstances and purposes for the disclosure. Title 45 (Public Welfare) of the Code of Federal Regulations, Part 164 (Security and Privacy),[2] describes current law. For example, the law recognizes that the legal process in obtaining a court order provides protections for the individual's private information [45 CFR 164.512(f)(1)(ii)(A)-(B)]. A trained judge is involved in the decision.

Disclosures are permitted in order to respond to an administrative request, such as an administrative subpoena or investigative demand from the Board of Medicine, Board of Pharmacy, or similar entities. Because this administrative request is made without a judge, the law requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific, and limited in scope; in addition, deidentified information cannot be used [45 CFR 164.512(f)(1)(ii)(C)].

A more limited privacy intrusion may be permitted for purposes of identifying or locating a suspect, fugitive, material witness, or missing person. In such instances, generally only the following may be disclosed: the person's name and address, date and place of birth, Social Security Number, blood type, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual's DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this limited provision, but may be disclosed in response to a court order, warrant, or written administrative request [45 CFR 164.512(f)(2)].

For healthcare professionals, such as physicians, nurses, and pharmacists, examples permitting release of medical records might include:

A healthcare professional being treated for drug overdose, in view of drugs missing from a facility where the professional worked;

Treatment of an alleged victim of sexual assault by a healthcare professional, in view of allegations that drugs were used to incapacitate victim;

Suspicion of "doctor shopping" to obtain prescription opioids by a healthcare professional who is clearly impaired at work;

A car crash by a healthcare professional with clear evidence of impairment while driving.

Investigating child abuse and domestic violence, reporting instances of gunshot wounds, and alerting law enforcement agencies of the death of a person may also substantiate privacy intrusion. See 45 CFR 164.512(b)(1)(ii), 45 CFR 164.512(f)(1)(i), and 45 CFR 164.512(f)(4).

In the event that PHI is requested, clinicians should consider the following:

Obtain the request in writing, having the requestor provide a legal justification including a citation to HIPAA law allowing the disclosure;

Review the requestor's government-issued identification, which should be legitimate and confirmable;

Review the request with the manager to make sure it meets legal requirements; and

Review the request with the institution's lawyer.

Thirty days may be allowed to respond to the request for PHI.[3]

In conclusion, the strength of the reason for the intrusion, and the amount of information released, will generally guide the decision whether and how much private information will be released.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.
Post as: