FORMAL OPINION

Attorney General of Colorado — Opinion
September 30, 2003

This opinion describes the types of health information that may be disclosed to law enforcement officials under the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d to 1320d-8 (2003) (“HIPAA”). It is issued at the request of Lieutenant Colonel Gary L. Coe, of the Colorado State Patrol.

KEN SALAZAR, Attorney General

Question Presented and Answer
Question: When may a health care provider disclose protected health information to law enforcement officials under HIPAA?

Answer: HIPAA permits health care providers to disclose protected health information to law enforcement officials under several complicated disclosure rules. Highlights of these rules include:

Providers are required under Colorado law to report certain bullet and other wounds and injuries to law enforcement, and HIPAA expressly permits these types of mandatory disclosures to law enforcement.

Disclosures of limited identifying information are permitted in response to an official inquiry from law enforcement to identify or locate a suspect or fugitive.

Health care providers may voluntarily alert law enforcement of a suspicious death or a crime on their premises.

Emergency medical personnel may advise law enforcement officials of information concerning the nature and commission of a crime and the location of the crime, victims or perpetrators.

HIPAA permits disclosures to law enforcement to avert a serious threat to public health or safety and to report child abuse or neglect, domestic violence, and adult abuse or neglect.

HIPAA’s varied and complex disclosure rules may also permit other public health and public interest disclosure in particular circumstances, depending upon the purpose of the disclosure.

Discussion
HIPAA is a comprehensive federal statute that is designed, in part, to provide national standards for the protection of certain health information.[1] These statutory privacy provisions have been interpreted in a highly complex regulation issued by the federal Department of Health and Human Services and known as the HIPAA Privacy Rule.[2] The HIPAA Privacy Rule plays a central role in the discussion that follows.

Colorado’s law enforcement personnel sometimes require medical information that is covered by HIPAA protections in order to carry out their public safety functions. These law enforcement needs raise difficult questions of federal law concerning the types of medical information that health care providers can disclose to law enforcement officials. This opinion addresses those questions.

This opinion is accompanied by a comprehensive attachment that sets forth a chart explaining the legal rules concerning HIPAA and law enforcement. This chart is included to provide easier access for law enforcement officials to the complex rules discussed below.

Finally, this opinion is limited in important respects. It addresses HIPAA’s rules in the abstract, but a conclusion as to whether a specific disclosure is permitted under the HIPAA Privacy Rule in a specific circumstance typically depends upon who is making the disclosure, the facts and circumstances of the disclosure, and the purpose of the disclosure. Also, this opinion does not address other federal laws that may impose restrictions upon the release of confidential medical information in particular circumstances. For these reasons, and assuming time is available, law enforcement officials are encouraged to seek legal guidance when specific circumstances arise.

Application of HIPAA. HIPAA’s health information disclosure rules apply to “covered entities.” This term is defined to include a health plan, a health care clearinghouse, and a health care provider who transmits protected health information in electronic form in connection with a covered transaction.[3] (Covered entities are referred to below collectively as “health care providers.”) Most emergency medical and other health care personnel are covered and are required to comply with the HIPAA Privacy Rule.

As a general rule, the HIPAA Privacy Rule forbids a health care provider from using or disclosing a patient’s protected health information without written authorization from the patient, except for treatment, payment, and health care operations. 45 C.F.R. § 164.506(a). The rule restricts only the disclosure of “protected health information,” which is defined as individually identifiable health information that is transmitted or received by a covered entity, excluding certain educational and employment records. 45 C.F.R. § 164.501. This opinion discusses the exceptions to the general rule that permit public interest disclosures to law enforcement officials.

The HIPAA Privacy Rule allows the disclosure of protected health information by health care providers — absent a patient’s authorization — for a variety of public interest reasons. 45 C.F.R. § 164.512. When a disclosure is permitted by the rule, a health care provider must also determine whether a law makes that disclosure mandatory. Non-mandatory public interest disclosure provisions are permissive, and the disclosing health care provider then generally has discretion to choose not to disclose even though it legally could do so.[4]

The HIPAA Privacy Rule is not concerned solely with the need for law enforcement officials’ access to protected health information.[5] Rather, it balances the competing interests of law enforcement and individual privacy. The preamble to the HIPAA Privacy Rule explains:

The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety. At the same time, individuals’ privacy interests also are important and legitimate. As with all other disclosures of protected health information permitted under this regulation, the rules we impose attempt to balance competing and legitimate interests.

65 Fed. Reg. 82,678 (Dec. 28, 2000).

The requirement of an official request by law enforcement. An official request from law enforcement is needed by a health care provider in order to prompt certain disclosures. 45 C.F.R. § 164.512(f)(2) and (3). These include disclosures of protected health information needed to identify or locate a suspect, fugitive, material witness or missing person and disclosures concerning the victim of a crime. Id. Other disclosures to law enforcement can be made by a health care provider without an official request. 45 C.F.R. § 164.512(f)(1), (4), (5) and (6). These include disclosures required by law; to report a suspicious death; to report crime on the premises; during a medical emergency about a crime, victim or suspect. Id.

Accounting to the individual involved for disclosures to law enforcement officials. The HIPAA Privacy Rule requires that health care providers give an accounting of certain disclosures to the individual involved upon that individual’s request. 45 C.F.R. § 164.528. Disclosures to law enforcement under section 512 of the HIPAA Privacy Rule are one of the types of disclosures that require such an accounting.

It is the responsibility of the health care provider to account for disclosures to law enforcement officials. A summary accounting can be provided for multiple disclosures to the same entity under section 512 of the HIPAA Privacy Rule. 45 C.F.R. § 164.528(b)(3).

The significant accounting burden associated with disclosures by health care providers to law enforcement officials undoubtedly contributes to a reluctance to make disclosures under the HIPAA Privacy Rule.

Bullet wounds and injuries. Health care providers may disclose protected health information on their own when that disclosure is required by law. 45 C.F.R. § 164.512(a) and 45 C.F.R. § 164.512(f)(1)(i). This exception includes laws that require the reporting of certain types of wounds or other physical injuries. Id. The use of the information and the disclosure must comply with and be limited to the requirements of the particular law involved. Id.

In Colorado, licensed physicians are required by state law to notify law enforcement of certain bullet wounds and other injuries:

It shall be the duty of every licensee [physician] who attends or treats a bullet wound, a gunshot wound, a powder burn, or any other injury arising from the discharge of a firearm, or an injury caused by a knife, an ice pick, or any other sharp or pointed instrument that the licensee believes to have been intentionally inflicted upon a person, or any other injury that the licensee has reason to believe involves a criminal act, including injuries resulting from domestic violence, to report such injury at once to the police of the city, town, or city and county or the sheriff of the county in which the licensee is located . . . .

Section 12-36-135(1), C.R.S. (2002). This statutory duty to report injuries overcomes the physician-patient privilege which would ordinarily protect information the physician observes during an examination. See Section 12-36-135(3), C.R.S. (2002); People v. Covington, 19 P.3d 15 (Colo. 2001).

In Colorado, therefore, licensed health care providers must disclose information to law enforcement officials concerning gunshot and other wounds and injuries they believe involve a criminal act. Nothing in HIPAA prohibits this disclosure, and the HIPAA Privacy Rule permits disclosures required by state law. 45 C.F.R. § 164.512(f)(1)(i). Colorado law requires the reporting of these injuries to law enforcement “at once” and without further procedural requirements.

A health care provider need not limit its disclosures required by law to a minimum necessary amount of information, which is a limit that applies in other circumstances under HIPAA.[6] Nevertheless, the disclosure is limited to the amount of information mandated by State law. Under Colorado’s mandatory reporting law, disclosures required by law are limited to a physician’s observations of the injury.[7]

In general, disclosures required by law are subject to the verification procedures of the HIPAA Privacy Rule. This requires a health care provider to verify the identity and authority of a law enforcement official prior to making a disclosure.

Court orders and other legal process. Other disclosures required by state law and expressly allowed by HIPAA include responses to court orders and warrants; subpoenas or summons issued by a judicial officer; grand jury subpoenas; administrative and civil subpoenas; and civil or investigative demands authorized by law if the information is relevant, specific, limited and material to a legitimate law enforcement inquiry and de-identified information cannot be used under the provisions of 45 C.F.R. § 164.512(f)(1)(ii). These disclosures are subject to ordinary legal process and are limited to the requirements of the court order or subpoena.[8]

Disclosures to identify or locate a suspect, fugitive, material witness or missing person. The HIPAA Privacy Rule permits disclosure of limited information in response to a law enforcement request for information that is to be used to identify or locate a suspect, fugitive, material witness or missing person. 45 C.F.R. § 164.512(f)(2). Requests made on behalf of law enforcement are permitted and include providing the media with information in order to request the public’s assistance in identifying a suspect, or information to include on a “wanted” poster.[9]

Only limited information may be released by a health care provider to law enforcement under this rule: name; address; date and place of birth; social security number; ABO blood type and Rh factor; type of injury; date and time of treatment; date and time of death; and description of distinguishing physical characteristics including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars and tattoos. 45 C.F.R. § 164.512(f)(2)(i). No DNA information may be disclosed. Disclosure of other information is a violation of HIPAA, unless it is allowed under some other provision of the HIPAA Privacy Rule.

This section of the HIPAA Privacy Rule does not allow a health care provider to reveal the hospital location of a victim or perpetrator of a crime, since this is not included in the list of information that may be disclosed. Nevertheless, other sections of the HIPAA Privacy Rule do allow a health care provider to disclose the location of a victim or perpetrator when law enforcement is investigating a crime. 45 C.F.R. § 164.512(f)(6).

Victims of a crime. Following an official inquiry from law enforcement, the HIPAA Privacy Rule permits disclosure of protected health information to law enforcement about the victim of a crime — if the victim consents to the disclosure. 45 C.F.R. § 164.512(f)(3).[10] If a victim’s consent cannot be obtained due to incapacity or emergency, health care providers may disclose information only upon a specific representation by law enforcement that the information is needed to determine if a crime has occurred, is not intended to be used against the victim, and that immediate law enforcement activity depends upon the disclosure and would be materially and adversely affected by waiting for the victim’s consent. 45 C.F.R. § 164.512(f)(3)(ii). Also, the disclosure must be in the best interest of the victim, as decided in the health provider’s professional judgment. Id.

Colorado’s mandatory reporting law broadly requires reporting of any “injury that the licensee has reason to believe involves a criminal act” and includes injuries resulting from sexual assault.[11] This law only permits disclosure of injuries the physician observes during an examination, and not statements made to a physician during the examination. To obtain information from victims other than an observed injury, the victim’s consent is generally required. Consent for such disclosures may be made orally.[12]

Deaths. The HIPAA Privacy Rule permits disclosure of information to law enforcement about decedents if the health care provider suspects that death may be the result of criminal conduct. 45 C.F.R. § 164.512(f)(4). Disclosures concerning suspicious deaths need not be made in response to an official law enforcement inquiry; health care providers may voluntarily disclose information about suspicious deaths to law enforcement if they have a good faith basis for believing the death may have resulted from criminal conduct. Colorado’s mandatory reporting law also requires licensed health care providers to report injuries, including death, they believe resulted from a criminal act. Section 12-36-135(1), C.R.S. (2002).

Crime on the premises of a health care provider. The HIPAA Privacy Rule permits disclosure of information to law enforcement when a health care provider has a good faith belief the information is evidence of criminal conduct on the premises of the provider. 45 C.F.R. § 164.512(f)(5). This disclosure does not require an official request from law enforcement, and permits the covered health care provider voluntarily to disclose such information.

Reporting crime in emergencies. The HIPAA Privacy Rule permits disclosure of information to law enforcement concerning a crime in a medical emergency. 45 C.F.R. § 164.512(f)(6). The emergency must be off the premises of the health care provider and the disclosure must be to alert law enforcement to the commission and nature of a crime; location of a crime or victim; and identity, description and location of the perpetrator of the crime.

Emergency personnel may reveal the location of a victim or suspect if this information is related to the investigation of a crime.

Comments to the final HIPAA Privacy Rule regulations indicate this disclosure provision was specifically added to permit such disclosures to law enforcement:

This added provision [45 C.F.R. § 164.512(f)(6)] recognized the special role of emergency medical technicians and other providers who respond to medical emergencies. In emergencies, emergency medical personnel often arrive on the scene before or at the same time as police officers, firefighters, and other emergency personnel. In these cases, providers may be in the best position and sometimes the only ones in the position, to alert law enforcement about criminal activity. For instance, providers may be the first persons aware that an individual has been the victim of a battery or an attempted murder. They may also be in the position to report in real time, through use of radio or other mechanism, information that may immediately contribute to the apprehension of a perpetrator of a crime.

65 Fed. Reg. 82,533 (Dec. 28, 2000).

The HIPAA Privacy Rule does not prohibit disclosures to law enforcement related to the commission of a crime during an emergency and does not limit the type of information that can be disclosed if it is related to the commission of a crime. Health care providers can disclose the location of a victim or perpetrator of a crime when law enforcement is investigating a crime. An official request from law enforcement is not required if law enforcement is investigating a crime.

Child abuse. The HIPAA Privacy Rule permits disclosure of health information to appropriate governmental entities that are authorized by law to receive reports of child abuse. 45 C.F.R. § 164.512(b)(1)(ii). Colorado law requires that health care providers and other individuals report suspected child abuse to county social services or local law enforcement. Section 19-3-304, C.R.S. (2002). Thus, Colorado law requires, and the HIPAA Privacy Rule permits, covered entities to disclose reports of child abuse or neglect to appropriate governmental authorities.[13]

Abuse and neglect, including domestic violence. The HIPAA Privacy Rule contains special provisions to permit disclosures to report abuse, neglect or domestic violence other than child abuse. 45 C.F.R. § 164.512(c).

The disclosure must be to a government entity authorized by law to receive reports of abuse. If the disclosure is required by law, and is limited to the relevant requirement of that law, the victim’s consent is not required. Again, Colorado law mandates the reporting of certain wounds and injuries, including those resulting from acts of domestic violence, and disclosures mandated by state law are permitted by the HIPAA Privacy Rule under 45 C.F.R. § 164.512(c)(1)(i) and do not require the consent of the victim.[14]

Information other than the observed injury concerning abuse and domestic violence is not required to be reported to law enforcement under Colorado law. It is a permissible disclosure under the HIPAA Privacy Rule if the victim consents to the disclosure. The victim’s consent may be oral. If the individual does not consent to the disclosure, the disclosure is allowed if it is expressly authorized by statute and the covered entity believes, in the exercise of its professional judgment, that the disclosure is necessary to prevent serious harm. If an individual is unable to consent because of incapacity, a government official must assure that the information is not intended to be used against the individual, and that immediate enforcement activity depends on the disclosure and would be materially and adversely affected by waiting for the individual’s consent.

A covered entity must promptly inform the individual involved of such a disclosure unless (a) it would risk serious harm to the individual or (b) the covered entity reasonably believes a personal representative is responsible for the abuse and informing the representative would not be in the best interest of the individual.

Disclosures to avert a serious threat to health or safety. The HIPAA Privacy Rule permits health care providers to disclose information to law enforcement to avert a serious threat to health or safety. 45 C.F.R. § 164.512(j). The health care provider must have a good faith belief that the disclosure: (a) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is to a person reasonably able to prevent or lessen the threat, or (b) is necessary for law enforcement to identify or apprehend an individual because of their admission to participation in a crime or because they appear to have escaped from a correctional institution or from lawful custody. The disclosure is limited to the admission and limited identifying information (section 164.512(f)(2)(i)), and may not include statements made to initiate treatment, counseling or therapy to affect the propensity to commit a crime.

This provision of the HIPAA Privacy Rule permits disclosures consistent with the duty to warn third persons at risk established in Tarasoff v. Regents of the University of California, 17 Cal.3d 425 (1976).[15] Colorado courts impose a duty to warn upon physicians and therapists based upon a determination of several factors including the risk involved, the foreseeability and likelihood of injury as weighed against the social utility of the defendant’s conduct, the magnitude of the burden of guarding against the harm, and the consequences of placing the burden of a duty on the defendant. Ryder v. Mitchell, 54 P.3d 885 (Colo. 2002).

Patient authorization. Disclosure of protected health information may be made under the HIPAA Privacy Rule if the health care provider has the express, HIPAA-compliant authorization of the individual whose protected health information is being disclosed, except for the disclosure of certain psychotherapy notes. 45 C.F.R. § 164.502(a)(1)(iv). A HIPAA authorization must be specific, limited in time and meet several requirements set forth in 45 C.F.R. § 164.508.

An authorization form that complies with HIPAA, developed by and for law enforcement officials, is attached to this opinion as Attachment B.[16]

Enforcement of the HIPAA Privacy Rule. Violators of the HIPAA Privacy Rule are subject to government enforcement.[17] If disclosure is not permitted under the rule but information is released anyway, the disclosing health care provider is subject to civil penalties and potential criminal sanctions.

Civil penalties are $100 for each violation, up to a maximum of $25,000 per year for all violations of the HIPAA Privacy Rule. 42 U.S.C. § 1320d-5(a)(1). Criminal penalties include one to ten years of prison with penalties ranging from $50,000 to $250,000 for knowing violations committed under false pretenses or with the intent to use protected health information for malicious harm, personal gain, or commercial advantage. 42 U.S.C. § 1320d-6.

As described in this opinion, HIPAA’s disclosure rules are complex and sometimes difficult to apply. In circumstances in which a disclosure can invite civil or criminal penalties, unsure health care providers understandably may be reluctant to make the disclosure.

The agency that enforces the HIPAA Privacy Rule has described its approach to enforcement. It says:

. . . [T]o the extent practicable, OCR will seek the cooperation of covered entities in obtaining compliance with the Privacy Rule, and may provide technical assistance to help covered entities voluntarily comply with the Rule. See 45 C.F.R. § 160.304. As further provided in 45 C.F.R. § 160.312(a)(2), OCR will seek to resolve matters by informal means before issuing findings of non-compliance, under its authority to investigate and resolve complaints, and to engage in compliance review.

68 Fed. Reg. 18,897 (April 17, 2003) (preamble to interim enforcement regulations).

Finally, an individual whose privacy rights are violated by improper disclosure under the HIPAA Privacy Rule does not have an ability — under this statute — to recover damages for his or her injury. There is no private right of action under HIPAA. The legal recourse for an individual about whom a disclosure has been made is either to file a complaint with the Office of Civil Rights or to proceed under some other legal theory.

HIPAA preemption of state law. The HIPAA Privacy Rule preempts contrary state laws relating to the privacy of individually identifiable health information. 42 U.S.C. § 1320d-7. The HIPAA Privacy Rule does not preempt state laws that protect more strictly the disclosure of medical information. Also, HIPAA does not preempt state laws that provide for reports of disease, injury, child abuse, birth, or death. 45 C.F.R. § 160.203(c) (2003). The HIPAA Privacy Rule therefore does not preempt Colorado laws that require health care providers to notify law enforcement of bullet wounds and other injuries resulting from criminal conduct.

Historically, patient consent was obtained by law enforcement officials to avoid violating Colorado’s theft-of-medical-record statute. The Colorado theft-of-medical-record statute, Section 18-4-412, C.R.S. (2002), was recently amended to exempt disclosures by health care providers and health plans that are covered entities under HIPAA.[18] Disclosures by a covered health care provider which are permitted under HIPAA are now permissible disclosures under Colorado law. Disclosures under Colorado’s theft-of-medical-record statute are limited for entities that are not covered under HIPAA, unless the disclosure is with the written authorization of the patient or an appropriate court order. Section 18-4-412, C.R.S. (2002).

Conclusion
HIPAA is a complex set of federal statutory and regulatory rules that regulate the disclosure of medical information to law enforcement officials. This opinion describes several of the most important portions of these rules.

Issued this 30th day of September, 2003.

[1] 65 Fed. Reg. 82,464 (Dec. 28, 2000).
[2] 45 C.F.R. Parts 160 and 164 (“HIPAA Privacy Rule”). Available at www.hhs.gov/ocr/hipaa.
[3] 45 C.F.R. § 160.102(a) (2003).
[4] The only disclosures required by the HIPAA Privacy Rule are disclosures at the request of the individual or by the federal Department of Health and Human Services, 45 C.F.R. § 164.502(a)(2) (2003), and neither is likely to be important to law enforcement officials.
[5] The HIPAA Privacy Rule broadly defines a law enforcement official to include an officer or employee of the United States, a State, territory, political subdivision or Indian tribe who is empowered by law to investigate an official inquiry into a potential violation of law, or prosecute or conduct a criminal, civil or administrative proceeding of an alleged violation of law. 45 C.F.R. § 164.501 (2003).
[6] 45 C.F.R. § 164.502(b)(2)(v) (2003).
[7] Section 12-36-135(3), C.R.S.
[8] The HIPAA Privacy Rule has other requirements for responding to a subpoena or court order issued by parties in the course of a judicial proceeding. 45 C.F.R. § 164.512(e).
[9] 65 Fed. Reg. 82,532 (Dec. 28, 2000).
[10] The Office of Civil Rights in the federal Department of Health and Human Services says that the victim’s authorization is required before protected health information can be released about a victim to law enforcement. Standards for Privacy of Individually Identifiable Health Information, Office of Civil Rights, U.S. Department of Health and Human Services, Page 116 (Dec. 3, 2002). Also available at http://www.hhs.gov/ocr, Frequently Asked Questions, Answer 349.
[11] Section 12-36-135(1), C.R.S. (2003).
[12] 45 C.F.R. § 164.512.
[13] 65 Fed. Reg. 82,527 (Dec. 28, 2000).
[14] Section 12-36-135(1), C.R.S. (2002).
[15] 65 Fed. Reg. 82,538 (Dec. 28, 2000).
[16] This authorization form was developed by the Office of the District Attorney for the First Judicial District.
[17] The Office of Civil Rights in the federal Department of Health and Human Services enforces the HIPAA Privacy Rule.
[18] HB 03-1164, amending 18-4-412, C.R.S. (2002) effective July 1, 2003.