ATTACHMENT A TO FORMAL ATTORNEY GENERAL OPINION

Attorney General of Colorado — Opinion
September 30, 2003

ATTACHMENT A TO FORMAL ATTORNEY GENERAL OPINION HIPAA PRIVACY MATRIX DISCLOSURES TO LAW ENFORCEMENT

Reason for HIPAA Cite Required or Permitted In Response or Voluntarily
Disclosure

Required by law 45 C.F.R. Required by Colorado law, C.R.S. Can volunteer under HIPAA
164.512(a) and 12-36-135, to must report under Colorado
164.512(f)(1)(i) report at once to law enforcement, any injury a law.
provider believes to be the result of a
criminal act.
Disclosure limited to information on observed
injury.

45 C.F.R. Required by court order or warrant; subpoena or
164.512(f)(1)(ii) summons issued by a
judicial officer; grand jury
subpoena; administrative and civil subpoena; or
civil or investigative demands authorized by law if
the information sought is relevant, specific, limited
and material to a
law enforcement inquiry and deidentified
information could not reasonably be
used.

To identify or 45 C.F.R. Permitted to locate a In response to a
locate a suspect, 164.512(f)(2) suspect, fugitive, material witness or law enforcement
fugitive, material missing person but may only disclose name; address; date official’s request
witness or missing and place of birth; social security number; ABO blood type to locate or identify a
person and rh factor; type of injury; date and time of treatment; date suspect, fugitive,
and time of death; and description of distinguishing physical material witness or
characteristics including height, weight, gender, race, hair missing person.
and eye color, presence or absence of facial hair, scars and
tattoos. No DNA information may be disclosed.

Information about a 45 C.F.R. Permitted to disclose information about a In response to law
victim or suspected 164.512(f)(3) person enforcement official’s request
victim of a crime who is or is suspected to be a
victim of a
crime if:
Individual consents; or

Consent not possible because of incapacity or
emergency circumstance and law enforcement
represents that information is needed to determine
whether a
violation of law has occurred by a
person
other than the victim and the information is not
intended to be used against the victim, immediate
law enforcement activity depends on the disclosure
that would be materially and adversely affected by
waiting for the individual’s consent, and in the
exercise of the covered entity’s professional
judgment the disclosure is in the best interest of the
victim.

Disclosures about a 45 C.F.R. Permitted under HIPAA if the covered entity has a Can volunteer under HIPAA
Decedent where 164.512(f)(4) suspicion that the death may have resulted from Must report under Colorado
provider suspects criminal conduct. law
criminal activity
caused death Colorado law requires the reporting of injuries
believed to be the result of a
criminal act.

Crime on the 45 C.F.R. Permitted if the covered entity believes Can volunteer under HIPAA
premises of a 164.512(f)(5) in good faith the protected health
covered entity information constitutes evidence of
criminal conduct occurring on the premises
of the covered entity.

In a medical emergency, 45 C.F.R. Permitted if emergency is not on the covered entity’s Can alert law enforcement
about the commission 164.512(f)(6) premises to alert law enforcement to the commission and and volunteer
and nature of a crime, nature of a crime; the location of the crime or the victim of
the location of the crime; and the identity, description and location of the
crime, crime victims, perpetrator of the crime.
and the perpetrator of
the crime.

To report child abuse 45 C.F.R. Required to report under Colorado law, C.R.S. 19-3-304, Can volunteer under HIPAA
and neglect 164.512(b)(1)(ii) to county social services or local law enforcement agency. Must report under Colorado
Permitted by HIPAA to a government authority authorized law
by law to receive reports of child abuse or neglect.

To report abuse, 45 C.F.R. Colorado law, C.R.S. 12-36-135, requires the Can volunteer under HIPAA
neglect and domestic 164.512(c) reporting of injuries the provider believes resulted Under Colorado law, must
violence (other than from a report injuries from criminal
child abuse) criminal act including domestic violence. conduct including domestic
violence
For disclosures beyond the observed injury,
HIPAA permits disclosures to report a
person the
covered entity reasonably believes to be a
victim of
abuse, neglect, or domestic violence to a
government authority authorized by law to receive
report of abuse if:

1. The individual consents, or

2. The disclosure is expressly authorized by
statute and the CE believes the disclosure is
necessary to prevent serious harm to the
individual or other potential victims, or

3. The disclosure is expressly authorized by
statute and the individual cannot agree because
of incapacity and law enforcement official
authorized to receive a
report represents that
disclosure will not be used against the
individual, immediate law enforcement activity
depends upon the disclosure and would be
materially and adversely affected by waiting for
the individual’s consent.

Must inform the individual of these disclosures.

To avert a 45 C.F.R. Permitted by HIPAA if the covered entity has a Can volunteer under HIPAA
serious threat 164.512(j) good faith belief the disclosure is necessary to Colorado may impose a
to health or safety. prevent or lessen a duty to warn
serious and imminent threat to a
person or public health or safety, and

Is to a
person reasonably able to prevent or lessen
the threat, including the target of the threat; or

Is necessary for law enforcement to identify or
apprehend an individual: because of a
statement
by an individual admitting participation in a
violent crime that the CE reasonably believes may
have caused serious physical harm to the victim,
or where it appears from all the circumstances
that the individual has escaped from a
correctional institution or from lawful custody.

Disclosures limited to the statement by the
individual and the limited information in section
164.512(f)(2)(i).

Disclosure not permitted if statement is learned in
the course of treatment to affect the propensity to
commit criminal conduct, or through a
request to
initiate or be referred to treatment.

Colorado courts may impose a
duty to warn third
persons under Tarasoff. See Ryder v. Mitchell,
54 P.3d 885 (Colo. 2002).

Patient Authorization 45 C.F.R. Disclosure is permitted pursuant to the individual’s HIPAA permits, Colorado
164.508 HIPAA-compliant authorization form, except for certain theft of medical records
uses of psychotherapy notes. statute requires patient
consent