At some point in time every organization will face a search warrant, receive a subpoena for records, or a request from a law enforcement official for copies of medical records. Not responding appropriately, and not knowing the difference between a search warrant and a subpoena can have a detrimental impact on a health care organization.
While both are very important legal documents, there are dramatic differences between a search warrant and a subpoena. A search warrant allows law enforcement officials to have immediate access to the part of the organization listed on the search warrant. Every organization should have a policy in place stating specifically what should be done in the event the organization is served with a search warrant.
A subpoena on the other hand, is simply a formal demand for documents and does not grant immediate access to the information sought. Rather, a subpoena grants reasonable access after the organization has been given reasonable notice.
As it relates to protected health information, a search warrant allows the agency enforcing the warrant to seize original documents, including documents that contain PHI if such documents fall within the description on the face of the search warrant. A subpoena does not give the law enforcement officials the right to seize original documents, and there are specific requirements for release of PHI pursuant to a subpoena. If the subpoena is signed by a judge, or is accompanied by a court order signed by a judge, a covered entity may disclose PHI in response to the subpoena. If the subpoena is signed by anyone other than a judge (attorney, clerk, etc.) and is not accompanied by a copy of a court order, a covered entity may only disclose PHI once it receives satisfactory assurances from the party seeking the information that reasonable efforts have been made to ensure the individual who is the subject of the PHI has been given notice of the request, or that reasonable efforts have been made by the party seeking the information to secure a protective order. (It is important to note some states have a special set of rules for situations where a child has been declared to be a child in need of assistance.)
Much more frequently, provider organizations receive requests from local law enforcement for records, videos, etc. that include PHI in connection with an investigation being conducted by the local law enforcement agency, and often these requests are at odds with the provisions of HIPAA which require specific conditions be met before disclosing the requested PHI.
1. Pursuant to a process required by law. (i.e. mandatory reporting, gunshot wound, etc.)
2. Limited information for identification and location purposes – information needed to identify or locate a suspect, fugitive, material witness or missing person.
3. Victims of a crime – if the individual agrees, a covered entity may release PHI of an individual who is, or is suspected to be, a victim of a crime. If the individual’s consent cannot be obtained because of incapacity or other emergency situation, the covered entity may release PHI if it feels it is in the best interest of the individual, and law enforcement represents such information will not be used against the individual. It is very important to point out though, in the situation where a video is requested, if that video also contains images of another client, not a victim of the crime, the organization cannot release the video absent a court order or a subpoena that meets the requirements set forth above.
4. Decedents – PHI may be released for the purpose of notifying law enforcement of the individual’s death.
5. Crime on the premises – PHI may be disclosed if the covered entity believes in good faith the PHI constitutes evidence of criminal conduct on the premises.
6. Reporting crime in emergencies – When providing emergency health care in response to a medical emergency not on its own premises, PHI may be released to law enforcement for various factors related to the commission, victim or perpetrator of a crime.
The moral of the story is: before handing out PHI, understand the type of request and the obligations that go along with the particular type of request.