Healthcare providers, including hospitals and federally qualified health centers (FQHCs), that are regulated by HIPAA are required to protect the identity of patients receiving services at their facilities, and patients’ identifiable health information. These healthcare providers, as well as healthcare providers and organizations that are not subject to HIPAA regulations, must comply with other applicable federal and state laws protecting the confidentiality of patient data. The laws and regulations protecting the confidentiality of an individual’s health information contain a number of exceptions permitting the use and disclosure of patient data without an individual’s authorization. From time to time, healthcare providers may receive requests or onsite visits from law enforcement officials seeking information about, or access to, patients. These requests may relate to investigations of crimes, safety checks, legal disputes, or — as has been in the news in the weeks following the change of administration — immigration investigations by U.S. Immigration and Customs Enforcement (ICE).
While the obligation to protect the confidentiality of patients and their information in the face of requests from law enforcement is not new, healthcare providers may be faced with increased requests. Healthcare providers and other organizations holding regulated health data should understand 1) their obligations to protect patient confidentiality, 2) the leeway the organization has to disclose information to ICE and other law enforcement agencies, and 3) the policies and processes the organization is required to follow when receiving law enforcement requests for information.
Healthcare providers can best position themselves to respond to ICE and other law enforcement requests by taking the time to understand applicable legal obligations, by reviewing, updating, or implementing policies and procedures to guide workforce members through these sometimes high-pressure scenarios, and by ensuring that frontline staff and compliance teams receive thorough, role-based training to respond to requests from law enforcement for patient information or to enter non-public areas of a facility.
HIPAA requirements for disclosing PHI to law enforcement
The HIPAA Privacy Rule requires healthcare providers to protect the confidentiality of patient identities and identifiable health information, or what HIPAA refers to as protected health information (PHI). The Privacy Rule specifically addresses when a healthcare provider may disclose PHI to a law enforcement official. For example, a healthcare provider may disclose PHI to law enforcement when an individual has signed a HIPAA authorization. Even without a signed authorization, healthcare providers may, but are not required to, disclose PHI in response to a request from a law enforcement official:
- If the request is accompanied by a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, or grand jury subpoena.
- In response to an administrative request, such as an administrative subpoena or summons, a civil or authorized investigative demand, or a similar process authorized by law. In this case, the information must be relevant and material to a legitimate law enforcement inquiry. The request from the law enforcement official must be specific and limited in scope, to the extent reasonably practical, to accomplish the intended purpose. De-identified information cannot be used to satisfy the request.
- To respond to a request for the purpose of identifying or locating a suspect, fugitive, missing person, or material witness. In these circumstances, the healthcare provider may only disclose the following PHI, as applicable: the individual’s name and address, their date and place of birth, their Social Security number, their blood type and rh factor, the type of injury, the date and time of the treatment provided to the individual, the date and time of the individual’s death (if appropriate), and a description of the individual’s identifying physical characteristics.
- To respond to a law enforcement official’s request for PHI about a victim of a crime if either (i) the victim agrees or (ii) if, due to an emergency or the victim’s incapacity, they are unable to agree, the covered entity may disclose the requested PHI if the law enforcement official represents that the information is not intended to be used against the victim, is necessary to determine whether another person broke the law, the law enforcement investigation would be materially adversely affected by waiting until the victim could agree, and if the healthcare provider believes (in its professional judgment) that disclosing the requested PHI is in the best interest of the victim.
- For requests related to certain specialized governmental law enforcement purposes, such as to federal officials authorized to conduct activities under the National Security Act or to a law enforcement official having lawful custody of an inmate in certain circumstances.
If a healthcare provider chooses to disclose PHI to law enforcement under the circumstances above, the healthcare provider should ensure that it is disclosing only the minimum necessary PHI to satisfy the request (or more limited information, as discussed above) and, to the extent the law enforcement official requesting PHI is not known to the healthcare provider, must verify the identity and authority of the requestor.
In April 2024, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services promulgated a final rule updating the HIPAA Privacy Rule. In its commentary, OCR discussed how it became aware, including through comments and a Congressional inquiry, that HIPAA-regulated entities were misinterpreting the Privacy Rule provision regarding permissible disclosures of PHI after receipt of administrative requests from law enforcement. In the updates to the Privacy Rule, OCR clarified that, without an individual’s authorization, disclosures of PHI to law enforcement are permissible in response to administrative requests “for which a response is required by law.”
The April 2024 updates to the Privacy Rule also clarified that a HIPAA-regulated entity may not disclose PHI that relates to reproductive healthcare for the purpose of investigating a person, or seeking to impose liability on a person, for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, or to identify any person for such purposes. Although ICE inquiries are unlikely to involve investigations regarding reproductive healthcare, HIPAA-regulated organizations that have not yet adopted or updated policies and procedures to address these new requirements should take action, because these new rules may impact certain requests from law enforcement.
State privacy law implications
Although HIPAA permits disclosures to law enforcement under certain circumstances, any such disclosures also must comply with applicable state law. HIPAA is preempted to the extent that state law is more restrictive or provides greater privacy protection. As an example, NYS Public Health Law 2803-c(3)(f) states that “Every patient shall have the right to have privacy in treatment and in caring for personal needs, confidentiality in the treatment of personal and medical records, and security in storing personal possessions.” In New York, providers may disclose PHI to law enforcement when required by law or pursuant to a court order or a court-approved subpoena.
There are limited statutory exceptions that permit or require disclosures without a patient’s authorization. One such exception is NYS Penal Law §265.25, which requires a physician attending or treating the case, or the manager, superintendent, or other person in charge of a hospital, sanitarium, or other institution, to report to police authorities, “[e]very case of a bullet wound, gunshot wound, powder burn[,] or any other injury arising from or caused by the discharge of a gun or firearm, and every case of a wound [that] is likely to or may result in death and is actually or apparently inflicted by a knife, icepick[,] or other sharp or pointed instrument.” Further, with regard to mental hygiene records in New York, the release of records or information about patients or clients requires not only a court order but also a finding by the court that the interests of justice significantly outweigh the need for confidentiality.
In the State of Washington, without satisfaction of another exception that permits the disclosure of PHI to law enforcement, when faced with a summons, subpoena, discovery request, or other process not accompanied by a court order or an order from an administrative tribunal, RCW 70.02.060 requires an attorney to provide advance notice to both the healthcare provider and the patient/patient’s attorney that identifies the healthcare provider from which records are requested, the information sought, and the date by which the patient must obtain a protective order to prevent the healthcare provider from complying with the request, which shall be at least 14 days after the notice. If the requestor follows this process, Washington state law requires the healthcare provider to disclose the applicable PHI.
How can healthcare organizations balance compliance obligations?
In the event there is increased interaction between healthcare providers and law enforcement officials resulting from the recent policy changes under the new administration, taking steps to prepare should reduce the stress and anxiety of such encounters. In addition to reviewing current policies and procedures, healthcare organizations should retrain staff on internal procedures for responding to and handling law enforcement officials’ requests for patient information. Frontline staff should be reminded 1) how to respond and whom to contact when law enforcement officials arrive, 2) that law enforcement officials do not have access to non-public areas of the facility without a warrant signed by a judge that specifically identifies the healthcare provider and facility, and 3) to maintain patient privacy by politely declining to answer questions and directing law enforcement officials to supervisors or other personnel who have been designated to handle inquiries from law enforcement.