This post, Can law enforcement access patient information? Sometimes, first appeared on

Hospital emergency departments treat a diverse population that includes victims of abuse, individuals with substance abuse disorder and those who may have been involved in crime.

Do situations arise that obligate them to share patient information with law enforcement without patient authorization, or that cause them to initiate such cooperation in the interest of public and patient safety? Sometimes.

That includes reporting evidence to law enforcement of a crime believed to have occurred on a hospital’s campus, but a combination of federal and state laws exists to protect patients’ privacy rights around disclosure of medical information without their consent to outside parties by entities like hospitals.

Last month, the family of Madelyn Ellen Linsenmeir filed a suit against the Springfield Police Department and the city of Springfield for records about the Vermont woman’s death in custody. In a series of texts, an ailing Linsenmeir expressed concern to family members that if she sought care at a hospital, it would check for warrants and she would be sent to jail.

There are provisions that allow health care facilities to release patient information to law enforcement without patient consent but no requirement for such cooperation under federal patient privacy laws.

A hospital may, for example, disclose to law enforcement “protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public,” or respond under state law to a court order, summons or administrative request from a law enforcement official that meets certain criteria, or comply with mandatory reporting requirements for victims of child abuse, gunshot wounds as well as cases of communicable diseases.

Disclosure of individually identifiable protected health information for other than routine care or payment generally requires written patient consent.

Legislation related to the Health Insurance Portability and Accountability Act, which dates to 1996 and is often referred to as HIPAA, requires providers to inform patients of their privacy practices developed in accordance with state law and to have a patient’s written acknowledgement of this notification.

The notices generally tell patients of their rights to access their medical information, request it not be shared for such things as treatment or payment and explain under what circumstances a provider must comply under the law with outside requests for protected health information as well as how to file a complaint.

Federal HIPAA legislation has evolved to refine who must comply, what information is protected and penalties that can be enforced when it is not.

A covered entity, that is, a provider covered by HIPAA, must disclose protected health information in only two situations, according to the U.S. Department of Health and Human Services.

These are disclosures to individuals – or their personal representatives – specifically when they request access to, or an accounting of disclosures of, their protected health information, and to HHS when it is undertaking a compliance investigation or review or enforcement action. Covered entities may, under HIPAA, respond to a law enforcement request for an individual’s protected health information for purposes of identifying or locating a suspect, fugitive, material witness or missing person.

The covered entity in this case must limit disclosure to the name and address, date and place of birth, Social Security number, blood type and Rh factor, type of injury, date and time of treatment, date and time of death and a description of distinguishing physical characteristics.

Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples or analysis cannot be disclosed under this provision, according to HHS, but may be disclosed in response to a court order, warrant or written administrative request.

An administrative request not from a judicial officer must include an attached letter from law enforcement stating that the “information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used.”

Law enforcement may be given access to certain protected health information for a patient who is in custody but not once that person is released from custody.

States like Massachusetts have enacted legislation to reinforce that hospitals and other health care settings are not extensions of the criminal justice system in terms of criminalizing opioid use disorder, something those with the disorder may not always realize. In 2012, Massachusetts General Law, chapter 94, section 34A, governing controlled substances and drug-related overdoses was updated to include the following provisions:

  • A person who, in good faith, seeks medical assistance for someone experiencing a drug related overdose shall not be charged or prosecuted for possession of a controlled substance under sections 34 or 35 if the evidence for the charge of possession of a controlled substance was gained as a result of the seeking of medical assistance.
  • A person who experiences a drug-related overdose and is in need of medical assistance and, in good faith, seeks such medical assistance, or is the subject of such a good faith request for medical assistance, shall not be charged or prosecuted for possession of a controlled substance under said sections 34 or 35 if the evidence for the charge of possession of a controlled substance was gained as a result of the overdose and the need for medical assistance.

In drafting their Notices of Privacy Practices, providers must comply with both state laws, which can be more restrictive about disclosing protected health information without prior patient consent, and HIPAA regulations.

What can be disclosed to law enforcement without a court order, subpoena or patient authorization can become a matter of debate as demonstrated by a case in Utah last year in which a nurse refused to let a police officer draw blood without a warrant from an unconscious patient.

Generally, HIPAA and state laws allow for disclosure of protected health information when issues of public health and safety are deemed to arise as well as around issues of child and elder abuse. The HIPAA Privacy Rule includes 12 provisions that allow for the disclosure of protected health information without individual authorization by providers to whom HIPAA applies. Two of these provisions related to legal requests are reiterated below:

  • Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
  • Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Massachusetts has a website that addresses disclosure of confidential health information. Among its key points on state confidentiality laws:

  • Massachusetts laws applicable to institutional health care providers (hospitals and clinics) are, in general, not as stringent as HIPAA. G.L. c. 111, §70. Those that apply to hospitals and clinics operated by the Department of Mental Health (DMH), however, permit disclosure of a patient’s health information without a patient’s written consent only in very limited circumstances, including: at DMH’s request, pursuant to a court order, or where the disclosure is determined to be in the patient’s best interests and it is not possible or practicable to obtain the patient’s written consent. G.L. c. 123, §36; 104 CMR 27.17.
  • There is no state confidentiality law that applies to physicians. However, Massachusetts courts have recognized a duty of confidentiality that all doctors in the Commonwealth owe to their patients. Physicians generally must not disclose a patient’s health information without the patient’s written consent, subject to limited exceptions (such as to meet a serious danger to the patient or to others or pursuant to a court order). Alberts v. Devine, 395 Mass. 59, 68 (1985).
