Why is everyone talking about provider disclosures to law enforcement of late? The Senate Finance Committee authored a letter to Xavier Becerra, Secretary of the U.S. Department of Health and Human Services (HHS), outlining the results of a congressional inquiry into the data-sharing practices of pharmacies throughout the country. The letter was in response to proposed HIPAA rules intended to address disclosure to law enforcement agencies in light of the Dobbs v. Jackson case overturning Roe v. Wade, reactivating state law governing (and banning, in many cases) abortion. The essence of the letter is that these proposed measures to limit disclosures to law enforcement do not go far enough. The letter specifically alleges that some pharmacies may have shared data with law enforcement without a warrant and highlights that prescriptions often contain sensitive and potentially stigmatizing information. The letter suggests that the proposed rules be revised to:

1. Require warrants prior to sharing information with law enforcement agencies;
2. Prevent sharing between law enforcement agencies; and
3. Require notification when information is disclosed to law enforcement agencies.

Below, we outline key considerations for pharmacies and other healthcare providers when reviewing law enforcement requests. We urge providers to be vigilant about the scope of any disclosures made to law enforcement and pay attention to required versus permissive disclosures in light of the context of requests.

Providers should review HIPAA’s current requirements surrounding law enforcement requests

The HIPAA Privacy Rule currently permits covered entities (such as healthcare providers or health plans) to disclose protected health information (PHI) to law enforcement officials without written authorization from patients, under specific circumstances. Those specific circumstances are:

• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena;
• To respond to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law;
• To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person;
• To respond to a request for PHI about a victim of a crime, if the victim is incapacitated;
• To alert law enforcement to the death of the individual;
• To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises;
• When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity;
• To identify or apprehend an individual who appears to have escaped from lawful custody;
• For certain other specialized governmental law enforcement purposes, federal intelligence, counterintelligence, and other national security activities; and
• To report PHI to law enforcement when required by law (e.g., to meet state law requirements that certain types of injuries or illnesses be reported for public health and safety purposes).

The above list highlights the challenges that providers face in reviewing law enforcement requests; these circumstances are highly fact-specific and may often require staff to seek additional information from law enforcement officials to determine the permissibility of the request.

Providers must be aware of more stringent state laws

Note that regardless of whether the proposed HIPAA rules are revised to address the stated privacy concerns, where state or local law enforcement agencies are requesting records, more stringent state laws will apply. For example, many states require requests for health data to be made in a specific format (for example, in writing, using a specific form, or signed by a specific government official).

Additionally, state law is typically more restrictive when it comes to disclosing “sensitive” categories of data, such as mental health records, alcohol or substance use disorder records, and data regarding sexual or reproductive health. When faced with a law enforcement request, healthcare providers must ensure that any disclosure meets the requirements of HIPAA (current and future state) and state law for the specific types of information sought by law enforcement.

Providers should limit lawful disclosures to only the information requested

If a provider determines that a request for health information made by law enforcement complies with HIPAA and state law, any disclosures made should be tailored to provide only the information requested. Such disclosures are subject to HIPAA’s “minimum necessary” standard, which states that only the minimum amount of PHI necessary to fulfill the purpose of the request should be disclosed. For example, if a law enforcement officer is seeking records about treatment provided to a patient during a specific date range (ideally specified in writing or the warrant), only the records associated with that date range should be provided.    

Providers should ensure staff understand organization policies and procedures

The Senate Finance inquiry noted that pharmacies handle law enforcement requests differently; some allow pharmacy staff to handle requests and make disclosures, while others require all law enforcement requests to be reviewed by legal counsel. Providers should review their policies, procedures, and any staff training materials to ensure that staff are aware of how to process and handle law enforcement requests as well as who at the company can be contacted for assistance when these types of requests are received.

Providers should watch for the final rule

While timing of final HIPAA rules is certainly not predictable, the issues that gave rise to this letter are highly charged, which may result in a faster rulemaking process, at least regarding pharmacy disclosure of prescription data to law enforcement. While the April 2023 Notice of Proposed Rule Making was specific to reproductive issues being disclosed to law enforcement, the letter calls for broader protection. Providers should review their current operations to ensure compliance and monitor changes to existing disclosure requirements.