May a covered entity disclose PHI to law enforcement without authorization from the patient?
A covered entity may disclose PHI to law enforcement officials as follows:
- In response to a court order, subpoena, warrant, summons, or similar process
- Limited information to identify or locate a suspect, fugitive, material witness, or missing person who may have been a victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement
- About a death we believe may be the result of criminal conduct
- In emergency circumstances to report a crime, the location of the crime victims, or the identity, description, or location of the person who committed the crime
If you receive a request from law enforcement, you may contact the Office of HIPAA Privacy & Security for assistance in reviewing the request. All requests from law enforcement must be received in writing on official letterhead.
All releases must be accounted for using an Attachment 45 and sent to Office of HIPAA Privacy & Security for scanning into the central repository.