national security (HIPAA)

Under HIPAA's Privacy Rule, covered entities may disclose protected health information (PHI) to authorized federal officials for the conduct of "lawful intelligence, counter-intelligence, and other national security activities."

The authority for such disclosures includes the National Security Act (50 U.S.C. 401) and its implementing authority (e.g., Executive Order 12333); and the Foreign Intelligence Surveillance Act (FISA, 50 U.S.C. 1861), as amended by the USA Patriot Act (USAPA). USAPA permits FISA-warrant searches of "any tangible thing" (including any business records) that could relate to "international terrorism or clandestine intelligence activities." Fruits of such searches may be shared with domestic law enforcement authorities.

HIPAA provides that covered entities may temporarily suspend the right of disclosure accounting for law enforcement or national security disclosures when provided with a written or oral justification. (Under USAPA, covered entities may in effect be permanently prohibited from informing the search subject(s) or anyone else of this kind of disclosure.)

Note that these recent changes make the dividing line between national security and law enforcement activities much less clear-cut. Law enforcement disclosures have generally had more procedural requirements and protections for the search subject than those associated with national security investigations.


   © 2002-2006 Contributing authors and University of Miami School of Medicine