PWW Breaking News Alert – OCR Final Rule on PHI disclosure to law enforcement

OCR Final Rule Has a Significant Change Related to Law Enforcement Administrative Requests
The Office for Civil Rights (OCR) recently issued a Final Rule significantly tightening the conditions under which HIPAA-covered entities can disclose protected health information (PHI) to law enforcement pursuant to an “administrative request.” The new regulation, which becomes effective on June 25, 2024, clarifies that disclosures of PHI in response to administrative requests are only permissible when a response to the request is required by law.

Current Regulation and Interpretation

Currently, under 45 CFR §164.512(f)(1)(ii)(C), covered entities may disclose PHI in response to an administrative request or similar process, provided the request:

  1. Is relevant and material to a legitimate law enforcement inquiry;
  2. Is specific and limited in scope to the extent reasonably practicable; and
  3. States that de-identified information could not reasonably be used.

This regulation was widely interpreted to mean that a request on law enforcement letterhead containing these three affirmations sufficed to permit PHI disclosure to law enforcement under this exception.

The Change – Effective June 25, 2024

OCR in the Final Rule emphasizes that previous interpretations were incorrect. Starting June 25, 2024, disclosures of PHI to law enforcement pursuant to administrative requests will be allowed only when the response is “required by law.” Requests on law enforcement letterhead, even if they include the three affirmations, will no longer meet the regulatory exception unless accompanied by a legally binding document, such as a court-issued subpoena, summons, warrant, or similar process for which a response is required by law. Although the regulation is effective June 25, 2024, OCR said that covered entities must comply with the new regulation by December 23, 2024. So, OCR will not impose penalties for violations of the new regulation until then.

Implications for Law Enforcement

Beginning June 25, 2024, law enforcement agencies must provide court-ordered documents or other legally binding processes to compel PHI disclosure under the “administrative request” exception. Without such documentation, a covered entity cannot release PHI to law enforcement under this exception.

Other HIPAA Exceptions Remain Unchanged

This update specifically addresses administrative requests and does not affect other law enforcement-related exceptions under HIPAA, including releasing necessary PHI for:

  1. Identifying or locating suspects, fugitives, material witnesses, or missing persons.
  2. Disclosing PHI when the patient is a crime victim under certain conditions.
  3. Disclosures related to criminal conduct on the covered entity’s premises.
  4. Reporting a suspicious death to law enforcement.
  5. Reporting a crime in an emergency.

Updated Regulation Text

Here is how the regulation, 45 CFR §164.512(f)(1)(ii)(C), will read as of June 25, 2024, with the new language in red:

An administrative request for which response is required by law, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

  1. The information sought is relevant and material to a legitimate law enforcement inquiry;
  2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  3. De-identified information could not reasonably be used.

This crucial clarification by the OCR aims to ensure PHI disclosures are appropriately regulated and only made when legally necessary, reinforcing the protection of patient privacy while maintaining compliance with law enforcement needs.

For further details, refer to page 33043 of the OCR’s Final Rule document.

Please reach out to the PWW attorneys and PWW|AG consultants HERE with any questions regarding this Final Rule.