HIPAA Privacy Rule Operational Bulletin

THE INFORMATION PROVIDED IN THIS OPERATIONAL BULLETIN IS FOR GENERAL GUIDANCE PURPOSES ONLY AND DOES NOT CONSTITUTE LEGAL ADVICE. EMS AGENCIES SHOULD CONSULT THEIR LEGAL COUNSEL TO UNDERSTAND HOW THE RECENT CHANGES TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) REGULATIONS IMPACT THEIR SPECIFIC CIRCUMSTANCES.

Until June 25, 2024, the HIPAA Privacy Rule, specifically 45 CFR § 164.512(f)(1)(ii)(C), allowed covered entities to disclose PHI without patient consent for a law enforcement purpose to a law enforcement official in compliance with an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided the request:

•             It is relevant and material to a legitimate law enforcement inquiry.

•             Is specific and limited in scope to the extent reasonably practicable; and

•             States that de-identified information could not reasonably be used.

The HIPAA Privacy Rule has been amended, effective June 25, 2024, to clarify that covered entities may disclose PHI without patient consent for a law enforcement purpose to a law enforcement official in compliance with an administrative request only if the request meets the three conditions specified above and is one which requires a response by law. Examples of requests that require a response by law are an administrative subpoena or summons and a civil or an authorized investigative demand. EMS agencies are responsible for determining whether a request for PHI from law enforcement is one for which response is required by law and for disclosing PHI without patient consent under 45 CFR § 164.512(f)(1)(ii)(C) only when complying with such a request.

HIPAA Clarification Regrading Law Enforcement Requests (PDF) (7/15/24)