\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Health Care Providers' Obligations under HIPAA in Response to Criminal Investigations
\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0The Health Insurance Portability and Accountability Act ("HIPAA" or the "Act") was signed into law in 1996.iThe Act and the regulations promulgated thereafter created rules to protect patients' individual health information.[II]The HIPAA regulations also require that entities that possess patient health information implement certain administrative, technical and physical safeguards to prevent its disclosure.[III] Additionally they set forth privacy standards with regard to the use and disclosure of patient health information. [IV] The privacy standards concerning patients' individual health information went into effect in 2003. It is these standards you normally envision when thinking about HIPAA. Traditionally HIPAA governs the transfer of patient medical data from one medical provider to another or some third party involved in patient care. However, one area on which HIPAA's impact has not been explored is in the context of criminal prosecutions. This article addresses how a health care provider should react to a request for the disclosure of intangible patient health information sought in the defense of a criminal prosecution.
\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0As the attorney for a health care provider, consider the following scenario. A criminal defense attorney approaches your client seeking to interview your client's employees concerning statements that may or may not have been made by the victim during his course of treatment at your client's facility. It is the criminal defense attorney's position that the interviews are material to the defense of his case on the basis of guilt/innocence and/or impeachment. He may very well have a valid argument on this point since your client's employees may possess information that is material to his client's defense. After all it is well established that a criminal defendant has a right to present a complete defense.[V] Additionally, due process mandates access to material information, and any public interest protecting sensitive information should not prevent its disclosure.[VI] Thus, the defense attorney's argument that it is germane to the defense of his case to be able to discuss the medical treatment of the victim with the medical providers does hold merit.
\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0However, HIPAA defines "health information" as any information, be it oral or recorded, in any form related to the physical or mental health of an individual.[VII] A medical provider may only use or disclose a patient's protected health information without authorization by the patient as prescribed for in HIPAA, subject to its exceptions. One of these exceptions is the law enforcement exception.[viii] Unlike a criminal defense attorney, under the law enforcement exception, law enforcement officials, which include solicitors, can request health information from a medical provider through (in addition to other means) an administrative or investigative request, and the health care provider can...