New HIPAA Modifications Affect Law Enforcement Interaction

By Chuck Humphrey, B.A., EMT-B, CADS*

 

A Tightening!

The Office of Civil Rights (OCR) has been busy over the past few weeks.  OCR has announced some important changes tightening how healthcare covered entities respond to law enforcement requests.

The changes are brought about in large part on the heels of the recent United States Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which overturned the decades-old Roe v. Wade, leading many states to develop individual states’ rules concerning abortion and reproductive rights.

In their communication, OCR placed added restrictions on covered entities (ambulance services are covered entities) and, by association, business associates (billing agencies, ePCR vendors, etc. are business associates) on what information can and cannot be released and what is required of law enforcement agencies making such requests.

June 25, 2024

Specific to the release of reproductive healthcare information, effective on June 25, 2024, the HIPAA rules prohibit EMS agencies and their business associates from disclosing protected health information (PHI) for criminal, civil or administrative investigations or proceedings that are aimed against any person with regard to said transportation services provided.  As an arm of the federal government, the OCR intends to protect such information from release to any investigator who seeks to impose liability on such patients, where the reproductive service is deemed unlawful.

To enable reproductive health related information to be released, covered entities and business associates are required to obtain a signed attestation from the person requesting the information which states that the use or disclosure is not for a prohibited purpose before the PHI can be released.

Just a few miles…

It would appear that such requests made to an ambulance service will be rare.  However, examples of possible scenarios could include things like transports from abortion clinics to hospitals due to procedure complications, inter-state transports such as transporting a patient pre- or post-abortion from a state that outlaws abortion procedures to a state that allows such procedures, or vice-versa.

Obviously, many ambulance services operate on state borders.  Given the Dobbs decision, a few miles across a state border may change the enforcement rules and affect the patients your ambulance service transports.  Just a few miles can make a world of difference in how enforcement agencies are mandated to investigate and potentially prosecute such individuals.

NPPs must be updated!

Luckily, enforcement of this piece of the HIPAA revision will not begin until December 23, 2024, so there is time to revise policies and update your staff members on these changes.

Additionally, OCR notes that this revision mandates that all covered entities update their HIPAA Notice of Privacy Practices (NPPs) with verbiage that informs patients of this new rule.  This revision mandate is required to be in place no later than February 16, 2026.

Our supposition is that few of us take time to pay much attention to the NPP document, which may also be posted on your digital media.  Now is the time to take a quick look at the document and incorporate the wording changes that are necessary, so you do not forget to make the necessary changes!

Do you have a subpoena?

On the heels of the reproductive health revisions, OCR has stated that previous interpretations of the PHI disclosure rules pertaining to law enforcement administrative requests were incorrect.  Beginning with the June 25, 2024, date, disclosures of PHI to law enforcement related to administrative requests are only allowed when the response from the covered entity, or from the business associate acting on behalf of the covered entity, is required by law.

Of course, law enforcement agencies that make such requests and can produce a legally binding document accompanying the request can only do so when…

  • The information sought is relevant and material to a legitimate law enforcement inquiry;
  • The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  • De-identified information could not reasonably be used.

This correction means that requests for PHI from law enforcement MUST be accompanied by a legally binding document (i.e. warrant, subpoena, summons, etc.).  As noted above, covered entities and business associates must be in compliance with this new mandate by December 23, 2024.  No penalties will be assessed for violations between now and the December date.

Exceptions Remain

The OCR release stressed that the above-mentioned revision requiring an accompanying legally binding document only applies to administrative requests and has no effect on other HIPAA law enforcement exceptions which include releasing PHI for…

  • Reporting a crime in an emergency
  • Disclosures related to criminal conduct on the covered entity’s premises
  • Reporting a suspicious death to law enforcement
  • Identifying or locating suspects, fugitives, material witnesses or missing persons
  • Disclosing PHI when the patient is a crime victim under certain conditions

Important Take-Aways

  • New revisions effective June 25, 2024
    • Enforcement will not begin until December 23, 2024
    • ALL HIPAA NPP documents must be updated no later than February 16, 2026!
      • Best to consult with qualified legal counsel to ensure that required NPP verbiage meets the requirements of the new revision
  • Law enforcement revisions apply to administrative requests only and have no effect on other HIPAA enforcement exceptions for the release of PHI
  • Develop a means to identify and flag any and all transports that may involve reproductive health procedures for review in the event of a law enforcement request for PHI
  • Update your staff by incorporating these revisions into your regularly scheduled HIPAA training
  • Review internal SOPs and make revisions that speak to how PHI is released in the affected scenarios

 

*Chuck Humphrey is an independent contractor who spent 25 years in the EMS revenue cycle management industry, prior to his retirement from Quick Med Claims.  In addition to holding active EMT credentials in Pennsylvania, he is also a Certified Ambulance Coder, Certified Ambulance Compliance Officer and Certified Ambulance Documentation Specialist via the National Academy of Ambulance Compliance.  Humphrey is a periodic guest contributor to the QMC blog and podcast space.

 
