HIPAA as a Shield for Criminal Acts

  • 1.  HIPAA as a Shield for Criminal Acts

    Posted 10-11-2018 10:22 AM

    You can't make this stuff up, and I just have to share this.  One of our staff members was the victim of an assault off-campus, totally unrelated to her work.   The assailant was not known to the staff member, and law enforcement was not able to make an arrest.  Recently, the assailant sought care at a location where the victim works, and they recognized each other.  The assailant warned the victim that HIPAA prevents her from notifying law enforcement of his identity!


    My plan of action, and please comment if you have any additional or contrary thoughts, is to have the victim contact the investigator assigned to her case and advise that she now knows the identity of her assailant, but the assailant has warned her that federal law prevents her from disclosing the assailant's name.   I have instructed that she should ask the investigator to contact me, as Privacy Officer, to obtain the assailant's name, etc. 


    I will disclose the assailant/patient's PHI per 45 CFR 164.512(f)(2) which permits disclosure of PHI in response to a law enforcement request to identify or locate a suspect, fugitive or material witness, or per 512(f)(5) that permits disclosure of PHI related to a crime on premises.  Although I don't purport to know criminal law, I believe that the assailant/patient attempted to alter evidence or intimidate a witness when he warned her that HIPAA prevents her from disclosing his identity.   


    I do not agree with the assailant's interpretation that HIPAA prevents the victim from disclosing to law enforcement, because I assume that, once the victim informs the investigator that she knows the assailant's identity, the investigator will ask for the name/address, DOB, etc.  I think that 512(f)(2)allows the victim to respond to the question from law enforcement.   I am recommending the above course of action to assure the victim that she is not violating HIPAA. 


    Scot J. Houska

    Chief Compliance Officer / Privacy Officer

    Direct (970) 644-3030 • Mobile (970) 261-3573



    2351 G Road

    Grand Junction, CO 81505



    Strangers stopping strangers, just to shake their hand – J Garcia/R. Hunter


    NOTICE:  This electronic message and all contents are confidential or otherwise protected from disclosure.  The information is intended to be for the addressee only.  If you are not the addressee, any disclosure, copy, distribution or use of the contents of this message is prohibited.  If you have received this electronic message in error, please notify the sender immediately and destroy the original message and all copies.


    This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, dissemination, copying, printing or other use of this e-mail by persons or entities other than the addressee is prohibited. If you have received this e-mail in error, please contact the sender immediately and delete the material from any computer.
    Protenus May

  • 2.  RE: HIPAA as a Shield for Criminal Acts

    Posted 10-11-2018 10:37 AM
    I do not see any issues with your plan of action. Curious to see what others have to say.

    Dr. Randy Lewis, LMFT, CHPC
    HIPAA Privacy Officer
    Orange County Government
    Orlando, FL

    Protenus May

  • 3.  RE: HIPAA as a Shield for Criminal Acts

    Posted 10-11-2018 11:55 AM
    I'm not a lawyer but I would think that she can disclose the info to the police. What if the assailant was pretending to need treatment in order to intimidate and harass the victim?

    If a medical professional is a victim of a stalker that follows them to their workplace are they not allowed to let the police know? As long as she does not get into why the individual was seeking care and doesn't go through his medical records to obtain more information she should be able to tell the police who he is...

    I would look at this as an imminent risk to her safety and something that she is allowed to disclose since now she knows her assailant can find her any time he wants at work or in the parking lot.

    Caitlyn Tobey CHC, CIPP/US
    Concord, MA

    "Do not go where the path may lead, go instead where there is no path and leave a trail." - Ralph Waldo Emerson

    Protenus May

  • 4.  RE: HIPAA as a Shield for Criminal Acts

    Posted 10-11-2018 12:44 PM
    If intimidation/harassment is a crime in your location, then a crime has been committed on your premises and disclosure of PHI is permitted.  I would say the employee/victim was intimidated, maybe even threatened to the point they felt unsafe.

    David Garrison CHC,CHPC
    Compliance/Privacy Officer

    Protenus May

  • 5.  RE: HIPAA as a Shield for Criminal Acts

    Posted 10-12-2018 05:37 AM
    The uses and disclosures in 164.512 are permissible and subject to your NOP.  I would make sure that there is documentation that the patient has received your NOP or in the alternative that good faith efforts were made to give him a copy before any disclosures are made to law enforcement.

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232

    Our Mission: Improve the health of the communities we serve.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

    Protenus May