Law Enforcement Access to Protected Health Information – What’s Your Policy?

Understanding and adhering to the HIPAA Privacy Rule is required for covered entities who handle protected health information (PHI), but because the Privacy Rule was designed to be flexible, implementation of policies and procedures to meet the Privacy Rules can vary from covered entity to covered entity. Look no further than the December 12, 2023 letter from the United States Senate Committee on Finance (herein, “The Committee”) for evidence of this variation and how it can seriously impact the privacy of sensitive patient data.

In the December letter drafted to Xavier Becerra, Secretary of the U.S. Department of Health & Human Services, The Committee outlined the results of their oversight inquiry into the seven largest pharmacy chains (CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation), and Amazon Pharmacy. The inquiry focused on obtaining briefings from the major pharmacy chains about their policies and procedures for releasing PHI to law enforcement agencies. Below is a general overview of the findings:

Become an audit assistance member today to continue reading this article. As a member, you’ll have access to hundreds of articles and receive our monthly proactive newsletter!

  • Five pharmacy corporations had policies that would require a law enforcement agency’s demand for PHI to be reviewed by legal professionals before responding
  • The remaining three pharmacy corporations had policies that put “extreme pressure” on the pharmacy staff to respond to the inquiries immediately and stated their pharmacy staff “are trained to respond to such requests and can contact the legal department if they have questions
  • None of the pharmacy corporations required warrants to share information with law enforcement agencies, unless required by state law
  • Pharmacies would turn over PHI to a law enforcement agency when presented with a subpoena (“which often do not have to be reviewed or signed by a judge prior to being issued”)
  • Only CVS Health published annual transparency reports on the records requests from law enforcement
  • Patients already have the right to know who is accessing their health information through the HIPAA Accounting of Disclosure process, but the obligation is on the patient or their authorized representative to request the appropriate information from the covered entity; since this patient right is not well known in the general patient population it leads to a very small number of disclosure requests annually

The Committee urged the Secretary to strengthen HIPAA Privacy regulations to better protect PHI, and referenced a 2010 decision from the Federal Court of Appeals which protected the privacy of emails and would require a warrant before providers such as Google, Yahoo, and Microsoft could release customer data.

What does this mean for independent pharmacies? As stated in The Committee’s letter, “These findings underscore that not only are there real differences in how pharmacies approach patient privacy at the pharmacy counter, but these differences are not visible to the American people.” Also, “Proactively notifying customers about any patient record disclosures to law enforcement that impact their medical records, except where prohibited by a non-disclosure or “gag” order issued by a judge, would be a major step forward in patient transparency.”

PAAS Tips:

  • PAAS Fraud, Waste, and Abuse and HIPAA Compliance members can refer to section for more information about disclosures related to the law and public health activities
    • Utilize the Accounting of Disclosures Report form in Appendix B to document disclosures required by law or otherwise permitted without the patient’s authorization (not related to permitted disclosures for treatment, payment, or other healthcare operations)
  • Ensure your pharmacy has a written policy and procedure detailing the actions to take if presented with a demand for PHI from a law enforcement agency
  • All documentation related to HIPAA practices must be maintained for a minimum of six years after the last effective date

Sara Hathaway, PharmD