Medical providers are often asked, or feel obligated, to disclose confidential information about patients.  This blog post discusses when disclosures of confidential medical information involve law enforcement, but the general principles discussed herein are instructive in any scenario.  To protect patient confidentiality and avoid costly civil liability arising from improper disclosures, it is imperative that providers ask questions to assess the urgency of any request and to understand for what purpose the information is sought by authorities.  Knowing what questions to ask at the outset prepares providers to make informed decisions about disclosing confidential information in a manner that balances the obligation to maintain patient confidentiality and trust with legitimate law enforcement requests for information aimed at protecting the public.

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally prohibits medical providers from disclosing “protected health information” (PHI) to anyone, including even the police, unless certain conditions are satisfied.  PHI is any information related to a past, present or future physical or mental health condition or treatment of an individual that identifies the individual or can be used to identify the individual.

Properly responding to police requests for confidential PHI depends on the individual facts and circumstances of each request.  To keep things in perspective, it’s important to appreciate that health care providers providing emergency health care in response to a medical emergency are always permitted to disclose any PHI to law enforcement if the disclosure appears necessary to alert law enforcement to the commission, nature or location of a crime or victim, or to the identity, description or location of a perpetrator of such crime.  Absent the foregoing exigent circumstances, when asked to provide confidential information by anyone, including authorities:

  1. Take a breath. This is possibly an important matter or law enforcement wouldn’t have arrived, but it’s probably not something so important that it has to be done in the next two minutes.
  2. Ask questions to understand the nature of the request. Consider referring to this chart to help understand the type of request and what information is sought.  Generally, absent an explicit Court Order or Grand Jury subpoena, a party seeking PHI about another person is obliged to provide context and any request for PHI is reviewable by federal, and most state, courts.
  3. Contact your organization’s compliance and/or legal counsel and discuss what you’ve learned prior to providing any confidential information.

Understanding the basic framework of when PHI can, and should, be disclosed enables practitioners to be both professionally ethical and morally responsible citizens.

For additional information about this issue, including establishing a government investigations response plan, contact the author of this post, Clay Lee, or the Epstein Becker Green attorney who regularly assists you.
