HIPAA Blog

[ Friday, January 27, 2006 ]

A Murder Suspect: A university researcher is killed, and his body is found in the trunk of his burning car in a parking garage near a VA hospital. The police have a hard time solving the crime, so they get the FBI to do a "profile" of the possible killer. The police then ask the VA for information on specific patients who the police think may be suspects, which the VA provides. Apparently, that information was just the name and possibly the time the patient would next be at the hospital, since the police sought DNA evidence from a patient. The patient is now complaining that the VA violated HIPAA.

I doubt it. Under the HIPAA privacy regs, 45 CFR 164.512(f), disclosures for law enforcement purposes, a covered entity can disclose PHI "in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect . . . provided that (i) the covered entity may disclose only . . . name and address, date and place of birth, social security number, . . . blood type . . ., type of injury, date and time of treatment, . . . and . . . distinguishing physical characteristice, including height, weight, gender, race, hair and eye color, [etc.] . . . (ii) The covered entity may not disclose for purposes of identification or location . . . any [PHI] related to the individual's DNA. . . ." It seems to me that the VA met its obligations unser 512(f).

Jeff [5:04 PM]

Comments:

I would have to agree with you, this is most likely not a HIPAA violation. It might have been a little more grey area if they were looking for folks at a specific type of clinic, like an AIDS clinic, but at a VA hospital, I can't see how any PHI is disclosed by the simple fact of his being there.

# posted by

Art : 1:05 PM