HIPAA Compliance and Law Enforcement

By Kate Willet
Freelance Writer

Earlier this year, a Utah nurse, Alex Wubbels, was arrested for refusing to allow a law enforcement officer to draw blood from an unconscious patient.  State and federal laws prohibited her from allowing a law enforcement officer to draw blood without a warrant or patient consent, but the officer proceeded to handcuff her for refusing to honor his request.

Alex Wubbels was correct about the patient privacy laws she cited to protect her patient, and has since reached a $500,000 settlement with Salt Lake City and the Utah University hospital where she was employed.  The Salt Lake City police department fired the arresting officer.

Medical professionals may find themselves in stressful standoffs with law enforcement officers who want access to patient data that it may, in fact, be illegal for health care professionals to provide.  It’s important for healthcare professionals to have a complete understanding of the laws that protect patient information under the Health Insurance Portability and Accountability Act (HIPAA) and how they apply to law enforcement.

Here’s a quick summary of the laws, but as always, it’s best to review them with your Compliance Officer. A HIPAA covered entity may disclose protected health information (PHI):

  • with the individual’s signed authorization
  • if it reasonably prevents a serious or imminent threat to the safety of the individual or the public
  • if the health care provider reasonably believes it is evidence of a crime that occurred on the premises of the covered entity
  • if it is alerting law enforcement of death and there is reason to believe the death occurred from criminal conduct
  • when responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity
  • when required by law to do so (such as in the case of gunshots or stab wounds)
  • to comply with a court-ordered warrant or subpoena
  • to respond for the purposes of locating a suspect (must be limited to basic demographic and health information)
  • when the victim of a crime requests their information be shared with law enforcement
  • if the victim is a child and the health care provider suspects child abuse

A more detailed description of the laws can be found here.

Kate Willett is a freelance writer located in Los Angeles, CA.  She writes about health, politics, and comedy.  She is a graduate of the University of California, Berkeley.


  1. Remember that other laws more restrictive than HIPAA may apply. Examples are 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) and state confidentiality laws.

  2. This article seems a bit misleading – the Utah police example could be an implied consent issue related to a traffic accident, but the circumstances are unclear as to whether the officer had reasonable suspicion to suspect a crime that would warrant the request. He was fired because of the way he handled the arrest, not because of some patient privacy violation. It is equally unclear what the hospital’s policies were that prevented the nurse from cooperating with law enforcement. In short, it seems hot heads and unclear policies led to this problem, but very little of it invokes HIPAA or PHI issues.


Please enter your comment!
Please enter your name here