Q&A: Requests for PHI from law enforcement and attorneys

June 1, 2017

Q: I work at a psychiatric facility. We communicate with various county entities such as county counsel, public defenders, patients' rights, etc., for patients under involuntary holds, conservatorship, or other legal issues. They usually include the patient's name via email as they don't have the patient's medical record number. Our servers are encrypted but these incoming emails are not encrypted.

Are these county entities covered by HIPAA as well? Who is responsible for educating or providing oversight to them?


A: If an attorney is representing another covered entity (CE) and is being paid legal fees by the CE, the attorney is likely a business associate (BA) of the other CE. Public defenders, patient rights advocates, the courts, correctional facilities, and law enforcement are not CEs and they’re not BAs; therefore, these individuals or entities are not required to comply with HIPAA.

If the communication is with the county, the state, or a municipality, it will depend on the duties of the county, state, or municipality. If, say, counsel is representing the county health department of the state’s mental health institutions, they may be working on behalf of the CE arm of the county or state. If this is the case, the CE component would be required to comply with HIPAA. County counsel acting on behalf of the county or the county sheriff’s office would not be a CE or a BA.

In cases where counsel is working on behalf of another CE, it would be the CE’s responsibility to make sure counsel is required to encrypt any protected health information (PHI) sent via email. In cases where the individual or entity you are communicating with is a CE, the CE has the responsibility to police itself and make sure emails with PHI included are encrypted. In cases where the third party is law enforcement, the public defender, or the other categories of third parties mentioned, unfortunately there is no oversight when it comes to making sure emails are encrypted and there’s likely no education provided. 

It is recommended that your facility include disclaimer language when responding about the dangers of sending PHI unencrypted via email to protect your facility and the patient. You also need to make sure PHI is stripped from the response to these third parties if the email is not encrypted.

Here’s an example disclaimer that can be added to emails and could be inserted below the signature block in the email: “Sending Protected Health Information (PHI) by unencrypted email exposes the PHI to two risks. The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list. The email could be captured or intercepted electronically en route. PHI sent to (facility name) should be encrypted to protect the patient’s privacy.”


Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.
