Former HHS Official: HIPAA Broadly Blocks Sharing Data with Immigration Enforcement
When immigration enforcement and patient privacy collide, health care providers must remember that HIPAA's view of personal health information (PHI) is broad, Davis Wright's Adam Greene told a Health Care Compliance Association event Wednesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
As such, the U.S. Department of Health and Human Services (HHS) considers “the mere fact that someone is a patient” to be PHI, said Greene, who previously served as a regulator in the Office of Civil Rights (OCR) at HHS.
“If immigration enforcement comes knocking,” it’s important for health care facilities to know there are strict disclosure rules around PHI.
For example, enforcement officials “seeing anything in a treatment area that relates to [someone] being a patient” or “even confirming that someone is a patient is potentially PHI,” he noted.
That means “if you throw PHI into a public dumpster, HHS interprets that you're providing access to that information, regardless of whether someone actually goes dumpster-diving and collects the information.”
That said, Greene acknowledged there are no official HIPAA or HHS guidelines about what to do if federal agents enter a facility and insist on accessing treatment rooms.
Unless HIPAA specifically allows it or there is a court order or similar authorization, providers should avoid proactively sharing PHI with law enforcement, including allowing access to non-public areas of health care facilities, Greene argued.
Regardless of what a health care provider decides should police or immigration enforcement appear, Greene recommended having “one point of contact to address these issues” and a “centralize[d]” plan, so that the front-line staff doesn't have to deal with the situation.
It's also notable that HIPAA enforcement can be brought up to six years after the fact, Greene said. So even though “it seems very unlikely” that OCR would bring a HIPAA enforcement action against immigration enforcement, a change in administration in 2028 could open the door for it.
Unlike the above situations, there's HIPAA guidance about media access to health care facilities, which Greene recommended providers view as broader third-party access for now.
For instance, there's no rule that requires a health care provider to prevent media access to facility areas that are accessible to the public. But they can't “invite or allow media personnel and -- arguably third parties more generally -- into treatment or other areas of their facilities where patients' PHI will be accessible in written, electronic, oral or other vision, visual or audio form, or otherwise make PHI accessible to the media without prior authorization from the individual,” he said.
While Greene insisted, “I'm not looking to insert politics here,” he said providers should understand there's a "higher risk" of Democratic state attorneys general "looking to enforce HIPAA against [providers] with respect to immigration enforcement versus other more conservative states.” Overall, compliance professionals must understand "the compliance and legal risks here, and [that] they do differ based on the politics of your state.” He added, “Ultimately, it's a risk-based decision.”