Labor & Employment Law Update

In the wake of increased federal enforcement of immigration policies, health care entities need to understand the impact those policies may have on their operations from a personnel and patient perspective.

My colleague wrote separately about the impact on personnel. The interplay between immigration enforcement and patient privacy requirements is an equally important consideration. 

Immigration Enforcement and Privacy Laws

A criminal warrant issued through U.S. Immigration and Customs Enforcement (ICE) will likely be focused on and targeting a specific individual. ICE has authority to deliver a warrant upon an organization for specific records and documents. Such a warrant should be handled no differently than any other type of warrant from a governmental agency (i.e., department of health, police, etc.). Any warrant should be carefully reviewed to identify exactly what the warrant is seeking, determine whether it complies with HIPAA and state privacy laws, and to develop a plan to respond in a compliant manner.

Under HIPAA, a health care provider may only disclose protected health information (PHI) to law enforcement such as ICE under certain limited circumstances. PHI includes an individual’s name, demographic information, and whether the individual is present in a health care facility. PHI may be disclosed to ICE if the individual has signed an authorization allowing the disclosure or, if the individual has not signed such an authorization, if the purpose of the disclosure is for certain limited reasons, including the following:

• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
• To respond to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
  • the information sought is relevant and material to a legitimate law enforcement inquiry;
  • the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  • de-identified information could not reasonably be used.

How Should Health Care Facilities Respond?

If the ICE official making the request for information is not known to the covered entity, the covered entity must verify the identity and authority of such person prior to disclosing the information.

Based upon the foregoing, PHI may be disclosed to ICE without a patient’s authorization as long as the disclosure is pursuant to a court issued subpoena or warrant or an administrative subpoena – it cannot just be based on a request without such documentation. This is no different from how requests from police and sheriffs are handled.

Health care providers need to make sure that employees who are likely to interact with ICE (e.g., front desk staff) understand these requirements as well as any applicable state law requirements. Any providers who have concerns about a request for PHI are advised to consult legal counsel.