HIPAA Checklist: What You Can Disclose to Law Enforcement, With Examples
Permitted Disclosures to Law Enforcement
HIPAA allows certain disclosures of Protected Health Information (PHI) to law enforcement without a patient’s authorization. Use this HIPAA checklist to determine what you can share, apply the Minimum Necessary Standard, and document why you disclosed.
Quick checklist
- Verify the requestor’s identity and authority (Verification of Identity).
- Confirm the legal basis: required by law, valid Legal Process, or a specific HIPAA permission below.
- Limit to the Minimum Necessary Standard—disclose only what is needed for the stated purpose.
- Exclude specially protected data (for example, Psychotherapy Notes and Substance Use Disorder Records) unless an exception applies.
- Complete Documentation of Disclosures promptly.
Common lawful bases
- Required by law (for example, mandatory reports of certain injuries).
- Legal Process (court order, warrant, subpoena or administrative request that meets HIPAA conditions).
- Specific HIPAA permissions (identification/location of a suspect, victim disclosures, crime on premises, emergencies, decedent matters).
What is typically excluded
- Psychotherapy Notes (separate from the medical record) absent patient authorization or a qualifying court order.
- Substance Use Disorder Records from a Part 2 program, except with patient consent or a specific court order, subject to narrow emergencies.
- Entire charts when only limited data are requested or needed.
Examples
- A detective presents a court order for records related to a specific date and injury. You provide only the records named in the order and document the disclosure.
- An officer asks whether a patient with a gunshot wound was treated at 10 p.m. You may confirm the type of injury and date/time of treatment if the request fits an identification/location or mandatory-reporting basis, and you limit details.
Identification or Location of Suspects
You may disclose limited PHI to identify or locate a suspect, fugitive, material witness, or missing person. Share only the specific elements permitted and nothing more.
Information you may disclose
- Name and address.
- Date and place of birth.
- Social Security number.
- ABO blood type and Rh factor.
- Type of injury.
- Date and time of treatment or death.
- Description of distinguishing physical characteristics (for example, height, weight, gender, race, scars, tattoos).
Information you must not disclose under this permission
- DNA, DNA analysis, dental records, or body fluid/tissue analysis or samples.
- Complete medical records or detailed clinical notes beyond the limited items above.
Examples
- Officers request limited data to confirm whether an individual with a stab wound was treated around 1 a.m. You may disclose the type of injury and the date/time of treatment, but not diagnostic imaging, progress notes, or lab results.
- Police seek distinguishing characteristics to help locate a missing person. You may share a description such as “6′2″, scar over left eyebrow, dragon tattoo on right forearm.”
Crime Victims Information
You may disclose PHI about a suspected victim of a crime if the individual agrees. If the individual cannot agree due to incapacity or emergency, you may disclose if law enforcement represents that the information is needed to determine whether a crime occurred, the disclosure is not intended to be used against the victim, and the immediate law enforcement activity would be materially affected without it.
Practical guardrails
- Obtain the victim’s agreement when possible; otherwise, ensure the request meets the emergency/incapacity criteria.
- Do not disclose if the request comes from the person suspected of committing the crime.
- Apply the Minimum Necessary Standard to limit details.
Examples
- A patient assaulted in a park consents to share treatment details with detectives. You disclose a summary of injuries and treatment pertinent to the investigation.
- An unconscious patient appears to be a hit-and-run victim. Law enforcement provides the required assurances; you disclose limited facts (nature of injuries, estimated time) to help determine whether a crime occurred.
Disclosures Regarding Decedents
You may disclose PHI to coroners, medical examiners, and funeral directors as needed to identify a decedent, determine cause of death, or carry out their duties. You may also alert law enforcement if you suspect a death resulted from criminal conduct.
Key points
- Decedent PHI remains protected for 50 years after death; limit details to what the recipient needs.
- If law enforcement requests PHI about a decedent, confirm the basis (for example, suspected criminal death or valid Legal Process) and disclose only necessary information.
Examples
- A medical examiner requests records to determine cause of death. You provide the requested subset relevant to the determination.
- You suspect a death resulted from poisoning. You notify law enforcement with facts supporting the suspicion and document the disclosure.
Crime on Premises Reporting
You may disclose to law enforcement PHI that you in good faith believe constitutes evidence of a crime that occurred on your premises.
Scope and limits
- Share only the PHI that is evidence of the on-premises crime.
- If the incident involves workforce members or patients (for example, assault on a nurse, theft of controlled substances), limit disclosures to the facts and records that evidence the event.
Examples
- Security footage and sign-in logs show a theft in the pharmacy. You provide the clips and log entries that document the crime, not unrelated patient records.
- A patient assaults another patient in the waiting room. You disclose incident reports and relevant treatment timestamps supporting the investigation.
Emergency Disclosures to Law Enforcement
In emergencies, you may disclose PHI to avert a serious and imminent threat to health or safety or to report a suspected crime related to a medical emergency off premises.
Serious and imminent threats
- If, in good faith, you believe disclosure is necessary to prevent or lessen a serious and imminent threat, you may share PHI with law enforcement or others able to reduce the threat.
- Disclose only what is necessary to mitigate the threat.
Medical emergencies off premises
- When treating an emergency apparently resulting from a crime off premises, you may disclose limited PHI to alert law enforcement to the nature of the crime, location, and the perpetrator’s identity/description.
State-mandated reports
- Some injuries (for example, gunshot wounds, certain burns) must be reported to law enforcement under state law. Where disclosure is required by law, HIPAA permits it; disclose only what the statute requires.
Examples
- A patient states they plan to return to the clinic with a weapon. You warn law enforcement and share limited PHI necessary to prevent harm.
- An intoxicated driver flees after causing an off-site crash. You alert police with the vehicle description and the nature of injuries observed.
Compliance with HIPAA and State Laws
HIPAA sets a federal baseline; more protective state laws (for example, mental health, HIV, reproductive care) and special federal rules may further limit disclosure. Build your workflow to satisfy both HIPAA and applicable state requirements.
Verification of Identity
- Reasonably verify the requestor’s identity and authority (badge/ID, official letterhead, call-back to a published agency number, or delivery through known channels).
- Keep copies of credentials and the written request when feasible.
Minimum Necessary Standard
- Narrow the request to specific dates, encounters, or data elements.
- Provide summaries when details are unnecessary; exclude unrelated diagnoses, medications, and notes.
Documentation of Disclosures
- Record the date, recipient, legal basis, a brief description of PHI disclosed, and the purpose (or attach the request).
- Honor any lawful request to delay notifying the individual if it would impede an investigation; retain the delay notice.
- Maintain logs so individuals can obtain an accounting of disclosures when required.
Legal Process
- Court orders and warrants: disclose exactly what the order authorizes.
- Subpoenas or administrative requests: ensure they are specific, relevant, and limited; confirm that notice to the individual or a protective order requirement is satisfied where applicable.
- Escalate unclear or overbroad requests to your privacy office or counsel.
Psychotherapy Notes
- Do not disclose Psychotherapy Notes without patient authorization or a qualifying court order that specifically addresses them.
- Keep these notes segregated to avoid inadvertent disclosure.
Substance Use Disorder Records
- Substance Use Disorder Records from Part 2 programs generally require written patient consent or a specific court order; narrow emergency exceptions may apply.
- If SUD information is present, treat it with heightened protection even within a general medical record, consistent with applicable rules.
Conclusion
When law enforcement requests PHI, anchor your response in this HIPAA checklist: verify identity and authority, confirm the legal basis, apply the Minimum Necessary Standard, honor heightened protections for Psychotherapy Notes and Substance Use Disorder Records, and complete Documentation of Disclosures. This approach helps you support public safety while maintaining patient privacy.
FAQs
What types of PHI can be shared with law enforcement without violating HIPAA?
HIPAA permits limited disclosures without authorization when a valid basis exists—such as required-by-law reports, valid Legal Process, or specific permissions (identifying or locating a suspect, victim disclosures, crime on premises, emergencies, decedent-related matters). Even then, apply the Minimum Necessary Standard and exclude specially protected categories unless an exception applies.
When is victim consent required for disclosure?
Obtain the victim’s agreement whenever feasible. If the victim cannot agree due to incapacity or emergency, you may disclose limited PHI if law enforcement represents that the information is needed to determine whether a crime occurred, that it is not intended to be used against the victim, and that immediate activity depends on the disclosure.
How should covered entities document disclosures to law enforcement?
Log the date, recipient, legal basis (for example, required by law, court order), a brief description of the PHI disclosed, and the purpose or a copy of the request. Keep any verification materials and note if law enforcement requested a delay in notifying the individual.
What additional protections apply to substance use disorder records?
Substance Use Disorder Records from programs subject to special federal rules usually require patient consent or a specific court order for disclosure. Emergencies allow narrowly tailored disclosures. Apply heightened safeguards and disclose only what is necessary for the permitted purpose.