38 Journal of Regulatory Compliance Vol. I
paper is not the same thing as having an educated workforce that understands,
implements, and/or adheres to the policy. I learned this lesson the hard way;
that is, when a client for whom I had drafted a HIPAA-compliant marketing
policy later revealed that he had not obtained prior written authorization from
patients to whom he was clearly sending marketing communications because
he still could not figure out what was—and was not—a marketing
3. Law Enforcement Disclosures
A third example of a Privacy Rule provision that is too complex to be
operationalized as quickly as it needs to be governs law enforcement requests
for PHI. As discussed in Part II, covered entities may use and disclose PHI
for twelve public benefit activities without obtaining the prior written
authorization of the individuals whose PHI is being used or disclosed. 94 Most
of these public benefit activities contain numerous conditions, requirements,
or criteria that must be satisfied before the Privacy Rule waives prior written
For example, the sixth public benefit exception relates to disclosures of
PHI to law enforcement officers for law enforcement purposes. 95 This
exception identifies six sub-situations when a covered entity is permitted to
disclose PHI to a law enforcement official for a law enforcement purpose
without prior written authorization, with each sub-situation containing
detailed conditions precedent to the disclosure. 96 One of the six sub-situations
involves victims of a crime. 97 This particular provision permits a covered
entity to disclose PHI without prior written authorization, but only if (1) the
recipient is a law enforcement official, defined as an officer or employee of
any agency or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, who is empowered by
law to (A) investigate or conduct an official inquiry into a potential violation
of law; or (B) prosecute or otherwise conduct a criminal, civil, or
administrative proceeding arising from an alleged violation of law; 98 and (2)
a law enforcement official affirmatively requests the information (and the
covered entity is not initiating a voluntary disclosure of PHI to the law
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/ (last visited June
21, 2016) (“The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures
adopted and employed by covered entities and their business associates to meet selected
standards and implementation specifications of the [Privacy Rule and other Administrative
94. See 45 C.F.R. § 164.512(a)-(l) (2016); text accompanying supra note 52.
95. See 45 C.F.R. § 164.512(f) (2016).
96. See id. § 164.512(f)(1)–(6).
97. See id. § 164.512(f)(3).
98. See id. § 164.103 (defining law enforcement official).