Implications of New Federal Immigration Policies for Health Care Facilities, Part 2: Patient Privacy Concerns

This policy shift raises important privacy considerations for health care providers, particularly regarding how immigration status information is handled under the Health Insurance Portability and Accountability Act (HIPAA), which restricts the use and disclosure of “protected health information” (PHI).

Under the DHS directive, officers from US Immigration and Customs Enforcement (ICE), US Customs and Border Protection (CBP), and other DHS agencies may now conduct searches, serve subpoenas, and execute arrests in health care settings. In our prior alert, we discussed steps facilities can take to train staff and prepare for interactions with immigration enforcement officers. In this article, we examine the questions health care providers may confront about their obligations under HIPAA regarding immigration-related information about their patients.

Q: Is an individual’s immigration status PHI under HIPAA?

A: Immigration status, by itself, is not necessarily PHI. However, when immigration status is documented in a medical record alongside other individually identifiable health information — such as a diagnosis, treatment plan, or billing details — it may be PHI and subject to HIPAA protections.

Q: Does HIPAA require a health care provider to record a patient’s immigration status in the patient’s medical record?

A: No. HIPAA does not require providers to collect or document a patient’s immigration status. A provider may choose to document information that is relevant to a patient’s treatment or payment or to the provider’s health care operations, but there is no legal obligation under HIPAA to record immigration status. If a provider does document this information, it may become PHI, which must be handled in accordance with HIPAA.

Q: May a health care provider ask a patient about the patient’s immigration status?

A: Yes, unless applicable state law restricts the collection of such information. However, providers should carefully consider whether a patient’s immigration status is necessary for treatment, payment, or health care operations. Collecting this information unnecessarily might discourage patients from seeking care and could create additional privacy concerns. If a provider collects and documents a patient’s immigration status with individually identifiable health information about the patient, the provider must safeguard the information as PHI.

Q: If a patient requests removal of information about the patient’s immigration status from the patient’s medical record, does HIPAA require a health care provider to grant that request?

A: Not necessarily. Under HIPAA, patients have the right to request an amendment to their medical record if they believe information is inaccurate or incomplete. However, a provider may deny an amendment request if the information is accurate and complete as recorded. Thus, if a provider accurately documents a patient’s immigration status in the patient’s record, the provider is not required to amend the record to remove that information. If the provider denies the patient’s amendment request, the patient may submit a written statement of disagreement, which the provider must include in the record.

Q: If an undocumented patient pays with cash, does that change any HIPAA protections?

A: No. A patient’s method of payment does not affect HIPAA protections. Whether a patient pays with cash, private insurance, Medicaid, or another method, the patient’s individually identifiable health information remains protected under HIPAA. Additionally, under HIPAA’s “right to request restrictions” provision, if a patient pays out-of-pocket in full for a service and requests that the provider not disclose PHI to the patient’s health plan, the provider must comply unless disclosure is required by law.

Q: May a health care provider inform law enforcement if the provider suspects a patient is undocumented?

A: No, in most cases. HIPAA generally prohibits providers from voluntarily disclosing PHI to law enforcement, including immigration enforcement officers. To the extent a patient’s immigration status constitutes PHI, a provider may disclose such PHI to immigration enforcement officers only with the patient’s authorization or if a HIPAA exception permitting the disclosure without authorization applies.

Q: May a health care provider disclose a patient’s information to immigration enforcement officers without the patient’s authorization?

A: Potentially, yes. The HIPAA Privacy Rule permits (but does not require) a covered entity to disclose PHI without patient authorization in certain situations. For example, a provider generally may disclose PHI to a law enforcement official in response to an order, warrant, or subpoena issued by a court or administrative agency. Thus, if immigration enforcement officers present a judicial or administrative warrant or subpoena, a provider may disclose PHI within the scope of such warrant or subpoena. As we explained in our prior alert, providers should consult with legal counsel to determine the authority granted by any documentation presented by law enforcement officers and the appropriate response.

Q: May a health care provider disclose a patient’s information to immigration enforcement officers without an order, warrant, or subpoena from a court or agency?

A: Potentially, yes. Among the various exceptions to the general requirement to obtain patient authorization, the HIPAA Privacy Rule permits disclosure of PHI to a law enforcement official in certain situations without a judicial or administrative order, warrant, or subpoena. For example, providers may disclose limited PHI in response to a law enforcement official’s request for such information to identify or locate a suspect, fugitive, material witness, or missing person. Before responding to any such request, however, a provider should review the request with legal counsel and ensure compliance with its internal policies and procedures.

Q: How should a health care provider handle a situation where immigration enforcement officers request information about a patient who is suspected to be a victim of a crime?

A: If immigration enforcement officers are investigating whether a patient is a victim of a crime (for example, human trafficking or forced labor) and request PHI about the patient, the provider should first determine whether the patient consents to the disclosure of the PHI. If the patient agrees, the provider should limit the disclosure to only the PHI specifically requested. If the patient objects, the provider should not disclose the patient’s PHI unless another HIPAA exception applies.

In emergency situations where a patient suspected to be a victim of a crime is incapacitated or consent cannot be obtained, a provider may disclose the PHI without authorization if:

• The officers confirm that the information is needed to determine whether a violation of law (by someone other than the patient) has occurred and will not be used against the patient. 
• The officers represent that waiting for consent would materially and adversely affect immediate law enforcement activity.
• The disclosure is in the patient’s best interests, as determined by the provider’s professional judgment.

Key Takeaways

DHS’s rescission of its guidelines regarding immigration enforcement actions in or near health care facilities and other “protected areas” may create concerns for patients seeking care. Health care providers should continue to prioritize patient safety and privacy and adhere to HIPAA requirements when interacting with immigration enforcement officers. To prepare for potential encounters with immigration enforcement officers, providers should:

• Review and update policies and procedures regarding law enforcement requests. 
• Train staff on HIPAA and applicable state privacy laws, which may impose greater restrictions on the use and disclosure of patient information than HIPAA.
• Consult legal counsel for guidance on handling such interactions. 
• Provide resources to patients regarding their privacy rights.

If you have questions or require further resources, please contact one of the authors of this alert or your usual ArentFox Schiff attorney.