By Talia Linneman, JD, and Ronald Hedges, JD
It’s important to understand how DNA tests and other genetic information are currently treated in the context of law enforcement, and the circumstances under which healthcare providers, payers, and clearinghouses may respond to a court order or request from law enforcement for such information and remain in compliance with the privacy protections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Also key is grasping how differently DNA test information is treated when it is outside the reach of HIPAA.
Law Enforcement Access to DNA Test Information
The ability of law enforcement to obtain DNA test information is driven by context. A person’s DNA may be collected, analyzed, and kept on file by law enforcement as long as the person has been lawfully arrested. For an arrest to be lawful, there must be probable cause, meaning that the arresting officer must have a reasonable basis to conclude that the person has committed a crime. If a person has not been arrested, but her DNA information has been collected by one of her healthcare providers (such as a primary care physician, diagnostic clinical laboratory, or hospital), that provider may furnish that information to law enforcement only under limited circumstances, with a more formal process.
When DNA testing became widely available to police, courts had to decide whether a law enforcement officer could require an individual to provide a DNA sample shortly after an arrest, without a warrant. The Supreme Court decided that, yes, this is permissible, in a 2013 case called Maryland v. King (King):
“When officers make an arrest supported by probable cause to hold for a serious offense and they bring the suspect to the station to be detained in custody, taking and analyzing a cheek swab of the arrestee’s DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment.”
To be clear, King merely decided that the Fourth Amendment permitted the government to collect DNA from arrestees without much formal process of law—unless a state makes such a law with more requirements. The ruling did not REQUIRE police to collect DNA from arrestees, nor did it preclude the government from prohibiting the collection of DNA from arrestees. In short, federal and state governments remain free to enact laws that aim to strike a balance between the privacy interests of individuals and the public safety interests of communities as long as such laws do not infringe on Constitutional rights, including the right to be free from unreasonable searches and seizures.
HIPAA and Law Enforcement Requests
HIPAA attempts to balance the public’s interests in privacy against access to information differently, in a different context.
HIPAA governs the use and disclosure of protected health information (PHI) by covered entities and their business associates. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a HIPAA-covered transaction. “Business associates” include persons or entities that create, receive, maintain or transmit protected health information for or on behalf of a covered entity. PHI generally includes individually identifiable health information that is transmitted by or maintained in electronic media or any other form or medium. Health information specifically includes genetic information.1 Genetic information and genetic test are defined to include, among other things, “an analysis of human DNA, RNA, [etc.] … if the analysis detects genotypes, mutations, or chromosomal changes,” but excludes certain tests of proteins or metabolites that are “directly related to a manifested disease, disorder, or pathological condition.”2 If genetic information is paired with a name or any other identifying information, it is considered PHI, and is subject to HIPAA protections, as further described below.3
HIPAA prohibits a covered entity (or a business associate acting on the covered entity’s behalf) from using or disclosing PHI unless (i) the individual that is the subject of the disclosure has provided a HIPAA-compliant authorization or (ii) the use or disclosure is otherwise permitted or required under HIPAA.
HIPAA permits covered entities (or business associates acting on their behalf) to make certain disclosures of PHI for law enforcement purposes, but there are significant constraints.4 For example, a covered entity may provide certain types of PHI to law enforcement “for purposes of identifying or locating a suspect, fugitive, material witness or missing person.”5 Only a few types of information may be disclosed under this provision, and information related to DNA is not on the list. The types of information that can be disclosed pursuant to this type of request include: name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics.6
However, DNA-related information may be disclosed through a more formal process. The Department of Health and Human Services’ Office for Civil Rights (OCR) explained in an FAQ (as well as in HIPAA regulations) that other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under the HIPAA Privacy Rule provisions governing disclosures to law enforcement for this purpose, but may be disclosed in response to a court order, warrant, or written administrative request.7
In other words, with a more formal process—specifically, a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, a grand jury subpoena, or an administrative request—genetic information may be disclosed, as may other types of PHI.8
An administrative request is further described in the regulations as including:
- An administrative subpoena or summons
- A civil or an authorized investigative demand, or
- A similar process authorized under law9
The administrative request is sufficient only when all of the following apply:
- The information sought is relevant and material to a legitimate law enforcement inquiry
- The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
- De-identified information could not reasonably be used10
HIPAA also permits certain other disclosures of PHI related to law enforcement purposes (e.g., to a law enforcement official in response to a request for information about an individual who is or is suspected to be a victim of a crime), subject to separate requirements.11
Changes to DNA Privacy Outside of HIPAA
Complicating matters, while states generally are permitted to provide individuals with privacy protections that are more stringent than those set forth in HIPAA, in some contexts (e.g., immigration) federal law may pre-empt state law. For example, when an individual is detained at the border, and that individual is neither a US citizen nor lawfully admitted for permanent US residence—in other words, the individual is not a “United States person”—the federal government may obtain a DNA sample from the individual and keep it in a database that is searchable by law enforcement.12
Currently, this is not done uniformly. But under a proposed rule, the practice would become more widespread. If the rule is finalized, then any exceptions to collecting DNA will require higher-level approval from the attorney general. In contrast, the Secretary of Homeland Security currently can (and does) determine that certain testing is not a worthwhile use of the department’s resources. This is a more limited testing policy due to resource limitations.13 In support of the proposed rule, the Department of Justice notes the reference in King to “the need for law enforcement officers in a safe and accurate way to process and identify the persons … they must take into custody.”
Whether the proposed rule or HIPAA strikes the right balance between privacy and access to information is ultimately a political question. In other words, in a democracy, the laws hopefully reflect our shared values, and laws can balance competing interests in more than one way, as long as the result is acceptable under the Constitution. Should a non-US person detained at the border be treated more like an arrestee (and, as such, governed by the logic in King) or more like an individual who happens to have health records (and, as such, governed by the logic of HIPAA)? Either way—that is, whether the proposed rule does or doesn’t strike the right balance between privacy and security—the question highlights how complicated US privacy laws have become, and how critical it is to identify the context and jurisdiction when responding to requests for health information.
1. 45 C.F.R. § 160.103 (definition of “health information”)
2. 45 C.F.R. § 160.103 (definitions of “genetic information” and “genetic test”)
3. 45 C.F.R. § 164.514(b)
4. 45 C.F.R. § 164.512(f)
5. 45 C.F.R. § 164.512(f)(2)
6. 45 C.F.R. § 164.512(f)(2)(i)
7. 45 C.F.R. § 164.512(f)(1)
8. 45 C.F.R. § 164.512(f)(1)
9. 45 C.F.R. § 164.512(f)(1)(ii)(C)
10. 45 C.F.R. § 164.512(f)(1)(ii)(C)(1)-(3)
11. See 45 C.F.R. § 164.512(f)(3)-(6)
12. 84 Fed. Reg. 56397, 56398 (Oct. 22, 2019)
13. Id. at 56399
Talia Linneman (firstname.lastname@example.org) is an associate at Dentons and is a member of the healthcare practice group’s Washington, DC, office. Ronald Hedges (email@example.com) is senior counsel at Dentons and is a member of the litigation and dispute resolution practice group’s New York office.