May a health plan disclose protected health information to a state child support enforcement (IV-D) agency in response to a National Medical Support Notice?

Answer:

The Privacy Rule permits a health plan to respond to a request for information by a IV-D agency pursuant to a National Medical Support Notice (NMSN), as described below.

The Privacy Rule at 45 CFR 164.512(f) permits a covered entity to disclose protected health information to a “law enforcement official” for law enforcement purposes in compliance with court orders, grand jury subpoenas, or certain written administrative requests. 45 CFR 164.512(f)(1)(ii). As defined in 45 CFR 164.501, a “law enforcement official” means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law or to prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. An employee of a IV-D agency, including a contract employee, who is empowered by state or federal law to enforce a medical child support order, meets this definition of a law enforcement official.

The NMSN, a nationally uniform form which is sent by the IV-D agency to the employer and health plan for completion, constitutes a written administrative request by a law enforcement official. As such, the Privacy Rule allows a health plan to disclose protected health information in response to the NMSN, provided it includes or is accompanied by written assurances by the law enforcement official that (1) the information sought is material and relevant to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope; and (3) de-identified information cannot reasonably be used. 45 CFR 164.512(f)(1)(ii)(C).

The Privacy Rule requires the covered entity to verify that these three conditions are met, as well as the identity and authority of the public official making the request, unless already known to the covered entity. The covered entity must also limit the disclosures to the minimum necessary for the purpose. To meet these requirements, the covered entity may reasonably rely on the following:

• the NMSN, or a separate written statement that, on its face, demonstrates that the three assurances required for these disclosures have been met. 45 CFR 164.514(h)(2)(i)(A).

• the NMSN is sufficient to verify the identity and legal authority of the public official requesting the protected health information. 45 CFR 164.514(h)(2)(ii) and (iii).

• the NMSN is sufficient as a request from a public official for the minimum information needed to meet the law enforcement purpose of the request. 45 CFR 164.514(d)(3)(iii)(A).

Created 2/25/05