I'm currently assigned to a case and I work in the lovely 9th Circuit.
Was wondering if there are any law enforcement on here that have any experience with searching a doctor's computer and ran into any HIPAA violations or can offer any wording for searching the computer without interfering with HIPAA protocol?
Thanks
I worked a case fairly recently where an employee at a data backup company had downloaded CP. The backup company's server had files from attorneys' offices as well as doctors' offices and patient records. I had the same concerns as you when conducting the search. A search warrant was obtained and EVERYTHING was previewed. There were 2 Terabyte Buffalo servers running. I never came into any issues regarding the search. My understanding is that the criminal investigation/search warrant trumps any civil HIPAA laws. But keep in mind that ANY information reviewed must be kept in confidence and secured accordingly. Of course, an attorney can petition the court for immediate return of the data, but if the data contains CP they won't have a chance. You may have to copy all non-relevant data and return it to the business for their operations. As long as everything is explained in full detail throughout the search warrant and the issues of HIPAA (or any other), you should be fine. The judge may require you to just image relevant areas of the file structure or certain user accounts. Let your prosecutor review it to make sure. Good luck!
You really need to check and see if you need a "Special Master". In California, it is a MUST! Check with your local ADA or AUSA. HIPAA is the least of your concerns with a doc office SW. Boggs is right about the HIPAA vs SW. The special master will determine what is necessary to search and seize. They won't compromise the Dr.-patient privilege. Good luck.
Basically, what Datacop is saying is that you need to ask if you need a non-involved third party to review and extract only the material within the SW (or whatever legal auth you have for the search) and provide only that info to the investigators.
Sometimes that third party is the forensic examiner, sometimes it is another investigator who reviews the output data.
Hope these help.
Just to clarify, the HIPAA privacy regulations are intended to cover the communication of Protected Health Information (PHI), either intentional or unintentional, not the possession of it.
Therefore, the question of what you can and cannot do boils down to the issue of the capacity in which you are operating. As a private firm with a background in health care, we are frequently called in for HIPAA investigations or investigations involving Covered Entities and our actions are covered under what is known as a Confidentiality and Business Associates Agreement, which requires us to return or destroy, without copying, any PHI which we discover as part of an investigation except as such retention is required to perform services under the agreement.
For LE, it should be remembered that HIPAA is considered to be minimal protection of PHI and state law can be more stringent but, in general, a Covered Entity can be required to turn over PHI by:
* a court order
* a warrant authorized by the appropriate court
* a subpoena issued by the appropriate court
* a grand jury subpoena
* an administrative subpoena issued by an appropriate agency
Note that, strictly speaking, the doctor-patient privilege is not the same thing as PHI. The doctor-patient privilege protects the patient and physician against the use of their communications in court and is not recognized by the Federal Rules of Evidence. It is state specific and does NOT apply to all PHI nor does it apply to all communications.
So, as the other posters noted, check your state regs to see if these are more stringent than HIPAA.
Great responses. Thank you very much.