I queried the research attorney at the link Steve so kindly provided and asked about informing law enforcement about illegal activities and the HIPAA conundrum. Here is her response:
This question has come up several times, and I will preface my response by saying that I am not licensed to practice in Indiana, so I can't give you legal advice. You should verify the information I'm giving you with an attorney in Indiana that is familiar with HIPAA law. Having said that, I believe that a physician can release protected health information to law enforcement without violating HIPAA.
45 CFR § 164.512 provides uses and disclosures of protected health information where a patient's authorization or opportunity to agree to the disclosure is not required. 45 CFR § 153.512(a) includes disclosure of protected health information to law enforcement to the extent that such use or disclosure is required by law, which includes by statute or regulation, and which covers the situation in Tennessee where physicians are required by statute to disclose information to law enforcement if they have knowledge that a patient is obtaining controlled substances illegally. 45 CFR § 164.512(f) also provides that disclosure for law enforcement purposes is allowed when required by law, and is not limited to situations where legal process (subpoena, warrant, etc.) is involved.
In situations where there is no statute, regulation, or legal process compelling disclosure of protected health information, 45 CFR § 164.512(f)(5) may provide an avenue by which a physician can disclose health information without fear of being in violation of HIPAA regulations. 45 CFR § 164.512(f)(5) provides that a covered entity, which includes physicians, may disclose information to law enforcement if the entity believes in good faith that the information constitutes evidence of criminal conduct that occurred on the premises of the covered entity. In other words, if you believe that a patient has committed a crime in your office, you may report that information to law enforcement, even if evidence of the crime is contained within the patient's protected health records. In Indiana, pursuant to Ind. Code Ann. § 16-42-19-16, a person may not obtain or attempt to obtain a legend drug by fraud, deceit, misrepresentation, or subterfuge. Thus, if you have knowledge that a patient has been obtaining prescription drugs from you by fraud, deceit, etc., you can report that information to law enforcement as it would constitute criminal conduct that occurred on your premises.
Further, Indiana law under Ind. Code Ann. § 35-48-7-11.1 provides that a physician who in good faith discloses information based on a report from Indiana's prescription monitoring program (INSPECT) to law enforcement is immune from civil and criminal liability for having done so. It is presumed under the statute that a physician who so discloses information has acted in good faith. So, if your knowledge of wrongdoing comes from accessing a patient's prescription monitoring program report, Indiana law provides immunity to you for having done so.