Disclosing PHI for National Security and Intelligence Activities: What a Small Practice Needs to Know (45 CFR § 164.512(k)(2))

Executive Summary

Under limited and specific conditions, HIPAA permits the disclosure of protected health information (PHI) without patient authorization for national security and intelligence purposes. Section 164.512(k)(2) allows such disclosures to authorized federal officials when they are conducting lawful intelligence, counterintelligence, or national security activities. While rare in small practices, understanding this exception is critical for responding properly to government inquiries and avoiding noncompliance. This guide explains what the law allows, how to recognize valid requests, and how to document disclosures legally and safely.

Introduction

National security and medical privacy don’t often intersect in small primary care offices, but when they do, the stakes are high. HIPAA's Privacy Rule generally forbids disclosing PHI without patient authorization, yet in extraordinary circumstances, such as a request by a federal intelligence agency, exceptions exist.

Section 164.512(k)(2) permits a healthcare provider to release PHI to authorized government officials conducting lawful intelligence and national security functions. Though rare, such requests may come from agencies like the FBI, CIA, or NSA. Understanding your obligations and limits is key to protecting both your patients’ privacy and your practice’s legal standing.

This article provides small practices with the knowledge and tools to handle national security PHI requests appropriately under HIPAA.

What § 164.512(k)(2) Permits

This section of HIPAA authorizes disclosures of PHI without patient authorization to:

“Authorized federal officials for the conduct of lawful intelligence, counterintelligence, and other national security activities authorized by the National Security Act.”

Key elements include:

  • Disclosure must be to a federal official authorized by law
  • The activity must be for lawful intelligence or national security purposes
  • No patient authorization or opportunity to object is required
  • The request may include classified or confidential operations

In short, this is one of the few HIPAA pathways that permit releasing PHI without the patient’s knowledge or consent, provided the legal criteria are met.

What Kind of Information Can Be Disclosed?

Any PHI may be disclosed if:

  • The request is lawful
  • The official is authorized
  • The purpose aligns with national security, counterintelligence, or protection of government officials

However, the Minimum Necessary Rule does not apply to disclosures under this exception, which means providers may disclose the full scope of requested information without filtering it.

That said, disclosures should be limited to only what is requested and never volunteered beyond the request.

Recognizing a Valid Request

Most small practices will never receive this type of request. But in the rare event it occurs, you must confirm its legitimacy. Key signs of a valid request include:

  • Comes from a federal agency (e.g., FBI, CIA, DHS)
  • Delivered via official letterhead or secure communication
  • Contains a requestor’s name, title, agency, and purpose
  • Refers specifically to Section 164.512(k)(2) or cites intelligence authority
  • Includes a statement that the request is authorized under the National Security Act or similar legal justification

If any of these elements are missing, the request should be elevated to your privacy officer or legal counsel before acting.

How to Respond to a National Security Request

Step 1: Verify the Identity of the Requestor

  • Ask for government-issued identification
  • Contact the agency’s public liaison or legal office for verification
  • Do not disclose PHI until legitimacy is confirmed

Step 2: Confirm the Legal Basis

Ensure the request clearly states that it is made under lawful authority for intelligence or national security purposes. If unclear, request a clarification or legal citation.

Step 3: Document the Request

HIPAA requires covered entities to maintain a record of PHI disclosures, including those made under exceptions. Record:

  • Date and time of request
  • Requestor’s identity and agency
  • Legal authority cited
  • Specific PHI disclosed
  • Staff member(s) involved

This documentation should be kept in your HIPAA disclosure log and available for audit.

Step 4: Disclose Securely

  • Always transmit PHI through secure, traceable methods such as:
    • Encrypted fax
    • Secure file-sharing portal
    • Hand delivery if authorized
  • Never send PHI via unencrypted email or casual delivery.

Case Study: Mishandling a Security-Related Request

In 2022, a small pain management clinic received a request from a supposed federal officer for records of a patient under investigation for suspected foreign intelligence activity. The request was made via email and lacked agency letterhead or verification.

The clinic staff, wanting to cooperate, emailed over the full medical chart without confirming the legitimacy of the sender. Weeks later, the patient filed a complaint after discovering their PHI had been disclosed without authorization.

OCR investigated and found:

  • No confirmation of the requestor’s identity
  • No documentation of the disclosure
  • Unsecure transmission of PHI via email
  • Failure to invoke or confirm the 164.512(k)(2) exception

The clinic was required to enter into a corrective action plan, including legal counsel review of all non-routine disclosures and retraining on PHI exceptions.

Lesson: Even with government requests, verification and documentation are critical. Disclosing PHI improperly, even with good intentions, can lead to serious HIPAA consequences.

Can You Refuse to Disclose PHI?

Yes, if the request:

  • Lacks proper identification or authority
  • Comes from a non-federal entity
  • Is inconsistent with intelligence or national security purposes
  • Appears fraudulent or improperly formatted

Covered entities are not required to comply with informal or vague requests. When in doubt, seek legal review or contact OCR for guidance.

Other Related National Security Disclosures Under HIPAA

| Disclosure Type | Legal Basis | Requires Authorization? | Notes |
|---|---|---|---|
| Intelligence/national security | § 164.512(k)(2) | No | Must be lawful and from an authorized federal official |
| Protective services for the President | § 164.512(k)(3) | No | Covers Secret Service and others |
| Law enforcement disclosures | § 164.512(f) | No (in specific situations) | Must meet law enforcement criteria |
| Military or veterans affairs | § 164.512(k)(1) | No (with safeguards) | Only if consistent with official duty requirements |

Compliance Checklist for National Security Requests

| Task | Responsible | Frequency |
|---|---|---|
| Train staff to recognize government PHI requests | Privacy Officer | Annual |
| Verify and document identity of federal requestors | Office Manager | Per request |
| Maintain log of all national security disclosures | Compliance Team | Ongoing |
| Limit disclosures to what is requested | Medical Records | Per request |
| Secure all PHI transmissions | IT or Admin | Ongoing |
| Escalate uncertain requests to legal or OCR | Privacy Officer | As needed |

Common Pitfalls in PHI Disclosures

  • Too Much PHI Shared: Don’t release full records unless required.
    Fix: Apply the Minimum Necessary Standard. Share only what’s relevant to the stated purpose.
  • Psychotherapy Notes Disclosed Improperly: These require extra protection.
    Fix: Never release psychotherapy notes without specific authorization or a valid HIPAA exception.
  • Weak Identity Verification: Don’t trust unconfirmed phone calls or vague requests.
    Fix: Verify identity and purpose before any disclosure (e.g., request official ID or do a callback).
  • Poor Documentation: If you don’t log it, it’s a compliance risk.
    Fix: Keep a detailed disclosure log: who, what, when, and why.
  • Unsecure PHI Transmission: Unencrypted email puts data at risk.
    Fix: Use secure methods like encrypted email or secure fax to send PHI.

Final Takeaways

National security and intelligence disclosures under HIPAA are rare but serious. As a small practice, you should be prepared—not paranoid—about how to respond:

  • Know that § 164.512(k)(2) allows you to disclose PHI to authorized federal officials
  • Always verify the identity and authority of the requestor
  • Document every disclosure
  • Only release the PHI requested—no more
  • Transmit records securely and keep them confidential

With the right awareness and safeguards, your practice can cooperate with national security efforts while staying fully compliant with HIPAA’s privacy standards.