The Protection of Inmates' Medical Records: The Challenge of HIPAA Privacy Regulations
By Wesley D. Bizzell
Privacy is not often discussed in connection with correctional institutions. However, a Federal statute, the Health Insurance Portability and Accountability Act ('HIPAA'), may alter the way some correctional institutions treat inmates' medical records. This article examines the general framework of the HIPAA Privacy Regulations, provides guidance so that correctional institutions can determine if they will be required to comply with HIPAA, and discusses the numerous exceptions to HIPAA that correctional institutions can utilize.
What is HIPAA?
Enacted by Congress in 1996, HIPAA required the promulgation of standards for the privacy of patients' medical information. In creating these standards, the Department of Health and Human Services ('HHS') released several versions of HIPAA regulations. The competing versions of the regulations generated misunderstanding among many correctional officials. The original draft regulations, issued in 1999, specifically provided that inmates' health care information was not protected under HIPAA. However, HHS later revised this aspect of the regulations and stated 'individually identifiable health information about inmates is protected health information under the final rule.' As such, certain correctional institutions will be required to comply with HIPAA by April 14, 2003.
It is important that such correctional institutions comply with HIPAA by the deadline. Inmates may sue a correctional institution for a violation of their rights under HIPAA. While the statute does not expressly provide for a private right of action, it is expected that those injured by a violation of the Privacy Regulations will sue under traditional theories of tort. Failure to institute policies and procedures to ensure compliance also could subject the correctional institution and its officials to federal civil monetary penalties up to $100 per violation and up to $25,000 per year for each type of violation.
Who Must Comply with HIPAA?
In preparing for HIPAA, the correctional institution must first determine if it is required to comply with HIPAA, which may necessitate an internal audit of the health care operations of the institution. HIPAA applies to certain health plans and health care providers. Although HHS specifically excludes correctional institutions from the definition of 'health plans,' such facilities could be health care providers.
HIPAA defines health care providers to include physicians, dentists, pharmacists, hospitals, optometrists, chiropractors, nurses, social workers, physical therapists, psychologists, and other providers of health care services. Thus, an institution's health clinic, its social worker or psychologist, or a county hospital that provides health services to inmates would be defined as a health care provider under the Privacy Regulations. Even if a correctional institution is a health care provider, it may be able to avoid the reaches of HIPAA. Health care providers must comply with HIPAA only if they transmit health information electronically using one of eight standard transactions.
Although a correctional institution is unlikely to engage in many of these eight transactions, the three that could classify a correctional institution as a health care provider are: transmission of encounter information for the purpose of reporting health care; requests for the review of health care in order to secure an authorization for the health care; and payment of health care claims from a private/public health plan. Thus, if the correctional institution electronically transmits such standard transactions or if it has a contract or other agreement with either a public or private health care provider that transmits health care information electronically, it will be required to abide by the HIPAA regulations. It is important to note that a correctional institution cannot escape the reach of HIPAA merely by contracting out its health care services.
Consequently, State and county departments of corrections as well as local jails may be affected by HIPAA if they bill electronically for inmate health care. County departments of corrections may have an agreement with the county hospitals or medical centers to provide inmate health care. If this health care provider electronically bills the department of corrections for its services, it will be required to comply with HIPAA. Additionally, if a correctional institution contracts with a private entity to provide health care services and that entity electronically bills the correctional institution, such activities would be sufficient to require compliance with HIPAA.
What Does HIPAA Require?
Once the correctional institution realizes that it must comply with HIPAA, it must understand the impact of the Privacy Regulations on its health care operations. Generally, HIPAA requires certain health plans and health care providers to develop and implement policies that minimize the use and disclosure of certain health information and limit who has access to such information. These rules apply to any protected health information, such as information that concerns a person's physical or mental health, health care, or payment, that could reasonably be used to identify an individual and that is transmitted or maintained in any form or medium. In most instances where the disclosure of protected health information is permitted, only the minimum necessary amount of information may be used or disclosed.
Although HIPAA may apply to inmates' medical records, the privacy of health information about individuals in pretrial release, probation, or on parole is not protected by HIPAA. However, the statute protects the medical privacy of all other inmates. Once inmates are released from incarceration, they are entitled to the same privacy rights that apply to all other non-incarcerated individuals under the Privacy Regulations. As a result, correctional institutions will be required to treat the individually identifiable health care information of currently incarcerated inmates differently from the individually identifiable health care information of released inmates. However, in creating the Privacy Regulations, HHS understood that correctional institutions could not abide by all of the regulations' provisions while, at the same time, preserving the safety and security of the institution. In recognition of this fact, the Privacy Regulations exempt correctional institutions from compliance with some of the law's provisions.
In order to take advantage of these exceptions, the institution must be a public or private correctional institution, including a halfway house or residential community program center, that confines persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody include 'juvenile offenders adjudicated delinquent, aliens awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.'
While individuals are in a correctional institution, a health care provider, such as the institution's clinic or doctor, can use or disclose an inmate's protected health information to the correctional institution or other law enforcement personnel having custody over the inmate as necessary for: (1) the provision of health care; (2) the health and safety of the inmate or other inmates; (3) the health and safety of correctional institution personnel; (4) the health and safety of those personnel responsible for transporting or transferring of inmates; (5) law enforcement on the correctional institution's premises; and (6) the 'administration and maintenance of the safety, security, and good order' of the institution. These six general exceptions provide a correctional institution with great latitude in using or disclosing an inmate's medical information.
As long as the correctional official warrants the information to be disclosed is necessary for any of the six purposes mentioned above, the institution's health care provider, whether employed by the institution or under contract with the institution, can share information with correctional officials relating to the inmate's health status. For example, the institution's doctor can disclose to correctional officials the nature of injuries to an inmate that has been assaulted by fellow inmates, since that disclosure could assist in the institution's administrative or criminal investigation and may relate to protecting the safety of the inmate. The institution's health care clinic could also notify proper correctional personnel of an inmate's HIV status without violating HIPAA, although state privacy laws may limit the release of this information.
In most situations, patients are permitted to obtain a copy of their medical records, billing records, and any other records used in whole or in part to make medical decisions about them. In contrast, a correctional institution is permitted to deny an inmate's request to obtain a copy of his medical records if access would put at risk the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of any officer, employee, or other person at the correctional institution as well as the safety of any person responsible for transporting the inmate. Again, this exception applies to both correctional institutions and health care providers acting under the direction of correctional institutions.
Although an inmate cannot obtain a copy of his protected health information, he is allowed to inspect his medical records under HIPAA, unless those records are psychotherapy notes, or contain information compiled by the institution for use in a criminal or administrative proceeding. Under this exception, a county hospital or physician under contract with the correctional institution may deny an inmate's request to obtain a copy of his medical information indicating his HIV status, if they fear that other inmates could discover that information and jeopardize the safety of the inmate. However, the institution could not prohibit the inmate from inspecting and reviewing his records, since the records containing the inmate's HIV status were not psychotherapy notes or created for use in a criminal or administrative proceeding.
Finally, an important exclusion from the limitations set forth by HIPAA concerns fugitive inmates. If an inmate has escaped from custody, HIPAA does not restrict the use or disclosure of an inmate's medical information. In such situations, the correctional institution may use or disclose the inmate's personal medical information as long as that use or disclosure is consistent with applicable law and standards of ethical conduct. This provision allows corrections officers and other law enforcement personnel to freely share information about an escaped inmate's medical record if it would be useful in the apprehension of the inmate.
Because the HIPAA Privacy Regulations can be complex and confusing, correctional institutions must consult with their attorneys to determine if their health care activities require compliance with HIPAA and, if so, what policies and procedures they must enact in order to carry out the mandates of these Federal regulations. The exceptions discussed above can be limited in scope, and correctional officials must understand when those exceptions will apply. Correctional institutions that are required to become HIPAA-compliant must do so by April 14, 2003. Failure to initiate the required policies and procedures may create substantial liabilities for the correctional institution in the form of Federal fines or inmate lawsuits.
About the Author
Wesley D. Bizzell is an attorney in the Washington, D.C. office of Winston & Strawn. Prior to joining the firm, Mr. Bizzell worked for two United States Senators handling issues related to the Federal Bureau of Prisons. Mr. Bizzell concentrates his practice in federal legislative and regulatory affairs and government contracts. He may be contacted at firstname.lastname@example.org.