Apgar & Associates, LLC

Apgar Blog

Oct 28

HIPAA - Even States Must Comply

I’ve had my disagreements with state and local government regarding interpretations of HIPAA over the years. Sometimes states lose sight of the fact that just because there is a state statute or rule on the books, it does not necessarily mean it trumps HIPAA. What is sometimes not fully understood, or what state and local governments are slow to act on, is that if the HIPAA privacy and security rules are more stringent than state law, HIPAA trumps state law, period.

One of the areas where laws differ among states relates to health information about prisoners in state correctional institutions. Just because a prisoner is in a state facility does not mean they lose their HIPAA privacy rights. If the prison turns out to be a hybrid entity, the health care provider side is a covered entity pursuant to the HIPAA Administrative Simplification Provisions rules as long as the provider (in this case the state correctional facility) sends and receives HIPAA covered transactions directly or indirectly. Following is a good example of a situation where the correctional facility is not acting in accordance with the HIPAA privacy rule (a live example often serves the purpose of illustrating a point).

Question: An advocacy organization’s legal counsel is filing a lawsuit on behalf of a prisoner who has been subject to significant solitary confinement. The prisoner authorized release of records. The correctional facility agreed to release his medical records but not his psychiatric records to the prisoner's legal counsel. The correctional institution contends it's not a HIPAA covered entity. If the prison is providing the medical services, is it still not a covered entity?

Answer: The correctional institution is not a covered entity unless the correctional institution employs health care providers and sends and receives HIPAA covered transactions directly or indirectly. Generally correctional institutions do not directly employ healthcare providers other than, say, more nurse/EMT level care for the correctional institutions’ infirmaries. Even in the case where providers are directly employed by the correctional institution, unless the correctional institution sends and receives HIPAA covered transactions directly or indirectly, the correctional institution is not a covered entity (which is the same for any health care provider who does not send or receive HIPAA covered transactions directly or indirectly).

There is a “gotcha” here, though. Suppose the correctional institution does employ its own health care providers (including psychiatrists, psychologists, etc.) and, say, checks a prisoner’s eligibility to receive Medicare, Medicaid or veteran’s benefits through a web site, with the intent of taking advantage of those health plan benefits to offset the costs to the correctional institution (all of these referenced “plans” are governmental but are specifically defined as covered entity health plans pursuant to HIPAA). In that case the correctional institution (or at least the health care part of the correctional institution) would be a covered entity health care provider pursuant to the HIPAA Administrative Simplification Provisions, because eligibility verification is a HIPAA transaction and HIPAA specifically allows the use of web-based transactions instead of batch transactions (this is called direct data entry, or DDE).

If the correctional institution's medical staff check eligibility via a web site, this would make the correctional institution a hybrid entity – part covered by HIPAA and part not. Even if state laws allow a correctional institution to withhold certain healthcare information, HIPAA would trump because it provides the prisoner, as an individual, greater access to his or her medical information (considered more stringent than state law). All states have differing laws around health care information and prisoners as it relates to the release of medical records. If the prison is found to be a hybrid entity, though, it cannot withhold the mental/behavioral health information relating to the prisoner’s treatment. See 45 CFR 164.512(k)(5)(ii).

My advice would be for counsel representing the prisoner to do some digging and find out whether the correctional institution employs the health care providers or even contracts with health care providers (because this could set up a business associate relationship with a covered entity – that being the correctional institution), and whether any of those providers, or staff who support the providers, access web-based eligibility data and/or send health care claims to Medicare, Medicaid, the VA or CHAMPUS.

If any of the preceding is true, the correctional institution is a hybrid entity and the covered entity side of the entity would be required to adhere to the HIPAA Privacy Rule as it relates to release of a patient’s medical information to, in this case, the prisoner’s attorney. The prisoner has the right to authorize release of all of his or her medical records to a third party and covered entities are required to honor authorizations, again pursuant to the HIPAA privacy rule.
