Ask PHN: Hippa in Prison

By Jamila Harris
From PHN Issue 54, Fall 2023

Dear PHN,
Could you explain the rules and violations of the HIPAA Act? Is it a violation if the correctional officer stays in the room while we are seeing medical staff and knows my medical information?

– L.W.

Dear L.W.,
When it comes to the rights of incarcerated individuals and the privacy of their medical information, a valid concern always comes to mind. “Do the correctional officers have the right to know your medical information?” A person who is incarcerated has certain legal rights under the Health Insurance Portability and Accountability Act, also known as HIPAA. This act is a federal law passed in 1996 that protects how medical information of individuals—including identifying factors such as address, birthdate, and social security number—is transferred and disclosed to others. Under the law, this identifiable health information is known as “protected health information.”

Under HIPAA, protected health information can be shared between authorized parties for medical care and billing purposes. The authorized parties are primarily the insurance companies and health care providers that provide continuing health treatment to an individual. This law regulates how protected health information will be protected and transported to other authorized agencies and individuals.

Under the law, there are factors that will allow an individual’s protected health information to be disclosed for non-medical purposes and without prior authorization from the patient. These circumstances include when this information is required by law, such as a court order, when it is necessary to warn public health and other appropriate authorities “to prevent or lessen a serious” public health threat, and for law enforcement purposes.

Law enforcement disclosures are permissible in specific circumstances, including incarceration, but even in such circumstances, it must be limited disclosure (as little information as needed disclosed). The HIPAA rules detail these circumstances. When consistent with applicable law and ethical standards, healthcare providers can share your protected health information:

• “To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public” (45 CFR 164.512(j)(1)(i)); or
• “To identify or apprehend an individual who appears to have escaped from lawful custody” (45 CFR 164.512(j)(1)(ii)(B)).

The HIPAA rules further detail additional circumstances regarding when it is permissible to disclose a person in prison’s medical information, including when it is necessary to transfer from one institution to another or any other entity necessary to provide proper continuing medical care, and to protect the health, safety and security of both the patient and all others at the facility (correctional officers included). Courts have generally ruled that correctional officers can be present at medical visits because “safety and security concerns” override privacy rights in the prison context. The following information is cited from the HIPAA regulations:

“To respond to a request for protected health information by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such protected health information is needed to provide healthcare to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility (45 CFR 164.512(k)(5)).”

HIPAA rules cover medical facilities and health care workers (like doctors and nurses) caring for prisoners and how they disclose your protected health information. However, prisons and non-medical staff (like correctional officers) are not always considered “covered entities” under the law, so HIPAA does not necessarily apply to them and how they share your health information if they become privy to it. There are ethical standards for correctional officers about sharing private information. There also may be specific policies at your institution that apply to this.

To summarize, HIPAA protects the privacy of your health information, but there are specific exceptions that apply in prisons and jails. Still, there must always be a justification for your private data being shared by health care providers, like ensuring safety, and the information shared should be kept to the minimum necessary for that purpose.

If you have a concern about your HIPAA rights being violated by a covered entity (health care facility or provider), you can file a complaint with the US Department of Health and Human Services within 180 days of the violation by writing to: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201.