Professional Documents
Culture Documents
FROM:
DATE:
RE:
A covered entity, as defined by HIPAA, is either (1) a health plan - which includes health
insurance companies, HMOs, Medicare etc.; (2) a health care provider - which includes individual
doctors, psychologists, or chiropractors etc.; or (3) a health care clearinghouse - which includes
companies which process health information for other organizations. These three categories are terms of
art and whether HIPAA applies to an organization depends on whether it falls under any of these three
categories.
In addition to falling in one of these three categories, an organization must also electronically
transmit healthcare related information such as electronic billing or electronic processing of medical
information/records in order to be a covered entity.1
2. Does HIPAA apply to correctional institutions?
HIPAA makes very few specific exceptions for correctional institutions, such as permitting
disclosure in rape cases or when necessary for inmate of officer health and safety. Thus HIPAA applies
to a correctional institution if it falls under one of the three categories (health plans, healthcare
providers, and health care clearinghouses), and if it electronically transmits any healthcare related
information.
Correctional institutions are not health care clearinghouses because it is not their function to
process standard transactions. They are also not health care plans because HIPAA excludes from the
definition of health plan a government-funded program whose principal purpose is something other
than providing or paying for the cost of health care.2 However, clinical staff who work for a correctional
facility meet the definition of health care provider under HIPAA, whether employed directly by the
correctional facility or under contract.3 If a correctional facility contracts for health care services, the
provider of those services will determine independently whether it is a covered entity.
With respect to the second requirement that an organization must electronically transmit
healthcare related information in order to be subject to HIPAA, the regulation is broadly interpreted to
include almost any electronic transfer of healthcare related information. Although a correctional
institution is unlikely to engage in many of the typical electronic transactions, the three that could
classify a correctional institution as a health care provider are: (1) transmission of encounter
information for the purpose of reporting health care; (2) requests for the review of health care in order
to secure an authorization for the health care; and (3) payment of health care claims from a
private/public health plan. Thus if the correctional institution electronically transmits such standard
transactions or if it has a contract or other agreement with a health care provider that transmits health
care information electronically, it will be required to abide by the HIPAA regulations. It is important to
1 Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard
Maintenance Organizations, Final Rule and Notice. August 17, 2000. 65 FR 50312-01.
2 Id.
3 Id.
2
note that a correctional institution cannot avoid HIPAA merely by contracting out its health care
services. If a correctional institution contracts with a private entity to provide health care services and
that entity electronically bills the correctional institution, such activities would be sufficient to require
compliance with HIPAA. State and county departments of corrections, as well as local jails, may be
affected by HIPAA if they bill electronically for inmate health care. County departments of corrections
may have an agreement with the county hospitals or medical centers to provide inmate health care. If
the hospital or medical center electronically bills the department of corrections for its services, it will be
required to comply with HIPAA.
In sum, unless a correctional institution conducts absolutely no electronic transactions with regards
to inmates healthcare to include electronic billing and electronic transfer of medical records of any
kind, HIPAA applies and inmates medical records can only be disclosed pursuant to a court order or a
qualified subpoena.
3. Does HIPAA apply to an inmates medical records when he or she is released?
When individuals are released from correctional facilities, they have the same privacy rights
under HIPAA that apply to all other individuals, and covered entities must apply privacy protections
and restrictions to PHI.4 An individual is no longer an inmate when released on parole, probation,
supervised release, or otherwise is no longer in lawful custody. 5
4. When may/must a covered entity disclose PHI?
A covered entity must disclose protected health information in only two situations: (a) to
individuals (or their personal representatives) specifically when they request access to, or an accounting
of disclosures of, their protected health information; and (b) to Department of Health and Human
Services (HHS) when it is undertaking a compliance investigation or review or enforcement actions.6
A covered entity may disclose protected health information in limited circumstances, such as
pursuant to court orders or qualified subpoenas, as outlined in Federal Regulation 45 CFR 164.512 (e).
This subsection permits, but does not require, covered entities to disclose protected health information
in a court or administrative tribunal and in response to a subpoena if certain assurances regarding notice
to the individual or a protective order are provided:
(e) Standard: Disclosures for judicial and administrative proceedings.
(1) Permitted disclosures. A covered entity may disclose protected health information in
the course of any judicial or administrative proceeding:
4 Standards for Privacy of Individually Identifiable Health Information, Final Rule. December 28, 2000. 65 CFR
82462-01
5 Id.
6 5 C.F.R. 164.502(a)(2)
3