TO:

FROM:
DATE:
RE:

September 29, 2014

HIPAA and inmates/parolees privacy rights

QUESTION PRESENTED: Whether HIPAAs privacy protection applies to inmates/parolees medical

records created while in prison.
SHORT ANSWER: Yes. HIPAA prohibits the unauthorized transfer of ones medical records and
makes few exceptions with regard to medical records created by correctional institutions. Although the
Department of Health Human Services originally excluded inmates from HIPAAs protection, its final
regulation specifically extended HIPAAs privacy protections to them subject to several exceptions
not important for the purpose of this memo. Consequently, HIPAA applies to any correctional
institution as long as it falls within the definition of a HIPAA covered entity, and these institutions
may not transfer an inmates medical records without the inmates authorization, a court order, or a
qualified subpoena. On the other hand, if a correctional institution does not fall within the HIPAA
definition of a covered entity, it is not subject to HIPAA restriction although few, if any, correctional
institutions can escape HIPPAAs broad scope. As discussed in detail below, whether correctional
institutions are HIPAA covered entities depends on a technical and nuanced analysis and federal
regulation interpretation. However, the prevailing view is that HIPAA extends to traditional correctional
institutions barring unique circumstances which may exclude them from HIPAAs definition of a
covered entity.
ANALYSIS:
1. What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the use and
disclosure of individuals health information, protected health information (PHI), by organizations
subject to HIPAA, or covered entities. Thus in order for a transfer of medical information to be
protected by HIPAA, the transfer must be of protected health information and the organization
transferring it must be a covered entity. HIPAA protected health information can only be disclosed
pursuant to the patients authorization, a court order, or a qualified subpoena.
Protected health information is any individually identifiable health information held or
transmitted by a covered entity or its business associate, in any form or media to include electronic,
oral, or paper transmissions. Health information not individually identifiable, such as statistical or
actuarial data, is not subject to HIPAA protection.

A covered entity, as defined by HIPAA, is either (1) a health plan - which includes health
insurance companies, HMOs, Medicare etc.; (2) a health care provider - which includes individual
doctors, psychologists, or chiropractors etc.; or (3) a health care clearinghouse - which includes
companies which process health information for other organizations. These three categories are terms of
art and whether HIPAA applies to an organization depends on whether it falls under any of these three
categories.
In addition to falling in one of these three categories, an organization must also electronically
transmit healthcare related information such as electronic billing or electronic processing of medical
information/records in order to be a covered entity.1
2. Does HIPAA apply to correctional institutions?
HIPAA makes very few specific exceptions for correctional institutions, such as permitting
disclosure in rape cases or when necessary for inmate of officer health and safety. Thus HIPAA applies
to a correctional institution if it falls under one of the three categories (health plans, healthcare
providers, and health care clearinghouses), and if it electronically transmits any healthcare related
information.
Correctional institutions are not health care clearinghouses because it is not their function to
process standard transactions. They are also not health care plans because HIPAA excludes from the
definition of health plan a government-funded program whose principal purpose is something other
than providing or paying for the cost of health care.2 However, clinical staff who work for a correctional
facility meet the definition of health care provider under HIPAA, whether employed directly by the
correctional facility or under contract.3 If a correctional facility contracts for health care services, the
provider of those services will determine independently whether it is a covered entity.
With respect to the second requirement that an organization must electronically transmit
healthcare related information in order to be subject to HIPAA, the regulation is broadly interpreted to
include almost any electronic transfer of healthcare related information. Although a correctional
institution is unlikely to engage in many of the typical electronic transactions, the three that could
classify a correctional institution as a health care provider are: (1) transmission of encounter
information for the purpose of reporting health care; (2) requests for the review of health care in order
to secure an authorization for the health care; and (3) payment of health care claims from a
private/public health plan. Thus if the correctional institution electronically transmits such standard
transactions or if it has a contract or other agreement with a health care provider that transmits health
care information electronically, it will be required to abide by the HIPAA regulations. It is important to
1 Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard
Maintenance Organizations, Final Rule and Notice. August 17, 2000. 65 FR 50312-01.
2 Id.
3 Id.
2

note that a correctional institution cannot avoid HIPAA merely by contracting out its health care
services. If a correctional institution contracts with a private entity to provide health care services and
that entity electronically bills the correctional institution, such activities would be sufficient to require
compliance with HIPAA. State and county departments of corrections, as well as local jails, may be
affected by HIPAA if they bill electronically for inmate health care. County departments of corrections
may have an agreement with the county hospitals or medical centers to provide inmate health care. If
the hospital or medical center electronically bills the department of corrections for its services, it will be
required to comply with HIPAA.
In sum, unless a correctional institution conducts absolutely no electronic transactions with regards
to inmates healthcare to include electronic billing and electronic transfer of medical records of any
kind, HIPAA applies and inmates medical records can only be disclosed pursuant to a court order or a
qualified subpoena.
3. Does HIPAA apply to an inmates medical records when he or she is released?
When individuals are released from correctional facilities, they have the same privacy rights
under HIPAA that apply to all other individuals, and covered entities must apply privacy protections
and restrictions to PHI.4 An individual is no longer an inmate when released on parole, probation,
supervised release, or otherwise is no longer in lawful custody. 5
4. When may/must a covered entity disclose PHI?
A covered entity must disclose protected health information in only two situations: (a) to
individuals (or their personal representatives) specifically when they request access to, or an accounting
of disclosures of, their protected health information; and (b) to Department of Health and Human
Services (HHS) when it is undertaking a compliance investigation or review or enforcement actions.6
A covered entity may disclose protected health information in limited circumstances, such as
pursuant to court orders or qualified subpoenas, as outlined in Federal Regulation 45 CFR 164.512 (e).
This subsection permits, but does not require, covered entities to disclose protected health information
in a court or administrative tribunal and in response to a subpoena if certain assurances regarding notice
to the individual or a protective order are provided:
(e) Standard: Disclosures for judicial and administrative proceedings.
(1) Permitted disclosures. A covered entity may disclose protected health information in
the course of any judicial or administrative proceeding:
4 Standards for Privacy of Individually Identifiable Health Information, Final Rule. December 28, 2000. 65 CFR
82462-01
5 Id.
6 5 C.F.R. 164.502(a)(2)
3

(i) In response to an order of a court or administrative tribunal, provided that the

covered entity discloses only the protected health information expressly
authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful process, that is
not accompanied by an order of a court or administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described in
paragraph (e)(1)(iii) of this section, from the party seeking the
information that reasonable efforts have been made by such party to
ensure that the individual who is the subject of the protected health
information that has been requested has been given notice of the request;
or
(B) The covered entity receives satisfactory assurance, as described in
paragraph (e)(1)(iv) of this section, from the party seeking the
information that reasonable efforts have been made by such party to
secure a qualified protective order that meets the requirements of
paragraph (e)(1)(v) of this section.
CONCLUSION:
HIPAA was designed to prevent unauthorized disclosure of individuals medical information in the
broadest sense possible. Therefore, all entities that systematically provide health care services are
subject to HIPAAs privacy protection rules even if their primary business is unrelated to health care.
Moreover, given HIPAAs broad scope, even organizations that may not be subject to HIPAA often err
on the side of caution and observe HIPAAs restrictions. Thus even in the odd chance of a correctional
institution falling out of HIPAAs covered entity definition, it is likely to observe HIPAAs privacy
regulations anyway. Consequently, in most situations, a correctional institution may not release an
inmates/parolees medical information without his or her consent, a court order, or a qualified subpoena.