May a covered entity collect, use, and disclose criminal justice data under HIPAA?

1. Does HIPAA permit health care providers who are HIPAA covered entities to collect criminal justice data, such as data on arrests, jail days, and utilization of 911 services, and link the criminal justice data to their health data, for purposes of improving treatment and care coordination?

HIPAA does not limit the types of data that providers may seek or obtain about individual patients for treatment purposes. Treatment includes “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”  45 CFR 164.501.  Other standards, such as professional ethics rules or state law, may address the scope of health care providers’ independent investigations and data collection pertaining to patients.  Once a HIPAA covered provider obtains criminal justice data about an individual for treatment purposes, or otherwise combines the data with its PHI, the data held by the HIPAA covered entity is considered protected health information (PHI) and the HIPAA Rules would apply to protect the data. 

2. Is criminal justice data protected health information (PHI) under HIPAA?

In some circumstances, yes.  To the extent that criminal justice data is maintained by a HIPAA covered entity or its business associate and relates to the past, present, or future physical or mental health or condition of an individual or the provision of or payment for health care to an individual, it is PHI.  For example, when a covered health care provider receives criminal justice data, either directly from the individual or from another source, in order to help inform the treatment and services that the provider will provide to that individual, or otherwise links the criminal justice data with its patient information, it is PHI. 

3. Does HIPAA permit health care providers to disclose PHI that includes criminal justice data on individuals to other treating providers without obtaining an authorization from the individuals?

Yes, HIPAA permits a covered health care provider to disclose PHI for treatment purposes to other providers without having to first obtain an authorization from the individuals.  This may include the disclosure of PHI for purposes of coordinating an individual’s care with other treatment facilities or emergency medical technicians (EMTs).    

4. Does HIPAA permit multiple health care providers who are seeking to collect individuals’ criminal justice data and link it to the individuals’ health data to engage the services of or work with a third-party to do this on their behalf?

Yes. Multiple covered health care providers can contract with a third party to perform data aggregation and linkage services on their behalf, as long as the providers enter into a HIPAA-compliant business associate agreement (BAA) with the third party, and so long as the aggregation is for purposes permitted under HIPAA. (Such third parties are considered to be “business associates” (BAs) under HIPAA and have direct compliance obligations with certain aspects of the HIPAA Rules.) In these cases, the participating providers may enter into one, common business associate agreement with the third party.

The BAA then governs the subsequent uses and disclosures that the BA may make with the data. For example, the BA may be authorized by its BAA to share the PHI on behalf of the participating providers with each other or other providers for treatment purposes, including care coordination, or, subject to certain conditions, for health care operations purposes. For more information on exchanging PHI for treatment or health care operations purposes, please see:

Permitted Uses and Disclosures: Exchange for Treatment

www.healthit.gov/sites/default/files/exchange_treatment.pdf

Permitted Uses and Disclosures: Exchange for Health Care Operations

https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf

5. Does HIPAA permit a health care provider to share the PHI of an individual that may include criminal justice data with a law enforcement official who has the individual in custody and is looking to ensure the individual is seen by the proper treatment facility?

A covered entity is permitted to disclose PHI in response to a request by a law enforcement official having lawful custody of an individual if the official represents that such PHI is needed to provide health care to the individual or for the health and safety of the individual. For more information on permitted disclosures to law enforcement under HIPAA, see OCR’s guidance on sharing protected health information with law enforcement:

http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf

While HIPAA permits the disclosure of protected health information to law enforcement in these defined circumstances, other Federal and State laws may impose greater restrictions on the release of certain information, such as substance use disorder information, to law enforcement.

6. Does HIPAA permit health care providers to disclose PHI that includes criminal justice data to other public or private-sector entities providing social services (such as housing, income support, job training)?

In specified circumstances, yes. For example:

• A covered entity may disclose PHI for treatment of the individual without having to obtain the authorization of the individual. Treatment includes the coordination of health care or related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of or may help further the individual’s health care may disclose the minimum necessary PHI to such entities for treatment purposes without the individual’s authorization. For example, a provider may disclose PHI about a patient needing health care supportive housing to a service agency that arranges such services for individuals.
• A covered entity may also disclose PHI to such entities with an authorization signed by the individual. HIPAA permits authorizations that refer to a class of persons who may receive or use the PHI. Thus, providers could in one authorization identify a broad range of social services entities that may receive the PHI if the individual agrees. For example, an authorization could indicate that PHI will be disclosed to “social services providers” for purposes of “housing, public benefits, counseling, and job readiness.”

7. Does HIPAA restrict the ability of law enforcement officials to use or disclose data they maintain on health or mental health indicators to help inform incident response (g., to ensure officers are prepared to stabilize individuals and/or to support diversion)?

In general, no. Most state and local police or other law enforcement agencies are not covered by HIPAA and thus, are not subject to HIPAA’s use and disclosure rules. HIPAA, however, does apply to the disclosure of health information by most health providers to law enforcement. For more information, see OCR’s HIPAA Guide for Law Enforcement at:

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf

While HIPAA does not generally apply to use or disclosure of the data by law enforcement officials, other Federal and State laws may apply.

8. In the context of pre-arrest diversion, when does HIPAA permit a health care provider to share PHI with a law enforcement official without an individual’s authorization?

Calls for service dealing with attempted suicide or a mental health complaint.  Sometimes a family will call 911 for law enforcement response for a family member in a mental health crisis.  Other times, a business owner or a bystander calls to report unusual behavior (which often is an individual in crisis) and responding officers would benefit from knowing if the individual has a mental health condition.  This type of information may enable officers to employ crisis intervention and de-escalation techniques that could reduce the likelihood of injury to both officers and individuals in a mental health crisis.

HIPAA permits a health care provider to share PHI with law enforcement, in conformance with other applicable laws and ethics rules, in order to “prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.”  45 CFR 164.512(j). For example, if an individual makes a credible threat to inflict serious and imminent bodily harm, such as threatening to commit suicide, a provider may share with law enforcement the information needed to intervene. The provider may rely on a credible representation from a person with apparent knowledge of the situation or authority, such as a law enforcement official, when determining that the disclosure permission applies. See: http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html

Other general calls:  An officer is trying to determine whether an individual has a mental illness, substance abuse problem, or both, and needs to gain information about his or her condition in order to decide whether jail, emergency room, or some other program is needed.

If the individual is in lawful custody, a health care provider may disclose PHI to law enforcement pursuant to 45 CFR 164.512(k)(5) if the official represents that the information is needed to provide health care to the individual or  to provide for the individual’s health and safety or the health and safety of the officers.

If the individual is not in lawful custody (see 45 CFR 164.512 (k)(5)), nor is a threat to self or others (see 45 CFR 164.512(j)), these provisions would not apply and the provider would need to obtain an authorization from the individual before disclosing PHI to law enforcement, unless another HIPAA provision applies (e.g., escaped inmate, apprehension of an admitted perpetrator of violent crime, etc.).  See http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html for additional provisions that may apply depending on the particular situation.

We note that substance use disorder treatment information may be subject to additional protections under 42 CFR part 2.

9. When is an individual, other than an inmate, considered to be within the “lawful custody” of law enforcement for purposes of 45 CFR 164.512(k)(5) of the HIPAA Privacy Rule? Is “lawful custody” limited to arrest and imminent arrest or does it apply to situations where an individual may be under the care or control of an officer, but not under arrest?

For purposes of the scope of permitted disclosures of PHI to law enforcement in custodial situations under 45 CFR 164.512(k)(5), HIPAA does not define the precise boundaries of “other persons in lawful custody.”  As defined in HIPAA at 45 CFR 164.501, the term includes, but is not limited to:  juvenile offenders adjudicated delinquent, non-citizens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.  In addition to these defined situations, lawful custody also includes those situations where an individual is under the care or control of an officer.  This includes instances where an individual has been arrested, as well as situations where the individual has been detained by law enforcement and is not free to go, but is not under formal arrest.  For example, this would include situations when an officer has detained an individual and seeks to determine whether diversion is appropriate.  Lawful custody does not encompass pretrial release, probation, or parole.

10. Does HIPAA restrict a covered entity’s disclosure of PHI for treatment purposes to only those health care providers that are themselves covered by HIPAA?

No.  A covered entity is permitted to disclose PHI for treatment purposes to any health care provider, including those that are not covered by HIPAA.  In addition, HIPAA permits a covered health care provider to disclose PHI for the treatment of an individual to a third party, such as a social service agency, that is involved in the coordination or management of health care of that individual.