By Thomas F. Rae
Senior Claims Examiner
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to publicize standards for the electronic exchange, privacy and security of health information. The final regulation, known as the Privacy Rule, was published by the department of Health and Human Services in December, 2000 and subsequently modified in March, 2002. Since its inception, HIPAA has resulted in many additional requirements, procedures, and concerns as a result for healthcare providers, including correctional medicine.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a “covered entity” or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
HIPAA’S Privacy Rule and Administration Simplification rules apply to all health care plans and providers who transmit health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
The Privacy Rule, therefore, includes Correctional Healthcare Providers as covered entities. It has been established that in HIPAA breaches, there is no private or individual right of action to pursue an alleged HIPAA breach. All HIPAA complaints against covered entities must be brought by the Department of Health and Human Services (HHS). HHS provides, on its website, user-friendly instructions as to how to file a Complaint, in seven languages in addition to English.
HIPAA and Your Insurance Coverage
Exposure to HIPAA Complaints is a developing trend in breach of privacy causes of action. HIPAA Complaints allege statutory violations; these along with the remedies sought, which include agreements by the covered party to perform certain remedial obligations, along with payment of Civil Money Penalties to HHS, may be construed as falling outside of the standard medical or medical-related Professional Liability insurance Policy. Penalties and fines are normally not covered items of damages under most professional liability policies.
Some carriers, however, provide for such coverage by endorsement which provides coverage for Civil Monetary Penalties assessed against the Insured, often subject to the monetary limits of the Endorsement, The Endorsement additionally provides for defense and investigation of any HIPAA Civil Violation arising out of the provision of the Insured’s professional sevices. Policies without such an endorsement or coverage may not provide a defense or indemnification given that many exclude fines and penalties, such as may be assessed under HIPAA.
Correctional Health Care HIPAA Challenges
With respect to correctional healthcare, issues of breach of privacy/confidentiality are becoming more frequent additions to the broad allegations asserted in most complaints alleging breach of confidentiality. At least in very narrow circumstances, these types of allegations might form the basis of a colorable Section 1983 claim that could withstand a motion to dismiss. And at least one court, in Michigan, has found that requirement of a showing of physical injury to be unconstitutional with respect to breach of privacy injuries. State laws may also provide more protection for the recipient of healthcare services than HIPAA.
HIPAA allows correctional facilities to obtain or use protected health information if necessary for providing health care to an inmate; for the health and safety of inmates, officers, or staff; and for administration and maintenance of the safety, security, and good order of the correctional institution. Section 45 C.F.R. 164.512 (k) (5) (i) of the code indicates grounds for which inmate medical information may be provided. Disclosing an inmate’s history may ensure the inmate’s health and safety and those of other inmates. Officers may need to know about an inmate’s seizures before placing the inmate in isolation. Disabilities may require accommodation and assistive devices, and inmate medication management may warrant recurring medical appointments. Medical conditions or certain medications could affect what tasks an inmate can perform safely. Staff needs to be aware of an inmate’s physical limitations while recovering from surgery. Many circumstances exist in which an inmate’s health and safety, coupled with the logistics of running a correctional institution, necessitate the correctional healthcare provider sharing health information.
Certain more extreme, circumstances, however, are subject to differing interpretations, when viewed from the perspective of a correctional facility attempting to maintain safety and order, or from the perspective of an aggrieved inmate. An exposure relatively unique to correctional healthcare providers involves inmates in disciplinary confinement. These are dangerous situations from a patient privilege and HIPAA standpoint as the inmates are kept in cells 23 hours a day and can only be taken out with great effort by security, often with few private locations for examination available where guards are not required to be present for the protection of medical staff. Accordingly, the “cell door consult” is common. Medical staff see the inmate at their cell door, where other inmates can – and do – overhear . This presents a tremendous logistical problem for maintaining privacy and providing necessary evaluation and care while ensuring the safety of medical and prison staff.
Protection of inmate or patient data becomes more sensitive with respect to certain conditions than others. Mental health information is particularly susceptible in correctional settings to claims of breach of confidentiality, which claims could be presented to HHS and filed as HIPAA Complaints. Does a mental health caregiver’s identification of a patient/inmate by name in passing constitute the disclosure of the existence of a treatment relationship? What if the caregiver asks “how are you feeling today?”
The issue becomes more complicated when what occurs is a “cell door” consultation. For reasons of safety, or based on correctional guidelines, access may be restricted to the cell, and all interaction transpires with the caregiver outside the cell and client inside the cell. Issues such as the identification of medications while being dispensed, mental health concerns, physical health issues may the subject of said consultation. While perhaps not sufficient to survive a motion for summary judgment, lawsuits raising these issues have been brought with significant litigation expense incurred in defending the same.
Dissemination of Information
With respect to medical information, inmate’s rights to confidentiality of medical information are undecided in most circuits; however this is a developing area and is now recognized in two jurisdictions in very limited circumstances, which recognize an inmate’s right to confidentiality with regard to the purposeful dissemination of intensely private medical information.
One of these decisions relates to the dissemination of information regarding the HIV status of prisoners, which is a growing focus of laws governing privacy, both in the public domain outside of the correctional setting, and in the jail or prison. Possibly the greatest exposure to potential HIPAA violations in the correctional settings relates to HIV status, and, to a lesser extent, Hepatitis C Virus (HCV) however HCV doesn’t carry the same stigma. A case exemplifying this involves a prisoner who brought suit for breach of confidentiality of his HIV status because he was identified on a separate patient list and treated by a physician via telemedical conferencing, pursuant to protocol. Additional allegations may include that these patients are exposed to further harm as it will be assumed that they are homosexual based upon their status on the list. HIV poses an especially difficult patient confidentiality situation in a prison. It is critical that correctional staff know which prisoners are HIV positive, yet this awareness poses great risks preserving confidentiality, as any unique treatment of an HIV positive inmate will be noticed.
Notably, breach of confidentiality of an inmate’s HIV status not only creates potential exposure under HIPAA, but also under the Aids Confidentiality (ACA). Under the ACA, each individual whose HIV status has been improperly disclosed can recover (1) $2,000 for negligent violation; (2) $10,000 for reckless violation; (3) reasonable attorneys’ fees; (4) and other appropriate relief, i.e., injunctive relief. Alternatively, a plaintiff alleging his HIV status was improperly disclosed can recover actual damages, if greater than the liquidated damages, plus reasonable attorneys’ fees. Facilities should also be aware that a growing body of case law holds that statutory damages, like those imposed under the ACA, are a “Penalty” and therefore not a “Loss” and, as discussed above, penalties and fines are normally not covered items of damages under most professional liability policies. Perhaps the best procedure for protecting correctional facilities from accidental disclosure of HIV status would be to process all inmates through medical in-take in an identical fashion, and then separate out the HIV-positive inmates once they are out of sight of any other inmates. However, this would impose significant logistical challenges.
The Future of HIPAA and Correctional Health Care
In conclusion, exposure to HIPAA Complaints is but one of the breach of confidentiality risks facing our correctional healthcare clients. As inmates grow more sophisticated and knowledgeable or creative as to the causes of action available for them to pursue, we anticipate this to be an arena of development. With this patient population, once a possible legal cause of action is pursued by a few inmates, the word tends to spread fairly quickly; we frequently see clusters of similarly-styled Claims arising from within various correctional healthcare entities, and we have no reason to believe HIPAA Complaints will not follow this pattern.
HHS investigation of HIPAA Complaints may become a vehicle by which opportunistic inmates are able to investigate their claims for breach of confidentiality with greater sophistication. Investigation of a HIPAA Complaint by the government, in instances where a civil suit has also been filed, could lend validity to an inmate’s claims for breach of confidentiality, and potentially increase the odds of, or the amount of, a judgment in his favor. And Civil Monetary Penalties awarded as the result of HIPAA violations, which initially tended to be rather weak penalties, are increasing in size. HHS recently assessed a $4,300,000 Civil Monetary Penalty against a Mid-Atlantic health care organization.
The reality is that HIPAA claims are becoming part of the risk environment in which correctional medicine is delivered. We anticipate HIPAA Complaints in correctional healthcare will mirror the most common breach of confidentiality risks already facing correctional healthcare providers – alleged breaches of confidentiality in mental health status, HIV status, and as the result of “Cell door” consultations. As correctional plaintiffs grow more sophisticated, greater consistency and sophistication in managing inmate medical information, along with additional insurance coverages addressing such unique concerns will enable correctional healthcare providers to more effectively manage risks and losses presented by this growing social and legal trend.
About the Author
Mr. Rae is a certified legal assistant with over 22 years experience exclusively handling malpractice and malpractice-related claims with significant exposures. He served correctional health care clients since the early 1990’s. Since 2003, Rae has enjoyed working in the malpractice division of Markel’s professional lines division, which has a significant concentration of correctional health care clients.