By Melissa Reuland
Information sharing across behavioral health and criminal justice systems is critical to reducing the number of people with mental and substance use disorders in jails. At the point of service, the availability of information related to the person’s treatment history and condition can enhance safety, improve the individual’s health, and support recovery outcomes. However, many jurisdictions face substantial challenges in developing information sharing agreements, cross-system coordination, and technology to gather and share information from their systems. As stakeholders strive to work within the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state confidentiality laws, many misconceptions may complicate their efforts and pose unintended barriers.
At the 2018 Best Practices Implementation Academy convened by SAMHSA’s GAINS Center, John Petrila, vice president of adult policy at the Meadows Mental Health Policy Institute and a national expert on data sharing and privacy law, presented strategies to enable appropriate information sharing between healthcare and criminal justice agencies.
First, he presented two scenarios that highlight misconceptions related to HIPAA:
Scenario 1: An officer responding to a person who might be suicidal calls the local Mental Health Center (MHC) and asks if the person is currently a patient at the Center. Can the center share that information under HIPAA?
Yes! HIPAA regulations, as interpreted by the U.S. Department of Health and Human Services, permit the center to provide the information to the officer in order “to prevent or lessen a serious and imminent threat to health or safety.” Should an MHP be present with the officer, this information may also be shared as the MHP is a covered entity (see below for more on “covered entities”). However, note that state law may prohibit such exchanges; if state law is more protective of privacy than HIPAA, then state law takes precedence.
Scenario 2: Treatment staff from the jail call a local hospital to ask for the name of the medication taken by a person who was recently booked. Can the hospital provide this information under HIPAA?
Yes! HIPAA regulations permit the hospital to share this information with the jail if it is for one of the following five purposes:
- Provide health care
- Ensure health and safety of inmates and others
- Protect transporting officer
- Promote law enforcement on premises
- Uphold safety and security of correctional facility
In fact, HIPAA is more permissive than many stakeholders realize regarding what information mental health agencies can provide to law enforcement. To help with identifying and locating a suspect, fugitive, missing person, or material witness, a health provider may provide law enforcement with the following:
- Name
- Address
- Date and place of birth
- Social Security number
- ABO blood type
- Type of injury
- Date and time of treatment
- Date and time of death (if applicable)
- Distinguishing physical characteristics
Again, if state laws are more restrictive, these limitations should be considered when deciding to share the above information. More guidance on this topic is provided on the U.S. Department of Health and Human Services website.
State Law Versus Federal Law
Petrila noted that state laws may be more restrictive than federal laws and will take precedence over what is allowed in HIPAA. HIPAA was enacted to address privacy of health information and also the growing use of technology for holding and exchanging health information. It was intended to balance privacy and continuity of care concerns, while assuring data security. However, many state mental health confidentiality laws were enacted at a time when cross-system care was not a major part of health care and when most health records were on paper, resulting in inconsistencies between federal and state law in some situations. Many state statutes are being updated to reduce discrepancies. For example, Ohio confidentiality laws were recently revised to be consistent with HIPAA, as lawmakers recognized that the state law was limiting continuity of care, and Texas was an early adopter of revised state privacy laws to assure a “fit” with HIPAA.
Creating a Framework for Data Sharing
Petrila suggested that rather than beginning efforts to share information by turning immediately to a specific situation (a common temptation for stakeholders starting to create information sharing arrangements), communities should first develop clear goals for information sharing and a framework to guide that effort. For example, instead of deciding whether or not a particular mental health clinician can tell a local law enforcement agency about a patient’s medicines in any given situation, first decide why information sharing is needed between the two entities in the first place.
Communities should seek to answer four important questions to guide their data-sharing efforts:
- Why do you want to share information?
- What type of information do you want to share?
- With whom do you want to share the information?
- Who decides if you will get to share it?
Once the framework for information sharing is established, it may be formalized into Business Associate Agreements (BAAs) or other types of agreements that create governance structures and rules for information sharing and use.
For additional information about Business Associate Agreements, consult the following resources: sample agreement provisions from the U.S. Department of Health & Human Services, or a sample agreement from the Camden Coalition of Healthcare Providers.
Guidance on HIPAA Rules for Information Sharing With Criminal Justice Entities
The U.S. Department of Health and Human Services provides guidance regarding HIPAA and how information may flow to and from health and criminal justice systems. This detailed information provides examples of circumstances where data may be exchanged. The FAQ resource may be filtered by profession, so users can access articles about information sharing that are specific to their role. The guidance is available on the U.S. Department of Health and Human Services website.
1. Why do you want to share information?
Partners need to be clear about why they want to share the information. Does the group want to collect individually identifiable information and use this information for point-of-service decision making by law enforcement or clinical staff? Does the group want to link people detained in the jail to existing case managers in the community? While this may seem like a simple process, many stakeholders fail to explore these questions. Furthermore, there may be restrictions on access by partners who are non-covered entities, so understanding the purpose of information sharing with non-covered entities is critical to establishing a legal and effective information-sharing system.
2. What type of information do you want to share?
The next step is to determine what type of information is needed to support point-of-service actions and decision-making. Stakeholders should try to specify exactly what information is needed and for what purpose, as conversations between partners may founder when the request is vague or broad (for example, simply asking for “health information”).
3. With whom do you want to share the information?
Partners should clarify with whom the information will be shared. Sharing information with law enforcement, a hospital, or a researcher each requires different considerations and agreements. Petrila explained that it is important to remember that HIPAA was designed to help agencies share information—the “P” in HIPAA stands for “portability.” All entities covered by HIPAA can share information among themselves. It is when a covered entity wants to share with a non-covered entity that special agreements are needed.
What are considered covered entities?

| A Health Care Provider | A Health Plan | A Health Care Clearinghouse |
| --- | --- | --- |
| This includes providers, such as: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies …but only if any electronic transmissions of information are in connection with a transaction for which HHS has adopted a standard. *Fire departments may be considered covered entities if they bill for their services and transmit that information. | This includes: health insurance companies; managed care organizations; company health plans; government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs. | This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa. |
4. Who decides if you will get to share it?
People providing their personal information make the first decision regarding the sharing and use of identified protected health information. One strategy found effective in increasing information sharing is to have a standardized universal Release of Information form consented to by an individual that allows named agencies to access the provided information. Only one agency has to obtain the signed waiver, which then facilitates quick and useful information sharing with the other named entities.
To determine who can share information, stakeholders should also address questions about governance in their agreements in order to safeguard the information sharing effort and, where identifiers are used, ensure that privacy is protected. For example, the following questions may arise:
- What if a party that was not part of the original agreement wishes to access information?
- What if a party to the agreement wishes to use information for a purpose not specified in the original agreement?
- What if a party wishes to withdraw from the agreement?
Stakeholders should think deeply about the governance structure and should address questions that may arise through their legal agreements.
As noted above, information sharing with non-covered entities will require an information sharing agreement. The type of agreement depends on the information and the circumstances in which the information will be shared. In the case of protected health information covered by HIPAA, agreements may include BAAs, Data Use Agreements (DUAs), contracts, or other forms of agreements. The type of agreement required also depends on the intended use. For example, whether a BAA is appropriate depends on the type of work the prospective business associate is providing the covered entity.
What Is Considered a Business Associate?
By law, the HIPAA Privacy Rule applies only to covered entities—health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of their duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions. The business associate should not obtain information for independent use or purposes, except as needed for the proper management and administration of the business associate.
Types of business associates may include the following:
- Corrections
- Court services
- District court
- Human services – outreach and housing
- Law enforcement
- Fire department (if they do not bill for services)
For more information on business associates, visit the U.S. Department of Health and Human Services webpage on Business Associates.
For more information on drafting BAAs, visit the U.S. Department of Health and Human Services webpage on Business Associate Contracts.
Using the Sequential Intercept Model as Part of the Framework
The Sequential Intercept Model (SIM) shows the progression of how people move through the criminal justice system. As people come into contact with the various intercept points, information about the person is collected and often retained; it may be of interest to other parties making decisions about the person. As a result, the SIM can be used to shape conversations about information sharing. At each point along the model, the following questions can be considered: What types of information are collected and which might enhance the decisions made? Who provides the information? Who might object to sharing the information? Who may want it at a later stage? For what purposes might the information be used? The extent to which information follows a person through the justice system can be a determining factor in the continuity of care provided to people with mental and substance use disorders.
Additional Helpful Resources
- HIPAA FAQs for Professionals, from the U.S. Department of Health and Human Services
- HIPAA Disclosures for Law Enforcement Purposes, from the U.S. Department of Health and Human Services
- Information Sharing in Criminal Justice–Mental Health Collaborations: Working with HIPAA and Other Privacy Laws
- HIPAA Requirements and Florida Law: Disclosures of PHI for Law Enforcement Purposes
- HIPAA Privacy Rule and Sharing Information Related to Mental Health, from the U.S. Department of Health and Human Services Office for Civil Rights
- Legal Agreements and Supporting Documents, from Actionable Intelligence for Social Policy