
Does HIPAA apply to prison infirmaries?

Initially, the HIPAA Privacy Rule proposed excluding inmates’ health information from protected health information (PHI) because unimpeded sharing of such information was deemed crucial for correctional operations. However, after public commentary, the Department of Health and Human Services removed this exclusion, recognizing inmates’ rights to privacy and the potential for misuse of health information in correctional settings.

According to an American Journal of Public Health article by Melissa M. Goldstein on healthcare privacy in correctional settings, “In the correctional context, the few federal courts that have recognized a right to privacy in inmate medical records have held that it must give way when the state has a legitimate penological interest in accessing those records.”

Whether a prison infirmary is subject to HIPAA depends on its status as a covered entity. A correctional institution or its healthcare component (such as a prison clinic) qualifies as a covered entity if it furnishes, bills, or is paid for healthcare in the normal course of business and electronically transmits health information in connection with certain transactions specified by HIPAA’s Privacy Rule. For example, if a prison infirmary bills electronically for inmate healthcare or contracts with external providers who do so, it must comply with HIPAA.

 

Prison infirmaries as healthcare providers within correctional institutions

A Journal of Hospital Medicine article noted, in relation to inmate care, “Federal law mandates basic healthcare for people who are incarcerated, yet does not define how care is delivered.”

Prison infirmaries function as healthcare providers embedded within correctional institutions, delivering medical care to incarcerated individuals who often have complex health needs. These infirmaries provide a range of services from routine sick calls and chronic disease management to emergency care and mental health services. They operate under the dual mandate of providing adequate healthcare while maintaining institutional security and order.

Healthcare delivery in prison infirmaries is influenced by the correctional environment. Custody officers are often present during medical encounters to ensure safety, which can affect privacy. However, efforts are made to minimize breaches of confidentiality by limiting the health information disclosed to officers to what is necessary for security purposes. The infirmary staff must balance clinical care standards with security protocols, such as the use of restraints or supervision during treatment.

Prison infirmaries handle PHI with modifications to accommodate security and institutional needs. While HIPAA’s Privacy Rule protects inmate PHI, correctional facilities have explicit permissions to use and disclose PHI without inmate authorization for purposes such as maintaining safety, security, and order, or providing healthcare within the institution.

Unlike other healthcare organizations, prison infirmaries are exempt from certain HIPAA requirements. For example, they are not required to provide inmates with a notice of privacy practices, nor must they notify inmates about possible uses and disclosures of their PHI. Inmates also have restricted rights to obtain copies of their PHI if disclosure could jeopardize safety or security.

 

Do inmates maintain the same rights under HIPAA?

The above-mentioned American Journal of Public Health study noted, “Although the Privacy Rule does protect the health information of inmates, the drafters also recognized that correctional facilities have legitimate needs to use and share inmates’ PHI without authorization.”

Inmates have many of the same HIPAA rights as free civilians, but with important limitations. While inmates are protected under HIPAA’s Privacy Rule, certain rights are curtailed to balance privacy with security and safety concerns inherent in correctional settings.

For instance, inmates do not have the right to receive a notice of privacy practices from correctional healthcare providers, a standard requirement in civilian settings. They also may be denied access to copies of their medical records if such access would threaten the safety, security, or rehabilitation of the inmate or others. However, inmates generally retain the right to inspect their PHI unless there is a valid reason for denial.

Moreover, upon release from incarceration, individuals regain full HIPAA protections and rights equivalent to those of free civilians.

 

When can the PHI of inmates be shared?

The American Journal of Public Health study also provides, “Although the US Constitution does not expressly provide a right to health information privacy, the US Supreme Court has recognized a limited right regarding information held in government databases.”

Inmate PHI is shared within correctional facilities primarily among healthcare providers, correctional officers, and law enforcement officials who have lawful custody, but only as necessary for healthcare delivery, safety, security, and institutional order.

HIPAA permits disclosure without inmate authorization to correctional staff for purposes such as managing the inmate’s health, protecting the inmate or others from harm, and ensuring security during transfers. Disclosures are limited to the minimum necessary information.

External healthcare providers involved in inmate care also have access to PHI, governed by HIPAA-compliant agreements to ensure confidentiality during care transitions. Access to inmate PHI is tightly controlled and monitored to prevent misuse or unauthorized disclosures, reflecting the dual need for privacy and security in correctional healthcare.

 

Parallel legislation

Besides HIPAA, correctional health information is subject to the Prison Litigation Reform Act (PLRA), the Americans with Disabilities Act (ADA), and constitutional protections. HIPAA’s "lawful custody exception" permits sharing of protected health information (PHI) without consent between healthcare providers and correctional facilities when necessary for care provision, safety of inmates and staff, and law enforcement purposes. Additionally, Medicaid policies, including recent reforms like the Medicaid Reentry Act, influence prison healthcare by facilitating coverage suspension rather than termination during incarceration, supporting continuity of care upon release. Regulations specific to prisoner research, such as Title 45 CFR Part 46 Subpart C, also intersect with HIPAA to ensure confidentiality and ethical standards in research involving incarcerated individuals. Thus, prison healthcare systems operate under a layered legal regime that balances inmate privacy rights, public health goals, and correctional safety.

 

FAQs

Does HIPAA cover healthcare provided to inmates outside the correctional facility?

Yes, HIPAA applies fully to healthcare services provided to incarcerated individuals at external hospitals or specialty clinics, requiring secure sharing of PHI and adherence to consent or emergency disclosure rules.

 

How is PHI shared between correctional facilities and community healthcare providers?

Sharing PHI is critical for continuity of care, especially upon intake, release, or during probation/parole. This exchange must comply with HIPAA and other regulations like 42 CFR Part 2 for substance abuse treatment records to ensure privacy and effective treatment coordination.

 

Can medical staff share an inmate’s health information with custody staff?

Yes, medical staff can provide protected health information to custody staff when necessary for the safety and security of the institution while maintaining HIPAA compliance.

 

Are correctional facilities always considered HIPAA-covered entities?

Not necessarily. Correctional facilities are covered entities under HIPAA if they provide healthcare and electronically transmit health information in connection with covered transactions such as billing or eligibility verification.

 

How does HIPAA’s “lawful custody exception” work in prisons?

This exception allows correctional facilities to access and share PHI without inmate consent if necessary to provide healthcare, maintain safety and security, or support law enforcement functions within the institution. It ceases once the individual is released from custody.

 

Can correctional healthcare providers share PHI with law enforcement officers?

Yes, HIPAA permits disclosure of PHI to correctional officers or law enforcement on the premises when necessary to maintain safety or security, or to prevent a serious threat to health or safety.
