Understanding HIPAA compliance in corrections
Medical staff can provide an inmate's protected healthcare information to custody when requested and still maintain compliance with HIPAA regulations
By Ryan Pettus
The California Department of Corrections and Rehabilitation (CDCR) relies upon many programs as part of its mission to facilitate the successful reintegration of incarcerated individuals back to their communities. The custody staff under the Division of Adult Institutions and the medical professionals under the Division of Health Care Services are fundamental in meeting the CDCR mission and goals by providing a safe and secure path to rehabilitation. Open communication between custody and medical is paramount in successful and safe CDCR operations.
Medical staff can be hesitant to provide needed medical information to custody peace officers due to HIPAA-compliance concerns. The concerns of some medical and custody personnel to provide private medical information are founded on a misunderstanding or poor training of what HIPAA allows and prohibits regarding disseminating medical information. This article provides clarification of HIPAA-compliance issues in CDCR’s custody setting.
While many people mistakenly write HIPPA, the correct acronym is HIPAA which stands for the Health Insurance Portability and Accountability Act.
HIPAA was created primarily to modernize the flow of healthcare information and stipulate how Personally Identifiable Information is maintained by the healthcare and healthcare insurance industries. 
HIPAA legislation has evolved significantly since its earliest incarnation. Not only has the language of the Act been modified to address advances in technology, but the scope of the Act has been extended to cover Business Associates.
The regulations were initially codified in 1996 and began the development of federal policy for the transfer of medical information.  The regulation has gone through several iterations with additional measures added through legislative action.
In 2003 the Final Rule on Security Standards was issued. The HIPAA Security Rule established a national standard to protect individuals’ personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate safeguards to ensure the confidentiality, integrity, and security of electronically protected health information. 
Implemented with the initial creation in HIPAA, the Privacy Rule had an effective compliance date of April 2003. The Privacy Rule defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual” and set standards for allowable uses and disclosures of PHI.  Most importantly to CDCR, the Rule sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Medical Information Sharing in Corrections
Custody peace officers occupy a unique role in public safety requiring insight into the daily activities, living conditions, mental and physical health of the incarcerated individuals under their supervision. CDCR medical professionals occupy another unique role in providing care for acute and chronic medical needs of the same incarcerated population. Often custody staff requires Protected Health Information (PHI) on inmate/patients where the medical staff has domain over the same PHI. Often the medical staff is, understandably, hesitant to release PHI to custody peace officers.
Individuals and organizations that must comply with HIPAA are often called HIPAA-covered entities. Every healthcare provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity.  By this definition CDCR medical staff are a covered entity defined by HIPAA and as such are liable for the protection and security of PHI. However, under § 164.512(a), a covered entity may use or disclose PHI when required by law.
In developing the Privacy Rule legislators were key to implement codified allowances between law enforcement and healthcare providers. HIPAA allows correctional facilities to obtain or use protected health information if necessary for providing health care to an inmate; for the health and safety of inmates, officers, or staff; and for administration and maintenance of the safety, security, and good order of the correctional institution, including law enforcement on the premises of the facility (§ 164.512(k)(5)). Overall, HIPAA permits law enforcement more access than it prohibits.
More broadly covered entities may disclose PHI to law enforcement (correctional officers) to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (§ 164.512(j)(1)(i)); or to identify or apprehend an individual who appears to have escaped from lawful custody ( § 164.512(j)(1)(ii)(B)). Also, many medical staff are considered “mandatory reporters” and must report suspected minor or elder abuse to the authorities. Correctional peace officers have jurisdiction for law enforcement operations within CDCR.
Although medical staff should maintain the security and privacy of Protected Health Information (PHI), the same staff need to understand custody may require PHI for operational needs.
Medical staff can provide PHI to custody when requested and maintain compliance with HIPAA regulations and department policy. Most importantly if correctional peace officers request medical information in the interest of maintaining the safety and security of the institution, medical staff should not delay in providing that information.
Moreover, medical and custody staff should feel free to provide information necessary to ensure good order of the facility and safety of the incarcerated individuals.
1. The HIPAA Guide. HIPAA For Dummies.
2. Atchinson BK, Fox DM. The Politics Of The Health Insurance Portability And Accountability Act. Health Affairs, 1997, 146-150.
3. U.S. Department of Health & Human Services. HHS.gov.
4. U.S. Department of Health and Human Services. 45 CFR Parts 160 and 164. Federal Register.
5. HIPPA.com. HIPAA.
Rae TF. Ultra Risk Advisors. HIPAA – Correctional Facility Concerns and Coverage, 2011.
About the author
Ryan Pettus is a sergeant with the California Department of Corrections and Rehabilitation (CDCR). He has a bachelor's degree in criminology from ASU and has several years of regulatory engineering experience in the nuclear and law enforcement fields.