American Jails Hipaa Covered Entities in Prisons and Jails 2003
HIPAA and YOU
Covered Entities—Do you even have to bother?

DAVE THOMAS, M.D., AND JACQUELINE A. THOMAS

Many state prison systems and most jails have widely diverging opinions as to whether they are “covered entities” under the new federal HIPAA regulations. This article attempts to clarify the legislation, give guidance on “covered entities,” and create a template to follow so that correctional administrators do not run afoul of its provisions.

The Legislation

The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect you as a patient; however, in so doing it may directly affect you in your life as a correctional professional. The broad general protection it affords was an effort to make an employee insurable through his employer’s insurance. HIPAA specifically addressed portability of insurance between employers and preexisting conditions. In so doing, the law addressed the issues of privacy of medical information. It is that area that may cause you heartburn as a part of the correctional fraternity.

The Health Insurance Portability and Accountability Act was passed in 1996 and signed into law on August 21 of that year. It was a congressional amendment and refinement to three previous sections: the Employee Retirement Income Security Act of 1974 (ERISA); the Internal Revenue Code; and the Public Health Service Act. HIPAA includes changes that

1. limit exclusions for preexisting conditions,
2. prohibit discrimination against employees and their dependents based on their health status,
3. guarantee renewability and availability of health coverage to certain employees and individuals, and
4. protect many workers who lose health coverage by providing better access to individual health insurance coverage.

The good parts of this legislation for the individual employee are the limitations on exclusions for preexisting conditions. Some employers have health plans that limit or totally exclude coverage for preexisting health care conditions. For instance, if you had a heart attack while working for employer A and are hired by employer B, employer B’s health plan may have excluded you permanently from any cardiac-related health care claim. Under the authority of HIPAA, health plans now have strict limits on how long exclusions for preexisting conditions can be in effect. Generally, employees who change jobs and have health problems will have those preexisting conditions covered in 12 months or less. HIPAA also clarifies that a preexisting condition must have been affecting your health within the last six months for it to be excluded for the one-year period. HIPAA also makes clear that pregnancy is not to be considered a preexisting condition.

Another part that affects corrections is the exclusion for passing a physical examination. When HIPAA is totally in effect, employers may not exclude persons from coverage because of any particular illness a prospective or existing employee may have, nor may they require a physical examination prior to coverage. This exclusion on physical examinations prior to employment is strictly for the purpose of health insurance coverage. Of course, jobs requiring physical examinations for performance of duties may still have a physical examination; any data discovered during that evaluation, however, are specifically excluded from decisions on health care coverage.

AMERICAN JAILS March/April 2003 ◆ 73

Privacy Under HIPAA

The second major area that HIPAA addresses is health care information. The intent of the legislation is clear: no health care information pertaining to an individual should be shared except as it pertains to those providers specifically involved with the provision of care for that individual and those third parties who need specific narrow information for billing and payment.
Currently, because of the varying nature of state health information laws, personal health information can be distributed without consent for reasons that are totally unrelated to treatment. This can and has led to abuses of information. For instance, under the current loose patchwork of state laws, information held by an insurer can be passed on to a lender who can then deny that patient’s application for a home mortgage or a credit card, or to an employer who uses it in personnel decisions. Personal health information may be disclosed for insurance underwriting purposes, without the knowledge or consent of the insured. This is a totally different situation than volunteering and consenting to a physical examination prior to the inception of the policy. Personal health care information has been used without the knowledge or consent of the individual for market research or any other reason without any safeguards to protect it against misuse. While there is and has been this tremendous exchange of personal, identifiable health care information without consent of the patient, patients themselves have been in the awkward position of attempting to discover their own records without success. If the patients can surmount the access to their records issue, they are often unable to obtain their own medical records. In addition, patients wishing to access or control the release of such records may be unable to do so because of overwhelming barriers established by their insurance company, health care provider, hospital, state agency, federal provider, or anyone else who holds their records. The intent of the PRIVACY section of HIPAA is to give control of the medical information and the medical records to the individual patient. Often cited are the appropriate areas that all of us would want. For instance HIPAA permits the patients to have the ability to know how their health information is being used. 
Health plans and providers must inform patients on the use of their personal health care information, to whom it is being disclosed, and why the information is being disclosed. Prospective consent is needed for each of the disclosures. Each patient is also entitled to a disclosure history listing the entities that received information unrelated to direct treatment or payment. This information must be supplied within 60 days of request.

The PRIVACY regulations of HIPAA specifically require doctors and hospitals to get the written consent of their patients to use their health information. While this provision will not alter the way most large entities and systems have operated, smaller individual providers—such as the doctor dropping by the jail once a week—may have to gain written consent from the detainees and inmates prospectively BOTH for treatment AND use of the medical information that the doctor gathers.

Even large entities will have to change the way they approach the medical information of their patients. First, nonroutine disclosures—that is, disclosures to someone other than the treatment team or billing services—would require a separate, specific written consent prospectively. Second, patients would have access to their own files. Not only would access to files be granted, and copies provided when requested, but patients would also have the right to request corrections or amendments to their medical records. While the intent of the legislation is part of an emerging understanding of the protection of privacy, it is possible under the HIPAA regulations for the patient to challenge diagnoses and other aspects of materials that have traditionally been considered the province of the medical professional. Neither the law nor the rule as described (in the Federal Register, Vol. 65, No. 250/Thursday, December 28, 2000) specifies how the accuracy of challenges to the information is to be determined.
For instance, in the White House press release on this subject, the specific language permitting “amendments and corrections” referred to a patient with “…an improper diagnosis in his or her medical file could be denied health insurance and left no redress.” Nowhere are there guidelines on how to maintain the accuracy and integrity of the professional expert opinions. In a further effort to protect individual patient health care information HIPAA attempts to set boundaries on medical record use and release. Those boundaries allude to the “minimum necessary” information to be used and disclosed. Currently, many state laws permit the disclosure of an entire record even if an employer, billing service, or other entity only requires specific limited information. HIPAA specifically restricts information that is used and disclosed to the minimum amount necessary to perform a specific function. Another requirement of the PRIVACY section is to address all standard practice involving medical care documentation with regard to privacy considerations. Indeed, this is where there is an advocate for a HIPAA compliance officer. The regulation requires the establishment of internal procedures to protect the privacy of health records and other documents. These procedures include, but are not limited to, the training of employees about privacy considerations in the workplace, receiving complaints from patients about privacy issues, the designation of a privacy officer (HIPAA Compliance Officer) to assist patients with their complaints, and ensuring appropriate safeguards are in place for the protection of health information. With the exception of the designation of a single person as a compliance officer, many responsible physicians, hospitals, and other health care entities were assuring compliance. The new regulation enforcement will require documentation of the above items, such as specific training of employees on privacy of medical information. 
HIPAA makes this a national standard.

The law is entitled the “Health Insurance Portability and Accountability Act” because there are very strong accountability provisions. There is an equally strong federal investigative authority granted to look into infringements of HIPAA. New civil and criminal penalties were created by this act for improper use or disclosure of information. Penalties like these, which are divided between disclosure and disclosure for sale, allude to the fact that accidental or sloppy disclosure is punishable in a draconian fashion. Civil penalties permit administrative actions for up to $100 PER DISCLOSURE (maximum of $25,000 per year) and create a tort action for the aggrieved party. Therefore it is possible to be civilly and criminally sanctioned by the federal government and then have a civil suit from the patient whose records were disclosed. Although the courts will have to make a determination on this aspect, it appears the law allows an aggrieved patient the right to sue because there was a disclosure and a second suit because the patient had harm as a result of the failure of the HIPAA compliance system.

Although the initial intent of Congress was to address electronically transmitted information, HIPAA’s final form clearly indicated that the law extended its provisions to cover medical record information in all forms, specifically citing written and oral communications. The final regulation provides protection for paper and oral in addition to electronic information, creating a privacy system that covers all personal health information created or held by covered entities. This provision means that there will be one standard for health care information rather than separate ones for paper, oral, and electronic. While a single standard will make compliance easier, it should be noted that this one single standard is fairly restrictive.

Are Jails and Prisons Excluded from HIPAA?
Having now gained some insight into the provisions and the extent of the law, the crucial question for the correctional administrator is: ARE WE A COVERED ENTITY? Throughout the legislation there is reference to “covered entities.” The definition of a covered entity seems at first blush fairly simple; however, there is wide room for interpretation as noted by the response of various correctional facilities around the country. Several state correctional systems have declared themselves a “covered entity” under the provisions of HIPAA (e.g., Florida). Other states have determined that their correctional systems are not covered entities (e.g., Washington), but have ongoing efforts to assure reasonable compliance. Other states and many local jails are unaware of the provisions of the act and have not determined whether or not they are covered entities. Because of the confusion surrounding the law, extensions from compliance were readily obtainable through 2002. Many systems took advantage of the extension provisions, but for those that have not, compliance is expected within the first half of 2003. Many correctional administrators cite broad exclusions from HIPAA compliance because of the unique nature of the correctional system. There are exclusions from HIPAA compliance in the Federal Register for corrections, but these exclusions are narrow, rather than broad. Certainly, as initially discussed in congressional committees there were to be broad exclusions for law enforcement, corrections, and other public safety units. HOWEVER, as the bill reached its final form most broad exclusions were removed and narrowly tailored specific language was inserted. For instance, public health initially enjoyed a near exemption from the provisions because of the critical safety nature of its mission. These proposed broad exclusions were replaced with a rather narrow definition. Information for public health and research purposes is now specifically addressed. 
The regulation recognizes that threats to public health, such as life-threatening and easily transmitted infectious diseases, will require appropriate monitoring by public health authorities. The regulation encourages health professionals to use de-identified records whenever possible. While HIPAA advocates feel the law strikes the proper balance between protecting privacy and meeting the needs of public health, public safety, and law enforcement, others profoundly disagree.

Many jails and prisons look to the exclusions hopefully or try to define themselves as excluded from the provisions of “covered entities.” Remember, the exclusions are narrowly tailored and quite specific. The Federal Register and the act itself describe them with specificity. First and most important for jails—the act clarifies that reference is to “…individuals that are incarcerated in correctional facilities that are part of the criminal justice system or in the lawful custody of a law enforcement official—and not for individuals who are detained for noncriminal reasons…” (Emphasis mine—Federal Register, Vol. 65 No. 250/Thursday, December 28, 2000. Pg. 82541). Specifically cited are people who are detained for mental health reasons, which is a problem in every major jail in the country.
With the exception of this one confusing area concerning the mentally ill detainees, HIPAA clarifies and permits disclosure of personal medical information for inmates and detainees under the following circumstances:

(1) The provision of health care to such individuals
(2) The health and safety of such individual or other inmates
(3) The health and safety of officers [of][sic-or] employees or others at the correctional institution
(4) The health and safety of such individuals and officers or other persons responsible for the transportation of inmates or their transfer from one institution or facility to another
(5) Law enforcement on the premises of a correctional institution; and
(6) The administration and maintenance of the safety, security, and good order of the correctional institution

(Federal Register/Vol. 65/No.250/Thursday, December 28, 2000/pg. 82541 and section 164.51(k) and (h) of the law).

The Federal Register goes on to cite a specific example: “This section is intended to allow, for example, a prison doctor to disclose to a van driver transporting a criminal that the individual is a diabetic and frequently has seizures, as well as information about appropriate action to take if the individual has a seizure while he or she is being transported.” (Ibid.)

The provisions of HIPAA in the example provided above may permit more disclosure than state law. For example, currently in Florida, without the patient’s consent we would advise the van driver that the inmate may become acutely ill in transport and if that occurred what he could do to assist the inmate. We would be prohibited from disclosure of the specific diagnosis of diabetes. In situations like this where HIPAA permits more disclosure than state law, the more restrictive legislation is controlling.
In other words, although HIPAA would allow the sharing of the diagnosis of diabetes without the patient’s consent, because Florida law does not, providers in Florida would have to decline sharing the specific diagnosis.

Covered Entities—Do You Even Have to Bother?

It should be clear that while there are specific exclusions for correctional facilities, because the law addresses them in such detail, the intent of the legislation is that corrections would be a “covered entity.” Some states and local jails have indicated that because they do no electronic billing or transfer of protected information they are not a “covered entity.” Although a final determination will only come about by a trial case, it is wise for correctional administrators to begin to move into compliance with HIPAA. There are a variety of reasons to assume this posture.

First, eventually, all of corrections will be dependent on electronic transmission of information. Indeed it is routine and commonplace now.

Second, the act clearly addresses the nonelectronic transfer of information and references written and oral documentation. From the comments released by the White House, a previous administration was certainly going to point executive branch enforcement agencies in that direction.

Third, the penalties apply to all persons releasing or receiving protected information, not just medical professionals. Therefore, assuming that you are not a covered entity only to find out later that you were may cause judicial action against a correctional administrator for something his/her staff did in a routine fashion.

Fourth, although at first it seems hugely cumbersome, complying with the privacy setting in corrections is not all that difficult.

While not exhaustive, compliance with the intent of HIPAA can be accomplished with few changes in most correctional settings.
Establishing a HIPAA compliance officer, staff training on confidentiality of protected information, receiving grievances from patients concerning their medical information, having a system in place for inmates/detainees to evaluate and challenge their medical information, and giving copies of the record upon request comply with most of the privacy regulations.

The Health Insurance Portability and Accountability Act specifically continues some of the legislation protecting mental health records, and therefore those records are not disclosable. There are still federal statutes regarding privacy of substance abuse, mental health, and some other physical conditions that are not affected, and the information they cover is therefore either not disclosable to the patient (mental health) or not disclosable to others without the patient’s direct consent (e.g., substance abuse and HIV information, except as provided in other laws).

One other aspect needs to be reviewed prior to concluding, and that is medical information as it involves the prosecution of criminal activity. Although medical records are often important to the investigation and prosecution of serious criminal activity, it was clear in the comments of the White House at the signing ceremony of this law that the overarching philosophy of protection of personal medical information would be the goal. The specific comment was “…[although criminal prosecutors may desire personal medical information, that must be balanced by the fact that]… Americans must not be discouraged from seeking health care because of concerns about having their information inappropriately given to others.”

Eventually, HIPAA will impact the way all of us in corrections do our job. We would be well advised to begin now to come into compliance with this legislation.

Dr. Dave Thomas is the Chairman of the Division of Correctional Medicine of NovaSoutheastern College of Osteopathic Medicine and Director of Health Services for the Florida Department of Corrections. Ms.
Jacqueline Thomas is a medical student at NovaSoutheastern University College of Osteopathic Medicine and has done extensive research into correctional health care. Dr. Thomas can be reached at (850) 922-6645.

LETTERS TO THE EDITOR

Dear Editor:

In the last issue there was an article by Dr. David Thomas and Ms. Jacqueline Thomas, HIPAA and You, concerning HIPAA and HIPAA compliance. The article seemed to advocate for small and medium sized jails to declare themselves as “covered entities” under the act.

Recently, the National Commission on Correctional Health Care organized a telephone conference call with the compliance division of the Department of Health and Human Services. It is apparent that the compliance division feels that any jail or prison system that does not involve itself in electronic billing does not have to consider itself a “covered entity” and therefore the privacy section of HIPAA is not required.

Frequently, federal legislation has a tendency over time to become more encompassing. Correctional facilities and systems would be wise to note the provisions of HIPAA. Those provisions concerning privacy and access to medical information by inmates and detainees may eventually impact all of us in corrections.

At this point in time, if a facility or system is not in any way involved in electronic billing, it need not consider itself a “covered entity.” Hopefully, this letter to the editor will allay some of the concerns expressed by facilities not involved in electronic billing.

Edward Harrison, CCHP, President, NCCHC
David Thomas, MD, JD, NSU-COM

80 ◆ May/June 2003 AMERICAN JAILS