THE IMPACT OF HIPAA ON CHILD ABUSE AND NEGLECT CASES

THE IMPACT OF HIPAA ON CHILD ABUSE AND NEGLECT CASES

Howard Davidson, J.D. Director, American Bar Association Center on Children and the Law

What is HIPAA?

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) has two key purposes. The first (Title 1) protects health insurance coverage for workers and their families when they change or lose their jobs. The second (Title II) requires the U.S. Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.

It also addresses, through new protections, the security and privacy of patient health data. This last area, regarding the protection of health information, raises some important questions about how information sharing practices in child maltreatment cases may be affected when HIPAA's privacy provisions go into effect in April 2003.

HHS issued initial privacy regulations under HIPAA in December 2000, but after extensive feedback it issued final regulations on August 14, 2002. These will be formally incorporated into the Code of Federal Regulations as 45 C.F.R. Parts 160 and 164. Until these are published, the text of the regulations may be accessed at this website: http://www.hhs.gov/ocr/hipaa/finalreg.html

Who Does HIPAA Apply To?

HIPAA's privacy requirements apply only to information and records maintained by "covered entities." For example, a physical health care or mental health care "provider" that conducts certain transactions in electronic form (e.g., via internet or intranet) is a covered entity.

In addition, any person, business, or agency that furnishes, bills, or receives payment for such care, in their normal course of business, where they also transmit relevant transactions electronically, are covered entities. Medicaid and Child Health Insurance Programs (CHIP) are also covered entities. If programs or entities are not providing health care, billing for it, or transmitting information related to such care or billing via electronic means, it appears the HIPAA privacy provisions do not govern them.

How Does HIPAA Prevent Disclosure of Information Related to Child Maltreatment?

HIPAA's broad privacy provisions are intended to protect the confidentiality of patient health records. HHS rules give individuals added control over how their protected health information is used and disclosed.

HIPAA requires that covered entities give patients written notice of their privacy rights. Under most circumstances, patients must give specific authorization before covered entities can share their information or records. A general, but limited, exception is what the rules call "routine" situations, such as common sign-in lists used in doctors' office reception areas to note arrivals of each patient.

HIPAA's privacy protections will have important implications for child protective services agencies, other entities involved in child welfare work, and advocates when they seek - in child maltreatment cases - records or information on adults or children from "covered" hospitals, clinics, physicians, psychologists, psychiatrists, etc. As explained below, HHS has provided exceptions to make clear that health care providers suspecting child maltreatment still must report it. The exceptions, however, more clearly exempt disclosure of certain child victim records than they do physical or mental health information pertaining to perpetrators of child maltreatment, parents of child maltreatment victims generally, other adults or children in the child's home, or prospective adult caretakers (e.g., foster or kinship care providers). Therefore, it is important that those seeking health information on such adults for child safety-related purposes become familiar with HIPAA privacy protections generally, as well as the scope of the exceptions. Further clarification on these issues will undoubtedly be needed from HHS.

What HIPAA Exceptions Apply to Child Maltreatment?

Disclosure of child abuse/neglect related information is addressed in three sections of the HIPAA regulations-- Sections 160.203, 164.502(g)(5), and 164.512.

(1) Section 160.203 sets forth a series of exceptions to general HIPAA privacy requirements. It also clarifies that HIPAA generally overrides state laws where they are contrary to HIPAA.

160.203(c) says that HIPAA rules do not apply where the "provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention." This might be construed to permit, assuming relevant authorization in State legislation, the sharing of both health records and information concerning adults and children, since this broadly worded exception to HIPAA's privacy protections not only permits "reporting" but also appears to permit disclosure of public health-related case information on child maltreatment and child fatalities to those conducting activities related to "investigation" and "intervention" in such cases.

Although not generally thought of as public health related functions, investigative and intervention responses to child maltreatment clearly are public health matters, even if government social services or law enforcement agencies play the lead roles. Thus, disclosures of health information to multidisciplinary teams, children's advocacy centers, and child fatality review groups - about relevant children and adults - could fall within this exception to HIPAA privacy requirements.

Additionally, "reporting" of child maltreatment may not necessarily be limited to what the reporter says when calling in a report. In many states, reporting laws also require mandatory reporters to submit a written report and to answer questions concerning facts related to the matter that they reported.

(2) Section 164.502(g)(5) addresses situations where a "personal representative" of an individual entitled to HIPAA protections (e.g., a parent of a child patient) need not be provided access and control over the individual's records. Such situations exist when there is a "reasonable belief' that the individual "has been or may be subjected to domestic violence, abuse, or neglect by such person" or where treating that person as the personal representative "could endanger the individual." Before restricting such access and control, there must be a professional judgment that "it is not in the best interest of the individual to treat the person as the individual's personal representative." These are important provisions that can help keep a maltreated child's medical information out of the hands of an abusive parent.

(3) Section 164.512 addresses a range of situations where a patient's authorization or opportunity to agree or object to the release of information (i.e., the subject's consent) may not be required.

164.512(a) provides exceptions when uses and disclosures of information are "required by law."

164.512(b)(1) permits disclosure of information for "public health activities" which include prevention of injuries as well as disclosures to an "appropriate government authority authorized by law to receive reports of child abuse or neglect."

164.512(c) addresses information on victims, and permits disclosure of information (beyond mere reporting) about victims of child maltreatment or domestic violence, even if otherwise "protected health information," to appropriate government authorities only if

1) Such disclosure would be authorized or required by law or regulations, and

2) 2) Disclosure of information on the victim is considered necessary to prevent serious harm to them or to other potential victims; or

3) The victim consents to the disclosure.

When the victim cannot consent due to incapacity, the agency receiving the child maltreatment report must indicate that disclosed information is "not intended to be used against" the victim and that actions delaying interventions until the victim could consent to disclosure would "materially and adversely" affect those interventions. Moreover; victims must be orally notified of disclosures of information unless notice would place them at risk of serious harm or would be given to a person (e.g., the victim's parent) responsible for the abuse or neglect, and thus informing them would not be in the child victim's best interests.

(Note that the above three provisions in Section 164.512(c) address disclosure of information relating to the "victim" only, and not on the alleged "perpetrator" of abuse or any other adults or children.)

164.512(d) provides an exception for "health oversight activities." These do not cover situations where the individual about whom disclosures relate is the subject of an investigation or activity. It is not clear how this provision might be construed to affect access to health information by child protective services agencies, child fatality review teams, or others.

164.512(e) permits disclosures made pursuant to court or administrative orders, or by subpoena, discovery, or other legal process. It also requires that the individual receive notice and an opportunity to object to disclosure, and it provides for a "qualified protective order" process to restrict use of information to the litigation itself This exception could also be applied to court orders in the investigative stage of child maltreatment cases, as well as to court orders issued after a petition alleging child maltreatment has been filed.

164.512(f) provides an exception for inquiries made by law enforcement agencies. There are some limitations on what information can be released to police. When information is sought about child victims of crime, provisions for disclosure to police are similar to those in Section 164.512(c). Since child protective services agencies are not considered part of "law enforcement," this provision probably does not apply to those agencies.

164.512(g) provides an exception for disclosing information to coroners or medical examiners (and for entities that perform such duties). It is an important provision affecting access to information for determining whether a child has died as a result of abuse or neglect.

164.512(i) provides an exception for research purposes, which would include research related to child maltreatment cases. Disclosures for research purposes must be reviewed and approved by an institutional review or privacy board.

164.512(j) includes a broadly worded exception for disclosures "to avert a serious threat to health or safety." Covered entities may disclose information, consistent with legal and ethical standards, when necessary "to prevent or lessen a serious and imminent threat to the health or safety of a person or the public" when the disclosure is to those who can help prevent or lessen the threat. This is consistent with the "duty to warn" principal stated in Tarasoff v. Regents of the University of California, 551 P.2d 334 (1976).

This section also establishes or reinforces a type of "privileged communication" by providing that an admission by a person that they have committed a violent crime cannot be disclosed to law enforcement if the admission was made in the course of, or when seeking, treatment (or counseling or therapy) related to that person's "propensity to commit the criminal conduct that is the basis for the disclosure." It also establishes a presumption that those who make disclosures under this section are acting in good faith.

164.512(k)(5) includes exceptions for providing information necessary to the health and safety of individuals in correctional or law enforcement custodial settings (e.g., juvenile detention facilities). Given the penal system focus of this exception, it appears not to cover disclosures to those providing shelter care, group care, or foster care to abused and neglected children.

164.512(k)(6): this provides exceptions for health plans sharing information with government agencies administering public benefit programs (e.g., Title IV-E). This might facilitate access to information from health providers during the HHS Child and Family Services Review process.

Conclusion-Many Unanswered Questions and Challenges

What we know. While HIPAA provides broad protections from unauthorized disclosure of patient health information:

• HIPAA does not inhibit reporting of child abuse and neglect;

• HIPAA supports disclosures of health information for public health prevention, surveillance, investigation, and intervention activities;

• HIPAA provides protections for child victim health information, but disclosures can still be made with victim consent or where necessary to prevent serious harm to them or other potential child victims;

• HIPAA gives courts, law enforcement agencies, and those determining the cause of child deaths the ability to access relevant health information; and

• HIPAA protects child victim health information from being disclosed to parents or other adult representatives when disclosure would be contrary to the child's best interests.

What we don’t know. There are some apparent ambiguities and conflicts within HIPAA's privacy exception rules that will require clarification. Further, more questions are raised than answered about how these exceptions will be applied in practice, particularly in accessing information from health care providers about parents and other adult caretakers, as well as siblings of maltreated children. Hopefully, more guidance on exceptions related to child maltreatment cases may be forthcoming from the HHS Office of Civil Rights (see http://www.hhs.gov/ocr/hipaa/) through fact sheets, answers to frequently asked questions, or other materials.

Implementation tips. Training and educational materials will be needed for health care providers who are "covered entities" under HIPAA privacy rules about the sharing of information in child maltreatment cases. Judges and attorneys who handle child maltreatment proceedings will need to become aware of HIPAA privacy protections and their exceptions. Child welfare agencies will need to collaborate with health and mental health providers to minimize the adverse impact of HIPAA on accessing critical child safety-related patient records and other information, and staff will require some HIPAA training. Finally, state legislative changes may be necessary to meet provisions for disclosure contained in the HIPAA privacy regulations that require a state law authorizing or requiring sharing of information.

Howard Davidson is director of the American Bar Association's Center on Children and the Law, based in Washington, DC. Comments and questions on this description of HIPAA regulation provisions may be directed to him via e-mail at: davidsonha@staff.abanet.org