D. Comply with Privacy Laws

This section describes a few strategies to comply with health privacy laws and ethical principles, maximizing the impact of justice-health information sharing initiatives and minimizing potential risks.

Get Consent

Information sharing is always legal with a person’s valid consent. Obtaining a person’s knowing, voluntary, and informed consent to share his or her clinical information is also a good practice that can help ensure compliance with ethical obligations. The consent process provides an opportunity for health and justice professionals to ensure that their clients and patients have personal control over health decisions by describing who has access to their health information and what they are going to use it for. Federal and state laws define substantive and procedural requirements of a valid consent to share personal health information (for example,  see Subpart C of 42 CFR, Part 2).

Click here for a discussion of the use of informed consent in the age of advancing health information technology.

Uniform Consent Forms: 

Uniform consent forms provide a way for networks of treatment providers and justice entities to legally share health information in order to deliver comprehensive care. Providing coordinated care for people as they move between justice settings and the community typically requires communication between multiple providers working in different locations, organizations, and disciplines. Agencies and stakeholders can work together to develop uniform consent forms to facilitate more efficient, cross-boundary information sharing. These forms typically list all of the participating agencies, the reasons for sharing information, and allow consumers to check  off which entities listed on the form can access their personal health information.

Examples of uniform consent forms:

These jurisdictions’ consent forms are used to permit information sharing and care coordination among multiple agencies.

  1. Washington State Department of Corrections: Consent for the Release of Confidential Mental Health And Alcohol and Substance Use Treatment
  2. Connecticut Department of Correction: Authorization to Obtain and/or Disclose Protected Health Information
  3. Seattle Veteran Treatment Court Release of Information
  4. Idaho: Multi-Part Authorization for Release of Information


Develop a Privacy Policy

By describing procedures to ensure that personal information is protected and only accessed by authorized users at appropriate times, privacy policies help ensure that the storage, transmission, and use of data complies with relevant legal and ethical requirements and guard against unauthorized use of personal information. For guidance on creating a privacy policy, see the following resources:

Data Segmentation

Data segmentation can help ensure compliance with privacy regulations. It is a technology that limits what type of information can be viewed in a person’s medical record based on a password or user identification. For example, segmentation can be used to allow entities directly involved in treatment to share diagnostic and clinical information, while restricting others with administrative roles to the minimum amount of information necessary. Segmentation can also allow the patient to play an active role in determining which portions of his or her record can be shared with different providers and agencies within an information-sharing network.

Click here to read more about the role of data segmentation in protecting privacy in electronic health information exchange.

Consider Legislation

State legislation can be used to authorize information sharing between criminal justice and health systems for pre-defined purposes. For example, several states have passed laws that enhance the ability of agencies to coordinate services for people who use multiple providers within the public mental health system.

Illinois: Illinois has twice modified its Mental Health and Developmental Disabilities Administrative Act in order to increase information sharing between the health and justice systems. Public Act 91-0536 and Public Act 094-0182 enable information sharing between the state prison and jail system and the Department of Mental Health (DMH) without informed consent in certain situations. For example, correctional facilities are able to send their rosters electronically to DMH to access information on treatment history, assess treatment options, and inform discharge planning.

Minnesota:  Minnesota enacted a state law, Section 13.468, to permit county welfare, human services, corrections, public health, and veterans service units to exchange information on “whether an individual or family is currently being served… without the consent of the subject of the data.” The law limits such information to a person’s identity, contact information, and the names of county agencies that have provided services to the person.