The Justice and Health Connect Toolkit provides a framework for planning, implementing and sustaining interagency collaboration between justice and health systems. The toolkit is organized into four modules, describing the steps to setting up information sharing initiatives. While the toolkit is presented in a linear format, we encourage you to explore the different sections as your information sharing initiative evolves and progresses based on your interests and needs.
Wherever possible, the toolkit references real-world examples of jurisdictions that have adopted effective approaches to address information sharing challenges, accessible summaries of the research literature, and examples of best practices. In this way, the toolkit provides a different way of accessing information included in the resource library. If you still cannot find what you are looking for or have feedback on the toolkit, contact the Justice and Health Connect Team.
The communication of personal health information within and between justice and health systems is regulated by a combination of federal and state laws and ethical standards. These privacy laws and regulations are designed to protect patient autonomy, confidentiality, doctor-patient trust, and human dignity. Information that may indicate someone’s mental health, substance use, or HIV status is subject to more stringent protection, because people facing these health challenges may experience social marginalization or other forms of stigma if it is revealed.
Although privacy laws may seem cumbersome and complicated, they do not create insurmountable barriers to information sharing. In many instances, the inability of health and justice systems to communicate and coordinate services is far more damaging than the potential risks related to misuse or accidental exposure of confidential health information.
This module provides an overview of the laws, regulations, and ethical standards that protect the privacy of personal health information. It includes links to resources that provide more detail on the relevant laws and regulations and presents ways to structure information sharing initiatives to maximize access to treatment while complying with federal and state laws.
The two key federal privacy regulations that relate to health information are 42 CFR, Part 2 and the Health Insurance Portability and Accountability Act (HIPAA). These two sets of rules apply nationally and set the floor for privacy protection for health information. In addition to understanding federal laws, you will need to consult state and local laws governing the health, mental health, and substance use information in the jurisdiction where you are working, as these laws apply if they are more stringent than the federal regulations.
What is the purpose of 42 CFR Part 2?
42 CFR, Part 2 (commonly referred to as “Part 2”) is part of the implementing regulations of The Federal Confidentiality of Alcohol and Drug Abuse Patient Records Law. Part 2 protects the confidentiality of people who seek or obtain treatment for substance use, requiring individual consent to share health records related to drug or alcohol treatment in most cases. The purpose of Part 2 is to assure consumers that any information that could identify them as someone seeking or receiving treatment for substance use will be kept private. This confidentiality is necessary to promote a level of trust between treatment providers and their clients, to ensure that patients feel secure in seeking treatment, and to shield them from negative consequences that can occur if substance use status is disclosed.
You need to be sure that any disclosure of information about a person’s substance use treatment needs complies with the requirements of Part 2 and is consistent with the regulation’s core values.
THE BASICS OF 42 CFR, PART 2
- Requires specific consent: With certain conditions and exceptions, Part 2 prohibits the disclosure and use of substance use treatment records without a person’s specific consent. It is stricter than HIPAA in that it does not have an explicit treatment exception that allows care providers to share information without consent when the purpose is to coordinate treatment.
- Applies to most providers: Part 2 applies to substance use treatment programs that receive any form of federal assistance (for instance, grant funding, Medicaid).
- Applies to identifiable information: These regulations apply broadly to any information that can be used to identify an individual as someone seeking or receiving care for substance use.
- Has limited exceptions to consent requirement: Part 2 defines limited circumstances where disclosures can be made without consent, including medical emergencies, research, and audits or evaluations.
- Sets a floor: Similar to HIPAA, Part 2 sets a federal privacy floor, meaning it preempts state laws that are less protective of substance use information privacy but preserves provisions of state law that are more stringent. For a more detailed summary of the requirements of 42 CFR, Part 2 and how it applies to the criminal justice system click here.
What is the purpose of HIPAA?
HIPAA aims to improve the delivery of healthcare by setting standards for the transmission of personal health information. The regulations strike a balance between individual privacy and the need for medical professionals, treatment providers, and others to exchange information on the treatment needs of their patients and clients.
Misconceptions about HIPAA
HIPAA is not an insurmountable barrier to justice-health information sharing. However, a general lack of understanding of the requirements of HIPAA and fear of violating privacy regulations can act as obstacles to effective interagency collaboration. The following two resources debunk many of the misconceptions about HIPAA that prevent agencies from sharing information and working together.
The Basics of HIPAA
HIPAA has two main components. The Privacy Rule governs all health information regardless of how it is stored or transmitted. It is the most relevant to answering such questions as when consent is required before sharing information. The Security Rule only applies to electronic health information, describing a series of standards and policies designed to ensure information security.
Click here for a summary of the Privacy Rule relevant to criminal justice agencies.
The Privacy Rule
- Protects all individually identifiable, personal health information: The Privacy Rule sets national standards for the privacy and security of personal health information (PHI) that is created, maintained, or used by a covered entity or its business associates.
- Often requires authorization prior to release of health information: HIPAA’s Privacy Rule defines when covered entities or business associates must obtain informed consent (“authorization”) before they can release health information.
- Defines exceptions to authorization requirements: The Privacy Rule allows covered entities to share health information without an individual’s consent in a number of situations, including: to coordinate treatment or payment for treatment, to conduct public health activities, to comply with a judicial order, to assist a limited set of law enforcement investigations, and to prevent a serious threat to health or safety.
- Psychotherapy notes: To protect the patient-clinician relationship, HIPAA’s exception that allows sharing information to coordinate treatment does not apply to psychotherapy notes.
- Creates a privacy floor: This means that state law will apply where it is more stringent than HIPAA. For a more detailed explanation of the Privacy Rule, click here.
The Security Rule
- Applies to electronically shared information: Establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form (“electronic protected health information,” or e-PHI). If your information exchange involves electronic transmission of health information, you will also need to consult the Security Rule.
- Safeguarding electronic health information: The Security Rule requires covered entities to put in place various administrative, physical, and technical safeguards when transmitting e-PHI. For example, it requires them to perform a risk analysis to assess risks of disclosure and document the process in place for securing this information. It also requires them to implement technical policies and procedures that ensure only authorized persons have access to e-PHI.
- Creates a privacy floor: This means that state law will apply where it is more stringent than HIPAA. For a more detailed summary of the Security Rule, click here.
In addition to federal provisions, a significant body of state law governs the privacy of health information. Most states have specific laws governing mental health records, HIV status, and substance use information. These laws are typically more stringent than their federal counterparts, such as HIPAA. Given the amount of state-specific variation in privacy laws, it is important to consult local legal experts with knowledge of privacy laws in the jurisdiction where you are working to determine how these laws affect your ability to share information.
The Relationship between Federal and State Privacy Laws:
HIPAA and Part 2 set privacy floors. This means that federal law does not supersede state law when state health privacy law provisions impose more stringent requirements, standards, or implementation specifications. In many instances, state law governing mental health records will be more restrictive than HIPAA. State laws governing substance-use information frequently mirror or explicitly codify Part 2.
It is beyond the current scope of this toolkit to provide a comprehensive summary of state medical privacy laws. Click A Quick Guide to State Laws on Sensitive Health Information to read a short summary on state laws that apply to mental health, substance use, and HIV.
Click on these Additional Resources:
Privacy of Criminal Justice Information:
In addition to privacy of health information, it is also important to recognize that information about a person’s involvement in the criminal justice system is also sensitive and protected by law. Only certain information is considered public information. Disclosure of involvement with the criminal justice system can affect many facets of a person’s life, including employment, education, and housing. It can also influence a healthcare provider’s willingness to provide care. It is imperative to factor in the consequences of disclosing criminal justice information when designing an information sharing initiative.
- Compendium of State Privacy and Security Legislation (2002): The Bureau of Justice Statistics (BJS) provides an overview of State legislation governing the privacy, security, maintenance, and dissemination of criminal history records.
- Click here to read the Legal Action Center report on the challenges disclosure of criminal records can create for people reintegrating into the community from prison.
Healthcare professionals and criminal justice practitioners have ethical obligations to preserve the privacy, safety and well-being of the people they serve. Even in situations where they can legally share health information, practitioners must often decide whether sharing information is in their clients’ best interest: could disclosure of health- or justice-related information have negative, unintended consequences? Medical professionals have an ethical obligation to “do no harm” to their clients, also known as “non-maleficence.” Even when authorized and carefully managed, release of sensitive health information about a person’s mental illness, substance use problem, or criminal justice involvement can negatively affect employment, housing, insurance coverage, custodial rights, and right to receive disability benefits, and lead to social stigmatization.
A common ethical dilemma for clinicians when considering whether to share information with justice agencies is the concern that releasing health information could negatively influence the outcome of an ongoing criminal or civil case, lead to more restrictive conditions being placed on their patient, or damage the clinician-patient relationship.
While privacy laws and regulations are designed to minimize these potential risks, agencies engaged in information sharing should adhere to professional standards and ethical principles in addition to complying with relevant privacy regulations. Below is a summary of ethical principles that can be applied to justice-health information sharing.
The Fair Information Principles are universally recognized standards that cover the collection, use, storage, and dissemination of personal information. They are embedded in laws that govern the privacy of health information and provide a good starting point when setting the parameters for an information sharing initiative. They are helpful principles to guide information sharing initiatives that involve complicated ethical considerations.
- Explicitly define the purpose for sharing information and make sure that all subsequent use of that information is consistent with that defined purpose.
- Review how personal information is collected to make sure that you have legal authority, and to ensure that safeguards are in place to prevent unauthorized compilation of personal data.
- Adopt a process that ensures any information shared is accurate and up to date.
- Limit the use and disclosure of information to the purpose articulated in the purpose specification.
- Conduct a risk assessment and develop a method to protect against unauthorized access or misuse of information.
- Inform the individual and public how information is collected, maintained, and shared.
- Describe policies and legal rights for individuals to access and amend their personal information.
- Instill a formal process to monitor compliance with all of the fair information principles.
There is a range of professional standards to protect sensitive health information. These include professional codes of conduct, clinician licensing statutes, and ethical guidelines for disciplines such as medicine and public health that apply to clinicians working in both criminal justice and community settings. Moreover, some standards specifically address the ethical dilemmas involved in providing health services in jails, prisons, and other criminal justice settings.
The National Commission on Correctional Health Care (NCCHC): NCCHC represents a number of major national organizations in the fields of health, law, and corrections with the joint mission of “improving the quality of health care in jails, prisons and juvenile confinement facilities.” NCCHC provides explicit standards relevant to information sharing, including the management and confidentiality of health records, access to custody information, and the use of informed consents. For further information on NCCHC standards, click here.
The American Bar Association, Standards on Treatment of Prisoners:
The American Bar Association has also established ethical principles for professionals providing and overseeing health services for incarcerated populations.
Part VI addresses Health Care. A few provisions relevant to the ethics of justice-health information sharing include:
Patient autonomy is the ethical principle underlying a person’s right to make informed choices about his or her care. It is important that information sharing initiatives aim to maximize the ability of patients to participate in decision making about their healthcare.
Maximizing Patient Autonomy in Justice-Involved Populations
Dr. Emily Wang and Dr. Shira Shavit, in collaboration with the San Francisco Department of Health and the Southeast Health Center, established The Transitions Clinic Network (TCN), an innovative clinical model that establishes community-based medical homes for people with chronic diseases returning home from prison.
Patient autonomy and an understanding of the ethical and cultural challenges associated with providing treatment in correctional settings are at the core of the TCN model’s proven success. To maximize engagement with services in the community following release, TCN staff ensure patient confidentiality, foster trust, and empower people to participate in their own healthcare.
By fostering trust and engaging people in their own care, TCN’s approach has significantly improved health outcomes and reduced costly emergency room visits for this population following release from prison. Click here for a study demonstrating improved outcomes for those using TCN.
This section describes a few strategies to comply with health privacy laws and ethical principles, maximizing the impact of justice-health information sharing initiatives and minimizing potential risks.
Information sharing is always legal with a person’s valid consent. Obtaining a person’s knowing, voluntary, and informed consent to share his or her clinical information is also a good practice that can help ensure compliance with ethical obligations. The consent process provides an opportunity for health and justice professionals to ensure that their clients and patients have personal control over health decisions by describing who has access to their health information and what they are going to use it for. Federal and state laws define substantive and procedural requirements of a valid consent to share personal health information (for example, see Subpart C of 42 CFR, Part 2).
Click here for a discussion of the use of informed consent in the age of advancing health information technology.
Uniform consent forms provide a way for networks of treatment providers and justice entities to legally share health information in order to deliver comprehensive care. Providing coordinated care for people as they move between justice settings and the community typically requires communication between multiple providers working in different locations, organizations, and disciplines. Agencies and stakeholders can work together to develop uniform consent forms to facilitate more efficient, cross-boundary information sharing. These forms typically list all of the participating agencies, the reasons for sharing information, and allow consumers to check off which entities listed on the form can access their personal health information.
Examples of uniform consent forms:
These jurisdictions’ consent forms are used to permit information sharing and care coordination among multiple agencies.
- Washington State Department of Corrections: Consent for the Release of Confidential Mental Health And Alcohol and Substance Use Treatment
- Connecticut Department of Correction: Authorization to Obtain and/or Disclose Protected Health Information
- Seattle Veteran Treatment Court Release of Information
- Idaho: Multi-Part Authorization for Release of Information
Data segmentation can help ensure compliance with privacy regulations. It is a technology that limits what type of information can be viewed in a person’s medical record based on a password or user identification. For example, segmentation can be used to allow entities directly involved in treatment to share diagnostic and clinical information, while restricting others with administrative roles to the minimum amount of information necessary. Segmentation can also allow the patient to play an active role in determining which portions of his or her record can be shared with different providers and agencies within an information-sharing network.
Click here to read more about the role of data segmentation in protecting privacy in electronic health information exchange.
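The segmentation approach described above can be pictured as a filter applied each time a record is opened. The sketch below is an added illustration, not part of the toolkit or of any agency's system: the category labels, role names, agency names, and the access policy itself are assumptions chosen to mirror the rules summarized in this module (substance use treatment records and psychotherapy notes are released only with the patient's consent for the receiving agency, administrative roles see the minimum, and anything unlabelled is withheld).

```python
from dataclasses import dataclass, field

# Segment categories (labels assumed for this example).
DEMOGRAPHIC = "demographic"
GENERAL_CLINICAL = "general_clinical"
SUBSTANCE_USE = "substance_use_treatment"    # records covered by Part 2
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"

# What each role may see without patient consent (assumed policy).
ROLE_BASELINE = {
    "treating_clinician": {DEMOGRAPHIC, GENERAL_CLINICAL},
    "administrative": {DEMOGRAPHIC},         # minimum necessary
}
# Categories released only on the patient's consent for the receiving agency.
CONSENT_ONLY = {SUBSTANCE_USE, PSYCHOTHERAPY_NOTES}
KNOWN = {DEMOGRAPHIC, GENERAL_CLINICAL} | CONSENT_ONLY

@dataclass(frozen=True)
class User:
    user_id: str
    agency: str
    role: str

@dataclass
class Record:
    patient_id: str
    segments: list                                # (category, text) pairs
    consents: dict = field(default_factory=dict)  # agency -> consented categories

def view_record(record, user):
    """Return (visible segments, withheld categories) for this user."""
    baseline = ROLE_BASELINE.get(user.role, set())   # unknown role sees nothing
    consented = record.consents.get(user.agency, set())
    visible, withheld = [], []
    for category, text in record.segments:
        if category not in KNOWN:
            allowed = False                          # fail closed on unlabelled data
        elif category in CONSENT_ONLY:
            # Consent names the agency; only treating staff there get the content.
            allowed = category in consented and user.role == "treating_clinician"
        else:
            allowed = category in baseline
        if allowed:
            visible.append((category, text))
        else:
            withheld.append(category)
    return visible, withheld

# Constructed sample record: the patient has consented to share substance use
# treatment information with one community clinic only.
SAMPLE = Record(
    patient_id="P-0001",
    segments=[
        (DEMOGRAPHIC, "name, date of birth, contact details"),
        (GENERAL_CLINICAL, "hypertension; current medication list"),
        (SUBSTANCE_USE, "enrolled in outpatient treatment program"),
        (PSYCHOTHERAPY_NOTES, "clinician session notes"),
        ("uncategorized", "scanned attachment with no label"),
    ],
    consents={"community_clinic": {SUBSTANCE_USE}},
)

def visible_categories(record, user):
    """Convenience wrapper: just the category names the user can see."""
    return [category for category, _ in view_record(record, user)[0]]
```

Returning the withheld categories alongside the visible segments lets the system log each suppression, which supports the monitoring and compliance reviews that the Fair Information Principles call for.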
State legislation can be used to authorize information sharing between criminal justice and health systems for pre-defined purposes. For example, several states have passed laws that enhance the ability of agencies to coordinate services for people who use multiple providers within the public mental health system.
Illinois: Illinois has twice modified its Mental Health and Developmental Disabilities Administrative Act in order to increase information sharing between the health and justice systems. Public Act 91-0536 and Public Act 094-0182 enable information sharing between the state prison and jail system and the Department of Mental Health (DMH) without informed consent in certain situations. For example, correctional facilities are able to send their rosters electronically to DMH to access information on treatment history, assess treatment options, and inform discharge planning.
Minnesota: Minnesota enacted a state law, Section 13.468, to permit county welfare, human services, corrections, public health, and veterans service units to exchange information on “whether an individual or family is currently being served… without the consent of the subject of the data.” The law limits such information to a person’s identity, contact information, and the names of county agencies that have provided services to the person.