July 11, 2013
Q.

Does the Health Insurance Portability and Accountability Act (HIPAA) limit the ability of medical professionals to report information to a facility related to sexual abuse of an inmate? Does HIPAA limit an agency’s ability to disclose medical information to a PREA auditor?

A.

No. The HIPAA regulations expressly allow medical providers to provide to a facility with lawful custody of an inmate any information necessary for (among other things) “[t]he health and safety of such individual or other inmates” or “[t]he administration and maintenance of the safety, security, and good order of the correctional institution.” 45 C.F.R. § 164.512(k)(5)(i).

Disclosures made pursuant to a PREA audit are also permissible under HIPAA pursuant to the regulatory exception for “health oversight activities.” 45 C.F.R. § 164.512(d). The HIPAA regulations allow disclosure to “a health oversight agency for oversight activities authorized by law, including audits,” where necessary for appropriate oversight of (among other things) “[e]ntities subject to government regulatory programs for which health information is necessary for determining compliance with program standards” or “[e]ntities subject to civil rights laws for which health information is necessary for determining compliance.” 45 C.F.R. § 164.512(d)(1). The HIPAA regulations define “health oversight agency” to include any person or entity operating under the authority of a public agency who is legally authorized “to oversee . . . government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.” 45 C.F.R. § 164.501. Because a PREA auditor qualifies as a health oversight agency, and the auditor’s work qualifies as a health oversight activity, HIPAA poses no bar to the disclosure of relevant information to the auditor. Although information may be disclosed to a certified PREA auditor, any public report or statement released by the PREA auditor must not include protected health information.

Standard
Categories
Auditing