Individual identifiers include but are not limited to: name, address, date of birth.

NOTE: HIPAA is a complex law governing the exchange of health information among health care practitioners, health insurers, and other health care business entities. The following summary is intended solely for the purpose of providing a general overview of the most relevant issues that arise when considering who may access the medical records of a child or a parent as these may relate to a juvenile court case.

Please refer to the statues and regulations for more information. These can be found on the website for the Department of Health and Human Services. "Standards for Privacy of Individually Identifiable Health Information," effective April 14, 2003, promulgated by the Department of Health and Human Services under the authority of HIPAA, Pub. L. No. 104-191 (1996) (under Administrative Simplification provisions). 45 C.F.R. Parts 160 and 164.
See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/introdution.html 

WHAT INFORMATION IS PROTECTED?

HIPAA protects the confidentiality of individually identifiable health information.1

Health information means any information, whether oral or recorded in any form or medium, that:

• is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and
• relates to the past, present or future physical or mental health condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.

Health care means care, services, or supplies related to the health of an individual. It includes, but is not limited to, the following:

• Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
• Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Individually identifiable means that the information identifies the individual or might be used to identify the individual. It includes many common identifiers such as name, address, birth date, SSN, etc.

NOTE: information may be de-identified by removing specified identifiers of the individual and of the individual's relatives, household members, and employers. De-identifed information is not protected.

While there are exceptions to the above, it is a safe assumption that any information concerning the physical or mental health of a child and his or her parents that is held by a health care provider is protected by HIPAA. However, there are two significant exceptions to HIPAA protection.

Schools:
HIPAA does not cover health information that is maintained by educational institutions, specifically:

• Education records covered by FERPA. See Education Records.
• Medical records maintained by a health care practitioner for the purpose of treating a student older than 18 years of age attending an postsecondary educational institution.

Information protected by other laws:
If another law, either federal or state, provides more protection in a given situation then that law governs the situation. Generally, another law will take priority over HIPAA if it prohibits or restricts what would be permitted under HIPAA, provides an individual greater rights of access, or provides greater privacy protection for the individual.2

A common example of another law providing greater protection than HIPAA is the federal law that protects records of substance abuse treatment. See Substance Abuse Treatment Records.

State laws that grant testimonial privileges to certain health care practitioners may also provide greater protection. See Privileged Communications.

Additionally, if specific information falls within an exception to HIPAA protection, it may still be protected by another federal or state law, such as a privilege statute or laws protecting court records.

HOW IS DISCLOSURE OF PROTECTED HEALTH INFORMATION AUTHORIZED BY THE INDIVIDUAL?

The principle presumption of HIPAA's privacy provisions is that the individual has control over all information concerning his or her health. The individual, or his or her personal representative, has access to all personal health care information, and may give consent to disclose that information to others.

Who qualifies as a personal representative?3
For adults and emancipated minors, a personal representative means any person who has legal authority to act on behalf of the individual in making decisions related to health care.

For unemancipated minors, it is a parent or guardian or other person acting in loco parentis under relevant law. However, The minor may be solely responsible for providing consent when

• the minor has legally consented to the health care, even if another person has also consented, and the minor has requested that the other person not be considered a personal representative;
• the minor is legally permitted to obtain the health care without the consent of a parent or guardian, and the minor, a court or another person has authorized it; or
• a parent, guardian, or person acting in loco parentis has agreed to allow the information to remain confidential between the provider and the minor.

If state law allows or prohibits the disclosure of information concerning an unemancipated minor to a parent, guardian or other person acting in loco parentis, then that law controls over HIPAA. See Medical Treatment of Minors.

A covered entity may elect not to release information to a personal representative if the covered entity has a reasonable belief that:

• the individual has been or may be subject to domestic violence, abuse, or neglect by the person,
• treating the person as the personal representative could endanger the individual, AND
• the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.

What must the consent form contain?
The consent form must contain the specifics of what information is to be disclosed, to whom, for how long, and for what purpose, so that only the minimum amount of information necessary to accomplish the purpose is disclosed. Any disclosures must be limited to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. It also must give notice to the individual that the information may be subject to redisclosure and not protected by HIPAA.4

WHEN CAN INFORMATION BE DISCLOSED WITHOUT CONSENT?

HIPAA has provisions for the disclosure of protected health information without the written consent of the individual when the public interest in sharing the information outweighs the individual's privacy interest. For these situations, disclosure is permitted, but not required. This section discusses the situations most likely to be relevant when a child is involved in a juvenile court proceeding.

Note that psychotherapy notes generally may not be disclosed without authorization.5

A health care provider can disclose personal health information without consent of the individual under the following circumstances.

By order of a court or administrative tribunal
HIPAA does not limit the authority of the court or administrative tribunal to require the disclosure of personal health information.6 The disclosure is limited to only that information expressly authorized by the order. Other state laws may, however, apply to protect the information from disclosure, especially state privilege laws. See Privilege Communications.

Non-court-ordered disclosures for judicial and administrative proceedings
Information may be disclosed in response to a subpoena, discovery request, or other lawful process under limited circumstances.7 It must be accompanied by �satisfactory assurance� that the party seeking the information has made either

• reasonable efforts to provide notice to the individual of the request. �Satisfactory assurances� in this context means a written statement and accompanying documentation demonstrating that:
  • the party has made a good faith attempt to provide written notice to the individual (if the person's location is unknown, that notice was mailed to last known address),
  • notice included sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal, and
  • the time to raise objections has elapsed, and no objections were filed, or all objections filed have been resolved and the disclosure is consistent with the resolution.
OR
• reasonable efforts to secure a qualified protective order. "Satisfactory assurances" in this context means that:
  • the parties to the dispute have agreed to a qualified protective order and presented it to the court or administrative tribunal, or
  • the party seeking the disclosure has requested a qualified protective order.

A qualified protective order means an order of the court or an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that 1) prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested, and 2) requires the return to the health care provider or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

Disclosures about victims of abuse, neglect or domestic violence to public agencies authorized by law to receive such reports
The health care provider must, in the exercise of professional judgment, believe that the disclosure is necessary to prevent serious harm to the individual or other potential victims. The disclosure must be required by state law and be limited to the relevant requirements of the law.8

If the individual cannot consent because of incapacity, disclosure may be made without consent. A law enforcement official or other public official must represent that the information is not intended to be used against the individual and an enforcement action that relies on the disclosure would be materially and adversely affected by delay.

The entity disclosing such information must notify the individual of the disclosure unless it believes, in the exercise of professional judgment, that informing the individual would place the individual at risk of serious harm, or, if the notification would go to a personal representative, that the entity believes that the personal representative is responsible for the abuse, neglect or other injury, and that informing that person would not be in the best interests of the individual as deemed in the exercise of professional judgment.

Reporting of certain types of injuries
Protected health information may be disclosed to law enforcement officials as required by law, such as laws that require certain types of injuries to be reported.9 The only laws in Connecticut that come under this category are:

• Injuries from firearms, General Statutes � 19a-490f.
• Burn injuries and injuries from fireworks, General Statutes � 19a-510a.

Legal process issued by law enforcement agencies
Protected health information may be disclosed in compliance with and as limited by relevant requirements of the following legal process:10

• a court order, warrant or subpoena or summons issued by judicial officer;
• a grand jury subpoena; or
• an administrative request, if the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope in light of the purpose for which the information is sought, and de-identified information could not be used.

In response to a law enforcement officer's request
Information may be disclosed to a law enforcement officer in the following situations:

• For the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, limited to name and address, date and place of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, if applicable, and a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos, but not information related to DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue not covered above.11
• In response to a law enforcement officer's request for information about an individual who is suspected of being a victim of crime, if the individual agrees to the disclosure, or if agreement is not possible because of the victim's incapacity, the law enforcement officer represents that such information is needed to determine whether a crime has occurred and is not intended to be used against the victim, and that immediate law enforcement activity depends upon the disclosure and would be materially and adversely affected by waiting, and the disclosure is in the best interests of the individual.12

When health care provider suspects criminal activity
If the health care provider has a suspicion that the death may have resulted from criminal activity, the provider may disclose health information about the decedent.13

If criminal conduct occurred on the premises of the entity and the provider believes in good faith that the health information constitutes evidence of the crime.14

While providing emergency medical care in response to a medical emergency, off the premises of the entity, the provider may disclose health information if necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or the victim(s), the identity, description, and location of the perpetrator. If the provider believes that the crime was the result of abuse, neglect, or domestic violence, then those provisions apply.15

Consistent with law and standards of ethical conduct, health information may be disclosed if the provider believes in good faith that the disclosure is necessary for law enforcement authorities to identify or apprehend an individual, either because of a statement by the individual admitting participation in a violent crime that the provider believes may have caused serious physical harm to the victim, or where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.16

To protect public health, safety and welfare
If the health care provider believes in good faith that the disclosure of protected health information is necessary to protect public health, safety and welfare, disclosure may be made to any entity that may reasonably be able to prevent or lessen the threat.17

What is considered an individual identifier?

What are identifiers for HIPAA?

Which of the following types of data includes information that identifies an individual?

Which of the following are examples of personally identifiable information?