Melissa M. Goldstein explains in Health Information Privacy and Health Information Technology in the U.S. Correctional Setting that, “According to the National Commission on Correctional Health Care, discussions of patient information and clinical encounters should be conducted in private and ‘carried out in a manner designed to encourage the patient’s subsequent use of health services’ to protect patients’ dignity and ‘foster necessary and candid conversation between patient and health care professional.’”
She further explained that, “The commission refers to the ethical obligations of healthcare practitioners stating that local, state, or federal laws may allow certain exceptions to the obligations of health care professionals to maintain confidentiality; health services staff should inform inmates at the beginning of the health care encounter when these circumstances apply.”
Likewise, the American Public Health Association states that “prisoner-patients should be provided the same privacy of healthcare information as patients in the community,”
As Alexander L. Bednar notes in "HIPAA's Impact on Prisoners' Rights to Healthcare," "Under the final HIPAA Privacy rule, identifiable health information pertaining to 'inmates' has been deemed 'protected health information,' called 'PHI.' Although excepted in the preliminary rule, the final Privacy Rule protects inmates' PHI."
In the landmark case of Estelle v. Gamble, the Supreme Court held that deliberate indifference to serious medical needs of prisoners is "cruel and unusual punishment" forbidden by the Eighth Amendment. This decision created a constitutional foundation for prisoners' right to adequate healthcare.
However, the constitutional right to healthcare doesn't automatically translate to the same privacy protections enjoyed by non-incarcerated individuals. Prisoners' privacy rights exist in a modified form, shaped by:
HIPAA directly refers to correctional facilities in its rules. Section 45 CFR § 164.512(k)(5) of HIPAA permits covered entities to disclose PHI to law enforcement agencies or correctional facilities with lawful custody of an inmate for specific purposes:
Melissa M. Goldstein explains that, "The initial proposed version of the HIPAA Privacy Rule excluded inmates' health information from the definition of 'protected health information' (PHI) and therefore from HIPAA's protection, because 'unimpeded sharing of inmate identifiable health information is crucial for correctional and detention facility operations.' In response, the US Department of Health and Human Services received public comments to the proposed regulation arguing that the exclusion sent the message that abuses do not matter for this population. Commenters argued that inmates do have a right to privacy in their health information and that information obtained in these settings can be misused. For example, if used indiscriminately, health information could trigger assaults within correctional facilities on individuals with stigmatized conditions. Upon release, disclosures could impair individuals' reintegration into society and subject them to discrimination. The drafters of the final regulation promulgated pursuant to the statute were persuaded and eliminated the exception."
Many correctional facilities operate in a complicated regulatory environment because they may function as "hybrid entities" under HIPAA. A hybrid entity has some components that are covered entities (like a prison medical department) and some that are not (like security operations).
This creates practical issues in managing information:
For example, if an inmate has a seizure disorder, medical staff are covered by HIPAA when handling this information, but sharing relevant details with security staff to prevent placement in situations that could trigger seizures may be permitted under the correctional institution exception.
Melissa M. Goldstein explains this concept by stating that, "Within a jail system, inmates' health information may originate from or reside in many locations, including booking notes (e.g., infectious or chronic disease status), sick-call triage systems, physician notes, and other departments such as housing and work details (e.g., mobility or injury status). Such information might reside in the system regardless of an institution's status as a covered entity and therefore might not be protected by HIPAA. The determination of whether any particular correctional institution is a covered entity can be difficult and requires careful analysis of the institution's operations. In general, an institution's status will likely depend on whether it qualifies as a health care provider (i.e., if it 'furnishes, bills, or is paid for health care in the normal course of business') that transmits health information in electronic form in connection with certain transactions specified by the Privacy Rule."
Learn more: What is a hybrid entity under HIPAA?
When individuals enter correctional facilities, they tend to undergo medical screening. These screenings gather sensitive information about physical and mental health conditions, medications, drug use history, and infectious diseases.
While this information is undoubtedly valuable to providing proper care, concerns are raised about:
Courts generally held that such sharing of information in a lawful manner for operational and security reasons is allowable, but indiscriminate disclosure for no good reason would likely violate privacy rights.
Dispensing drugs within prison facilities typically occurs in semi-public areas. Inmates may wait in line to receive drugs and, as such, expose data about their health conditions to other individuals. Courts have generally balanced the administrative reality of institutional dispensation of drugs against privacy concerns, acknowledging that incidental exposure will occur.
For instance, in Payne v. Taslimi, the Fourth Circuit Court of Appeals ruled that an inmate did not have a reasonable expectation of privacy over his HIV status when a physician made a remark about his medications within hearing distance of other people in a prison medical unit. The court reasoned that, due to the environment within a prison medical unit, expectations of privacy were lower. This case shows the judicial precedent that, in prison settings, the issues of institutional security and operational efficiency come before individual privacy concerns in medicating.
Mental health information is afforded greater protection under both HIPAA and federal regulations such as 42 CFR Part 2, which governs substance use disorder records. In correctional settings, confidentiality of this information is especially important because the stigma associated with mental health issues can expose inmates to discrimination or abuse.
However, security concerns sometimes necessitate the sharing of mental health information, especially when an inmate presents a suicide risk or poses a danger to others. Courts generally uphold the need for disclosure in these situations while still requiring reasonable efforts to protect privacy.
Despite these exceptions, legal barriers exist when it comes to disclosing substance use disorder records in correctional settings. As Melissa M. Goldstein explains in, "The Confidentiality of Alcohol and Drug Abuse Patient Records laws (Part 2) do not contain disclosure provisions specific to correctional institutions, custodial situations, or law enforcement, so law enforcement officers and correctional institutions likely would require patient consent or court orders to obtain information from a Part 2 program unless an exception applies. Disclosure from a correctional facility covered by Part 2 most likely requires patient consent or a court order as well."
This distinction means that while mental health information can be revealed under specific security exceptions, substance use disorder records generally require patient consent or court approval. The complexity of such regulations demonstrates the ongoing challenge of reconciling inherent privacy and institutional security.
The COVID-19 pandemic accelerated the adoption of telehealth in correctional settings. These remote consultations raise additional privacy concerns:
HIPAA's Security Rule requires appropriate safeguards for electronic PHI, which applies to these telehealth interactions, though the correctional exception still permits necessary security monitoring.
Despite the growing role of telehealth, the use of health information technology (HIT) in correctional settings remains limited. Melissa M. Goldstein explains in Health Information Privacy and Health Information Technology in the U.S. Correctional Setting: "One recent study showed a range of technological sophistication among prison facilities, with rare use of EHRs. Furthermore, there is very little electronic exchange of health information within correctional systems or between systems and community providers. There are signs that EHR use is increasing, however, including reported adoption by the Federal Bureau of Prisons, the Texas Department of Criminal Justice, and the Georgia Department of Corrections, among others. There also appears to be growing interest among government leaders at all levels in the potential of health information technology to help bridge the divide between jails and their communities."
Under HIPAA's correctional exception, the facilities typically are not obligated to seek inmate consent to release health information when releasing it is necessary for reasons of health, safety, security, custody, or rehabilitation. While some facilities still obtain consent forms from inmates, these are actually more notices than true opportunities to control information.
Access to the PHI of a person is restricted as well. While the inmates have access to viewing their medical records, copies are withheld in certain circumstances. As Bednar explains, "A prison hospital may deny an inmate's request to obtain a copy of his/her PHI if obtaining the copy of PHI would jeopardize the 'health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of any officer, employee or to the person at the correctional institution or responsible for the transporting of the inmate.'" However, he notes that there's an important distinction: "The purpose for this exception, 'and the reason that the exception is limited to denying an inmate a copy [of PHI] and not to denying a right to inspect, is to give correctional institutions the ability to maintain order in these facilities and among inmates without denying an inmate the right to review his or her protected health information.'"
Federal prisons are regulated by Bureau of Prisons policies, which includes provisions regarding health information privacy. State and local facilities vary in policy, creating inconsistent levels of protection throughout the correctional system. Private correctional facilities may have unique policies, but they typically are required to abide by minimum standards set by contracting government agencies.
Facilities accredited by organizations like the National Commission on Correctional Health Care (NCCHC) or the American Correctional Association (ACA) must meet specific standards for health information management, often providing greater privacy protections than non-accredited facilities.
Prisoners have privacy protections, but these are modified by correctional-specific regulations and institutional needs, not as extensive as those enjoyed by the general public.
Yes, prison officials may access medical information when it is necessary for security, operational needs, or when ensuring the safety and well-being of the inmate and others.
HIPAA applies to correctional facilities, protecting prisoners' health information, but allows disclosures to correctional authorities for specific purposes like safety and healthcare delivery
Inmates generally cannot control the release of their health information for security or operational reasons, although they have the right to review their records in most cases.
Yes, federal, state, and local facilities may have different policies regarding health information privacy, and accreditation status can impact the level of protection offered.