It’s HIPAA not HIPPA—The Health Information Portability and Accountability Act protects patients from the unauthorized disclosure of protected health information (PHI). HIPAA is synonymous with health care, and rightfully so, because it regulates traditionally health care covered entities and their business associates.
Law enforcement is not a covered entity under HIPAA because they do not offer health care services to patients nor do they transmit PHI for health-related transactions. As a result, police officers, correction officers, and their respective agencies do not have an obligation to limit the disclosure of PHI. An obvious gap in HIPAA arises: who is responsible for protecting health care privacy against the unauthorized disclosure of PHI in an era where law enforcement’s use of body-worn cameras is strongly advocated across the nation? But before answering this question, here are some HIPAA basics.
What Is PHI?
PHI is individually identifiable health information that relates to the health care, condition, or payment of an individual and can reasonably be used to identify an individual.
Who Does HIPAA Regulate?
HIPAA only regulates traditionally covered entities: health care plans, health care clearinghouses, and health care providers that transmit PHI for certain transactions. Examples of covered entities include: hospitals, medical clinics, physicians and other health care practitioners.
HIPAA also regulates business associates who are hired by covered entities to perform services that involves access to PHI. Business associates can provide, among other things, legal services, accounting services, and claims processing for a covered entity.
Medical facilities have a legal obligation to prevent the unauthorized disclosure of PHI under HIPAA. This obligation is tested in several situations involving law enforcement. For example, a criminal suspect or a victim receives treatment at a hospital and law enforcement is present attempting to interview them during an investigation; or law enforcement enters a hospital with their body-worn cameras recording and films patients in common hospital areas; or when correctional officers transfer inmates-patients to a medical clinic within a jail or prison and body-worn cameras record the inmate-patients while discussing or receiving medical treatment. Regardless of the situation, the onus is on the medical facility to ensure that law enforcement does not gain unauthorized access to PHI.
Medical facilities are faced with a difficult task from a practical perspective. Does hospital staff make initial contact with every law enforcement officer who enters the hospital to ensure their body-worn camera is turned off? What if law enforcement is in active pursuit of a criminal suspect? Preventing the unauthorized disclosure of PHI is further complicated when footage that captured medical treatment or random patients inside a hospital is available through a public record request.
In the interest of patient privacy, some states have enacted legislation prohibiting body-worn camera recordings of medical treatment and/or exempting any footage containing medical treatment from a public record request. However, many more states have either adopted ambiguous laws or have failed to enacted laws all together. Most state privacy laws do not regulate body-worn cameras. HIPAA could fill these gaps, but it does not.
Until there is federal legislation enacted to fill HIPAA’s gap regarding body-worn cameras inside medical facilities, local law enforcement agencies and medical facilities must rely on mutual cooperation and self-regulation to protect patient privacy.
Although law enforcement does not have an obligation to limit the disclosure of PHI, at least one police department has recognized the gap in HIPAA regarding body-worn cameras in medical facilities. This police department adopted a department procedure that regulates, among other things, the use of body-worn cameras within medical facilities and jails.
Specifically, this police department’s procedure acknowledges the importance of patients’ right to privacy within medical facilities, and strives to avoid recording those other than the suspect. Body-worn camera recordings are prohibited during: clinical interviews, medical treatments, and generally while inside a medical facility unless responding to a report involving a suspect or taking a suspect’s statement. What is also noteworthy about this department’s procedure is that body-worn cameras should not record while inside jail facilities. This last regulation protects an inmate-patient’s privacy when transferred to a medical facility within a county jail.
HIPAA continues to be a tool the federal government uses to regulate the unauthorized disclosure of PHI. HIPAA is only a legislative floor and states have historically used it as a guideline when enacting legislation to fill gaps in HIPAA. The use of body-worn cameras within medical facilities continues to be unknown legislative territory because only some states have enacted legislation regarding body-worn cameras. Even then, state laws are often ambiguous.
When there is no applicable federal or state law on point, one local police department took the initiative (despite being under no obligation under HIPAA to prevent the disclosure of PHI) and addressed the gap in HIPAA by implementing a department procedure regulating the use of body-worn camera recordings within medical facilities. This local agency’s procedure supports the premise that self-regulation and mutual cooperation by health care providers and law enforcement through department policies is currently the only available solution. Self-regulation currently fills the gaps in HIPAA and state laws regarding the use of body-worn cameras within medical facilities.