Child Abuse, Confidentiality, and the Health Insurance Portability and Accountability Act

The overarching purpose of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Pub L No. 104–191) is to protect health insurance coverage for individuals who change or lose their jobs (Title I) and to establish national standards for electronic health care transactions that ensure the security and privacy of patient information (Title II). The latter goal required the US Department of Health and Human Services to establish such standards, which were enacted in April 2003. Title II also addresses the release of information about children and minors who are suspected victims of child abuse. Although HIPAA generally overrides state laws, HIPAA rules do not apply where the “provision of state law…provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation or intervention” (Section 160.203[c]) or where state laws are more stringent than HIPAA rules.¹  Pediatricians are responsible for updating their practice in concurrence with changing HIPAA statutes, such as Health Information Technology for Economic and Clinical Health (HITECH), which was signed into law in February 2009.

HIPAA regulations apply to “covered entities.” Covered entities include a health care professional (examples include “doctors, clinics, and psychologists”; see www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html) who documents and exchanges at least some patient information in electronic form (eg, via the Internet or an intranet), a health care clearinghouse that processes health care information from one format to another, and an individual or group health plan (eg, insurance plan) that provides or pays for medical care. A health care professional or a practice group that requests payment from a health care plan conducts electronic exchange of information and is, therefore, a covered entity. Covered entities cannot disclose certain patient information without written authorization from the patient or the patient's legal guardian unless exceptions are provided through HIPAA or state laws that override HIPAA.

Physicians who are employed by covered entities, including governmental organizations, but who work at a facility that may not be a covered entity, such as a children's advocacy center, may still be required to comply with HIPAA regulations. If there is a contract, such as a business associate agreement, between the physician's employer, a covered entity, and any other agency or facility, the physician is required to comply with HIPAA to the same extent as the covered entity is required to comply.

Information governed by the rules of HIPAA is called protected health information (also referred to as individually identifiable health information) and is defined as information, including demographic data, that relates to an individual's past, present, or future physical or mental health care; the provision of such health care; and the payment related to such health care.¹  A covered entity may disclose protected health information without patient or legal guardian authorization for the purposes of treatment, investigation, intervention, and public health–related functions. Treatment is defined as the provision, coordination, or management of health care and related services by a health care professional, including consultation between health care professionals regarding a patient.¹  Therefore, it is permissible under these exceptions to disclose protected health information to other health care professionals who care for, or consult on, the patient and to public health authorities without patient or parent authorization.

Public health authorities include appropriate government authorities who are authorized by law to receive reports of child abuse and neglect.¹  In most states, child protective services (CPS) and/or law enforcement agencies are designated to receive such reports.

Physicians who are covered entities are required to give their patients written notice of their privacy rights, and patients are expected to acknowledge receipt and understanding of these rights. Informing patients of their rights to have protected health information kept private (which only requires acknowledgment that they have received and understood the information) is distinct from obtaining authorization for disclosure of such information. An authorization for release of information that is not exempt by HIPAA is different from an informed consent to release information for treatment, payment, and health care operations, which are generally exempted by HIPAA.²  Authorization is written permission from the legal guardian to use or disclose the child's protected health information to another person, entity, health care professional, or agency for purposes other than those not exempted (eg, treatment, payment, and health care operations) by HIPAA rules or state law. Authorization may be required when a physician is asked to disclose or discuss a patient's protected health information in legal proceedings. Authorization must include:

1. a description of the information used or disclosed;

2. the person authorized to make the disclosure;

3. the person to whom the disclosure is made;

4. an expiration date;

5. the risk of redisclosure once protected health information is disclosed and no longer protected by HIPAA; and

6. the purpose for which the information is used or disclosed.

If information regarding substance abuse is involved, federal law requires additional statements in the authorization as well as the signature of a minor aged 16 years or older.

In general, HIPAA permits disclosure of information without legal guardian authorization in matters that affect the treatment of, and medical intervention for, the child and the intervention and investigation of matters that relate to abuse or neglect, public health, and safety. HIPAA also regulates release of information to the legal guardian of the child for situations in which such disclosure may jeopardize the safety of the child.

All states have laws that mandate reporting of suspected child abuse or neglect, and HIPAA rules allow disclosure of protected health information without legal guardian authorization under these circumstances. In general, if a pediatrician suspects abuse or neglect, as defined within state statutes, then he or she is obligated to disclose information to the appropriate investigative agencies, which in most states includes CPS and law enforcement agencies.

Section 164.512(f) places limitations on the information released to law enforcement but not to CPS agencies.¹  However, if a law enforcement agency is a designated authority by the state to receive and investigate child abuse reports, the pediatrician may disclose all protected health information important to the investigation without legal guardian authorization. In other circumstances, the physician may disclose protected health information to law enforcement without authorization if there is a probability of imminent physical injury to the patient, physician, or another person or if the child is missing and a law enforcement agency confirms it is investigating a missing person.

If the pediatrician is not the reporter, he or she is still able to disclose information about a child who is a suspected victim of abuse or neglect without parent authorization, but only if such disclosure (1) is permissible by state law “for the conduct of… investigation” (Section 10.203[c]), or (2) is deemed to be necessary to prevent serious harm to the child and other potential victims, and (3) is limited to the information relevant to the suspected abuse or neglect of the child (Section 164.512[c]).¹  The legal guardian of the child should be verbally notified of the disclosure unless informing him or her would place the child at risk of harm or would not be in the child's best interest.

HIPAA rules and state laws that govern release of protected health information pertain to treating physicians who are also covered entities. In addition, CPS agencies may contract with a child abuse pediatrician who does not treat the child but who may review medical and/or investigative records and photographs to provide an expert opinion. In these circumstances, written authorization from parents (who may retain custody of the child) to review such information is not needed, because CPS agencies (and, often, law enforcement agencies) are authorized by statute to investigate abuse and contract with an expert. However, the pediatrician would need parental authorization or a court order to provide such information to others outside the CPS agency, even when such parties have a copy of the physician's report or other protected health information of the patient.

HIPAA rules do permit disclosures “made pursuant to court or administrative orders or by subpoena, discovery, or other legal processes.”³  State laws that are more stringent than HIPAA may take precedence in these situations and may require a court order signed by a judge before disclosures of protected health information are made to attorneys or in court. State laws may also require the court to make a determination of relevancy before issuing a court order that allows the physician to disclose confidential information during testimony. When state laws do not override HIPAA, the physician is required to receive a written notice from the party sending the subpoena that the legal guardian of the child has been informed that the physician is going to disclose the child's information (Section 164.512e1iii).¹  Whenever a request or subpoena is received for release of medical records for the purpose of a child abuse investigation, the subpoena should be retained in the records and a description of the information provided, and the date of release should be documented.

Child fatality review teams usually comprise professionals from CPS, pediatrics, the medical examiner's office, emergency medical services (EMS), law enforcement, the district attorney's office, and children's advocacy centers, the duties of which are to review medical records and autopsy and investigation findings related to a child's death. The purpose is to exchange information, identify any trends, and identify preventable deaths, including those attributable to child abuse or neglect. Disclosure of a child's protected health information during child fatality reviews is a permissible HIPAA exception that relates to public health matters and surveillance. It is also permissible to disclose such information to multidisciplinary teams and organizations that review child abuse cases.

Although HIPAA regulations more clearly exempt disclosure of information about children who are suspected victims of abuse or neglect, exceptions regarding disclosure of medical and mental health information about the parents, caregivers, and siblings of the child are not as clearly defined or inclusive. For example, HIPAA specifies the type of information that a physician can release to law enforcement about a patient who may be an abuser, which includes distinguishing physical characteristics, blood type, name, and address. Because the pediatrician's patient is the child, any statements made by the parent to the pediatrician that relate to the child's health or injuries are considered part of the child's protected health information and can be disclosed to investigative agencies; this information may include intimate partner abuse, mental illness, admission to causing injury to the child, and explanations for the child's injuries.

When a pediatrician discloses verbal or written information to law enforcement about a child who is a suspected victim of abuse or neglect, this information may become public. For example, if a warrant is issued for a person's arrest related to an injury to a child, information about the child's injury and the source of the information may be contained in the warrant and accessed by the media. In addition, if a pediatrician testifies about the child's protected health information, this information is also accessible to the public. Although these disclosures of information by others are beyond the pediatrician's control, the pediatrician should release information only to the appropriate individuals involved in the treatment, intervention, or investigation of child abuse and provide accurate and verifiable information. The pediatrician should not speculate beyond the realm of his or her expertise or the facts of the case. Physicians are not permitted to release any information about a patient to the media.

When a parent brings his or her child to a pediatrician for care, pediatric offices are required to provide the parent with information regarding his or her rights to confidentiality and protection of the child's health data. Parents are requested to sign a form that indicates they have received and understand this information; in some cases, the parent is requested to sign consent to release the child's protected health information under the HIPAA exceptions for the purposes of treatment, payment for services, and health care oversight. The form is retained in the child's health record. In the case of suspected child abuse or neglect, the pediatrician must decide whether release of information to the parent or to a person that the parent designates could endanger the child. Section 164.502(g) (5) ¹  indicates that when there is a reasonable belief that the child “has been or may be subjected to domestic violence, abuse or neglect by [the parent or legal guardian]” or “it is not in the best interest of the [child] to treat the person as the [legal guardian],” then the pediatrician is not required to provide information or access or control of the child's protected health information to the legal guardian. The pediatrician, therefore, is not required to provide the child's information to a parent who could be a suspected abuser or to a parent who seems to be protective of a suspected abuser, because this would not be in the best interest of the child. If the pediatrician is unsure whether the parent is a suspected abuser or does not know the results of the investigation, then the pediatrician may wish to confirm with the investigative agencies whether it is safe to disclose information to the legal guardian.

Although HIPAA specifies that consent is voluntary for use and disclosure of information related to treatment, payment, and health care operations, a physician may wish to document when they do obtain consent, including whether the parent was informed verbally or in writing of the disclosure of information. Again, the parent should be informed of information disclosure only if the child's well-being and safety are not jeopardized by such.

The physician may receive requests for the protected health information of a child from individuals involved in the investigation of, or legal proceedings related to, suspected abuse or neglect. The physician or facility's custodian of records is responsible for ensuring that the release of such information is permissible without specific parent authorization, is provided in response to a court order or subpoena, and is disclosed confidentially only to the acceptable individuals or agencies. For example, if the information is transmitted via facsimile, the physician should take all reasonable steps to verify that the recipient is available to receive the information as it is transmitted.⁴  Whenever information is disclosed, the physician should document what was disclosed, how it was disclosed (verbally or in writing), and to whom the information was disclosed.

1. Pediatricians should become familiar with their state laws regarding disclosure of a child's protected health information when child abuse or neglect is reported or investigated and should know when HIPAA or state laws take precedence. Specifically, the pediatrician should know which agencies are authorized to receive and investigate child abuse reports and which laws govern release of protected health information after an investigation is completed. When HIPAA regulations were announced, attorneys general from each state were required to do a preemption analysis for their state; physicians may consult their state's attorney general's office for information on state laws and HIPAA. In addition, the American Academy of Pediatrics has developed a HIPAA toolkit for medical practices to facilitate implementation of HIPAA rules; a glossary of terms is included in this resource (http://practice.aap.org/hipaa.aspx).

2. When abuse or neglect is suspected, the pediatrician must report and may disclose a child's protected health information to the CPS (and/or law enforcement) agency without parent authorization. When child abuse has already been reported and is being investigated, it is permissible for the pediatrician to disclose information to the appropriate investigative agencies without parent notification or authorization.

3. When disclosures of protected health information are made, the pediatrician should attempt to inform the parent unless doing so could result in danger to the child. The pediatrician must recognize situations for which disclosure of information is necessary and obtaining authorization from the legal guardian may delay the child's treatment or jeopardize the child's safety. It is permissible for pediatricians to withhold the child's information from the parent if there is a possibility that the parent is the abuser or is protective of a suspected abuser.

4. HIPAA privacy rules apply to physicians of record. If a physician reviews records made by another health care professional to assist in the investigation of child abuse or neglect or to contribute to a child abuse case review related to public health matters or surveillance, it does not require authorization from the child's legal guardian.

Carole Jenny, MD, MBA, Chairperson

Cindy W. Christian, MD

James Crawford, MD

Emalee Flaherty, MD

Roberta A. Hibbard, MD

Rich Kaplan, MD

^*Nancy D. Kellogg, MD, Past Member

^*Deborah Hiser, JD

Janet Saul, PhD

Centers for Disease Control and Prevention

Tammy Piazza Hurley