
August 1, 2007
2007-R-0474
HIPAA AND HIRING
By: John Kasprak, Senior Attorney
You asked if the Health Insurance Portability and Accountability Act of 1996 (HIPAA) prevents a school system from inquiring whether a paraprofessional job applicant has a psychiatric history that might pose a threat to students' safety. (The Office of Legislative Research is not authorized to give legal opinions and this report should not be treated as such.)
SUMMARY
There is no simple answer to the question presented given the complexity of HIPAA and its various applications.
HIPAA's “Privacy Rule” sets national standards to protect the privacy of health information. “Covered entities” such as health care providers (such as physicians and hospitals), health plans (such as health insurers, HMOs, Medicare, and Medicaid), and health care clearinghouses have to follow the HIPAA rules. Others, such as employers, generally do not have to follow the HIPAA privacy rule as they are not covered entities. The HIPAA Privacy Rule protects individually identifiable health information (known as “protected health information” or “PHI”), by defining and limiting the circumstances under which an individual's PHI may be used or disclosed by covered entities.
It does appear that HIPAA's Privacy Rule would prohibit health care providers and plans from disclosing personal health information to employers without a patient's explicit, written authorization.
The HIPAA rules specifically address “psychotherapy notes” by requiring a covered entity to get an individual's authorization to use or disclose psychotherapy notes. There are a few exceptions to this, such as allowing the covered entity who originated the notes (e.g., mental health professional) to use them for treatment.
In the question raised, however, the individual apparently is not yet an employee, but a job applicant, so HIPAA's application may be uncertain. The federal Americans with Disabilities Act (ADA) apparently does not prohibit an employer from requiring applicants to undergo medical exams once a job offer is made, subject to certain standards and limitations. Also, Connecticut law currently requires local boards of education to conduct criminal history background checks of their workers.
HIPAA PRIVACY RULE
Background
HIPAA was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address a growing concern about privacy and the security of personal health data. The job of writing rules on privacy eventually was the responsibility of the federal Department of Health and Human Services (HHS). After several modifications, HHS issued the “HIPAA Privacy Rule,” which took effect on April 14, 2003 for most health care providers, health plans, and health care clearinghouses. Small plans had until April 14, 2004 to comply. This rule sets a national standard for accessing and handling medical information.
Before HIPAA, a person's right to privacy of health care information varied depending on the state in which the person lived. After the passage of HIPAA, “covered entities” (these are health care providers, health plans, and other health care services that operate in all states (“clearinghouses”)) have to abide by the minimum standards set by HIPAA. States are free to adopt laws providing more privacy, but cannot diminish the basic HIPAA rights.
Covered Entities
Not everyone involved in a person's health care is covered by HIPAA. As noted above, the HIPAA Privacy Rule pertains to three categories of “covered entities.” “Health care providers” are covered regardless of their size, if they electronically transmit health information in connection with certain transactions. This includes claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA “Transactions Rule.” The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care provider includes doctors, hospitals, staff involved in a patient's treatment, laboratories, pharmacists, dentists, and many others that provide medical, dental, and mental health care or treatment.
Individual and group plans (“health plans”) that provide or pay the cost of medical care are covered entities. This includes health insurance companies, HMOs, group health plans sponsored by employers, Medicare, Medicaid, and basically any other company or arrangement that pays for your health care. There are some exceptions. A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Certain types of insurance entities are also not health plans for covered entities purposes, such as entities providing only workers' compensation, automobile insurance, and property and casualty insurance.
The third type of covered entity, “health care clearinghouses,” are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content) or vice versa. An example is a billing service that takes information from a doctor and puts it into a standard coded form.
Protected Health Information
HIPAA's Privacy Rule covers any information about a person's past, present, or future mental or physical health including information about payment for care. To be covered by HIPAA, information has to be kept by a covered entity (health care provider, plan, or clearinghouse). This, combined with some fact that identifies the person (name, address, telephone number, Social Security number), is called “protected health information” (PHI). PHI can be oral, handwritten, or entered into a computer. This means, for example, that a conversation between a doctor and nurse about a patient's condition has the same general protections as information written on the person's records.
Permitted Uses and Disclosures of PHI
A covered entity may not use or disclose PHI except either (1) as the Privacy Rule permits or requires or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing. A covered entity must disclose PHI in only two situations: (1) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (2) to HHS when it is undertaking a compliance investigation or review or enforcement action.
A covered entity is permitted, but not required, to use and disclose PHI, without an individual's authorization, for the following purposes or situations:
1. to the individual;
2. treatment, payment, and health care operations;
3. opportunity to agree or object;
4. incident to an otherwise permitted use and disclosure;
5. public interest and benefit activities; and
6. limited data set for purposes of research, public health, or health care operations.
(For more information see HHS “Summary of the HIPAA Privacy Rule,” http://www.hhs.gov/ocr/privacysummary.pdf.)
Psychotherapy Notes. Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes (no. 2 above) require the individual's authorization. There are two exceptions:
1. the covered entity who originated the notes may use them for treatment and
2. a covered entity may use or disclose, without an individual's authorization, the psychotherapy notes, for its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity's compliance with the Privacy Rule, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the notes, for the lawful activities of a coroner or a medical examiner, or as required by law.
“Psychotherapy notes” means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. It excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date (see 45 Code of Federal Regulations § 164.501).
Serious Threat to Health and Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat; this falls under no. 5 above).
Employers
Employers are not covered entities under the HIPAA Privacy Rule. School district employers generally are not covered entities under HIPAA, so long as they do not create, maintain, or use PHI. To the extent that employers create, maintain or use summary health information for purposes of contracting with a health plan, and the information does not identify individual employees, the HIPAA privacy rules do not apply. Also, to the extent the employer employs or retains benefits professionals to assist employees with individual health claims, the employer must obtain an authorization form from the employee in order to receive health information. Any use of PHI by the employer must be limited to the minimum amount necessary to carry out health plan operations.
According to the Health Privacy Project at Georgetown University's Institute for Health Care Research and Policy, HIPAA's Privacy Rule prohibits health care providers and plans from disclosing PHI to employers without a patient's explicit, written authorization. A valid authorization under the law must include a description of the information to be shared, the name of the person allowed to use or disclose the information, an expiration date, and the individual's signature (see http://www.healthrivacy.org).
OTHER LAWS THAT MAY BE RELEVANT
Americans with Disabilities Act
The Federal Americans with Disabilities Act (ADA) prohibits employers from discriminating against those with “physical or mental impairments which substantially limit a major life activity” so long as their condition does not make them incapable of doing the job. Title I of the ADA prohibits employers from conducting medical examinations and making inquiries as to whether a job applicant has a disability at the pre-offer stage of the selection process. But once a job offer is made (“conditional offer”), employers may require applicants to undergo medical exams and condition the offer on the results of those exams if (1) all entering employees in the same job category are subjected to such an examination regardless of disability and (2) information obtained regarding the medical condition or history of the applicant is collected and maintained on separate forms and in separate medical files and is treated as a confidential medical record.
State Law-Requiring Background Checks
Connecticut law requires criminal history records checks for (1) anyone hired by a local board of education after July 1, 1994 and (2) any worker placed in a public school under a public assistance employment program who performs a service involving direct contact with students (CGS § 10-221d).
JK: ts