OLR Research Report


By: Katherine Dwyer, Associate Analyst

Brandon Seguro, Legislative Secretary


Describe the laws that limit the circumstances in which health care providers may release a patient's personal health information.


Personal health information is protected by both federal and state laws. The federal Health Insurance Portability and Accountability Act (HIPAA) provides the minimum level of protection; state laws may provide additional protection.

HIPAA's privacy rule establishes national standards to protect patients' medical records and other personal health information (which the rule calls "protected health information") (45 C.F.R. Parts 160 and 164, Subparts A and E). The privacy rule limits the use and disclosure of patients' personal health information by covered entities without their written authorization, and gives patients the right to obtain, examine, and copy their medical records and to request corrections.

HIPAA's security rule applies the protections of the privacy rule to electronic personal health information and requires covered entities to put in place appropriate administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of electronic health information (45 C.F.R. Parts 160 and 164, Subparts A and C).

Several Connecticut laws also address the privacy and disclosure of patients' personal health information. These include laws that (1) establish a bill of rights that assures confidential treatment of patients' personal and medical records and (2) prohibit the sale of personal health information. Connecticut law also allows the disclosure of personal health information to certain state agencies. For example, facilities and individuals under contract with the Department of Mental Health and Addiction Services (DMHAS) may disclose personal health information to the commissioner in certain circumstances.

A Connecticut resident whose HIPAA rights are violated may file a complaint with the federal Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services or with the state Attorney General's Office. OCR receives and investigates complaints against covered entities and may impose civil money penalties, and the state attorney general may file a civil action in federal court on behalf of state residents to enforce HIPAA protections (42 U.S.C. 1320d-5).


Covered Entities

HIPAA-covered entities include:

1. health plans (e.g., health insurance companies, Medicare, and Medicaid);

2. health care clearinghouses (e.g., a billing service, repricing company, or community health management information system); and

3. health care providers that conduct health care transactions electronically (e.g., most doctors, hospitals, nursing homes, pharmacies, and dentists).

HIPAA does not apply to life insurers, employers, workers' compensation carriers, most schools and school districts, many state agencies, most law enforcement agencies, and many municipal offices. Other federal and state laws may protect personal health information not protected by HIPAA. For example, while most schools and school districts are not HIPAA-covered entities, the federal Family Educational Rights and Privacy Act (FERPA) protects any personal health information contained in students' education records.

Permitted Disclosure of Personal Health Information

Separately from uses and disclosures for treatment, payment, and health care operations (45 C.F.R. 164.506), HIPAA allows covered entities to use or disclose personal health information without the patient's written authorization:

1. to certain public health authorities for public health activities;

2. to certain government authorities, including social service or protective service agencies, when the information relates to abuse, neglect, or domestic violence;

3. to health oversight agencies for audits; licensure or disciplinary actions; civil, administrative, or criminal investigations, proceedings, or actions; or other oversight activities;

4. in the course of any judicial or administrative proceeding, in response to a court or administrative tribunal order or, subject to conditions (such as satisfactory assurances that the patient was notified or that a protective order was sought), in response to a subpoena, discovery request, or other lawful process;

5. for certain law enforcement purposes;

6. for research purposes, with a waiver of authorization approved by an institutional review board or privacy board;

7. to avert a serious threat to health or safety;

8. for specialized government functions, including some military and veterans activities; and

9. for workers' compensation cases (45 C.F.R. 164.512).

The entities may also disclose a decedent's personal health information without written authorization (1) to coroners, medical examiners, and funeral directors and (2) for cadaveric organ, eye, or tissue donation purposes (45 C.F.R. 164.512(g), (h)).

A detailed summary of the HIPAA laws and regulations can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.


Privacy Protection

In addition to HIPAA, certain Connecticut laws also provide protection for personal health information. Examples include laws that:

1. prohibit persons from selling or offering to sell personal health information (CGS 38a-988a) and

2. prohibit the Department of Public Health (DPH) from publicly disclosing personally identifiable information about a patient in an institution, except in licensure proceedings (CGS 19a-499).

Another law establishes a bill of rights for individuals admitted to a nursing home, residential care home, or chronic disease hospital. This law (1) assures confidential treatment of patients' personal and medical records and (2) gives patients the right to approve or refuse the release of their records to any individual outside the facility, except in the case of a patient's transfer to another health care institution or as required by law or a third-party payment contract (CGS 19a-550(b)).

Permitted Disclosures of Personal Health Information

Connecticut law allows personal health information to be disclosed without a patient's consent to certain state agencies and other entities in certain circumstances. For example, the law permits any facility or individual under contract with DMHAS to provide personal health information and records to the DMHAS commissioner, upon the commissioner's request, for administration, planning, or research purposes (CGS 52-146h). In the case of disclosure to DMHAS, the law requires that identifying information be removed from all records and that a coding system be used to identify patients.

Additionally, the departments of Administrative Services, Emergency Services and Public Protection, and Social Services, and the U.S. Department of Health and Human Services may receive information on patients for the purposes of obtaining support and payments for patients' care, claiming federal reimbursement, or reviewing and auditing federally funded programs (CGS 17b-225). The law states that any information received by the departments must remain confidential and be used solely for the specified purposes.

The law also permits a provider to disclose mental health information without a patient's consent:

1. to another provider for treatment purposes,

2. in connection with a voluntary commitment,

3. in a civil proceeding in which the patient introduces his or her mental condition as an element of his or her claim or defense,

4. to certain agencies to collect service fees,

5. to the DPH commissioner for an institutional investigation, or

6. to the family member of a homicide victim if the patient was found not guilty of a crime by reason of insanity (CGS 52-146f).