Frequently Asked Questions

This section provides an overview on questions that commonly come up concerning confidentiality releases, U.S. Federal Laws on confidentiality, record retention and deletion, mandatory reporting, the use of surveillance cameras, answering subpoenas and much more. For ease, this section is set up in an easy-to-read question and answer format.

HIPPA & VAWA Confidentiality

Is our domestic violence or sexual assault victim advocacy agency required to follow HIPAA?

Generally not. U.S. HIPAA regulations apply to "covered entities", which are heath plans, health care clearinghouses, and health care providers. Domestic violence and sexual assault agencies rarely fall into one of those three categories. If you want to determine whether your agency is a covered entity, answer the series of questions on the U.S. HHS website, which is: http://www.cms.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf. If you are a covered entity, you will be required to follow the specific HIPAA regulations, so you should seek help from an attorney in your community who specializes in health care law to be sure you are complying with HIPAA requirements.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law originally enacted in 1996 with extensive security and privacy regulations, which guides how medical providers must handle patients’ protected health information in the context of payment for services. HIPAA set out a national minimum standard for privacy of health information; state standards may provide more protections. HIPAA applies to medical records maintained by health care providers, health plans, and health clearinghouses, and to the maintenance and transmission of those records. The extent of the privacy protection for an individual's medical information can depend on where the records are located and the purpose for which the information was compiled, and whether insurance payment is requested for a given medical procedure or service. See 45 CFR §§ 164.501 to 164.534.

What is the HIPAA privacy rule?

The HIPAA privacy rule creates a minimum standard for protection of private, protected health information, regardless how that information is maintained (i.e., on paper or electronically)(45 CFR § 164.520), and describes permitted uses and disclosures, and when consent for disclosure is and is not required. See 45 CFR §§164.506 to 164.514.

Which is the most protective: HIPAA, VAWA, or my state law?

As between HIPAA and VAWA, both are protective of personal information, but VAWA is generally seen as more protective, and having fewer exceptions to confidentiality. State laws can vary, and may be more or less protective than either HIPAA or VAWA. In any event, advocacy programs should follow the most protective confidentiality law that applies to them.

What are some exceptions to HIPAA confidentiality?

HIPAA permits certain limited disclosures of protected health when there is a risk of domestic violence, even in some circumstances where the patient does not consent to the disclosure. 45 CFR § 164.512. The HIPAA privacy rule provides for a permitted disclosure of protected health information about an individual whom the provider reasonably believes to be a victim of abuse, neglect or domestic violence. 45 CFR §164.512. When a provider makes a permitted disclosure, the provider is required to notify the individual of the disclosure unless informing the individual of the disclosure would place the individual at risk of serious harm. See 45 CFR §164.512(c). Victims of domestic violence who seek medical help are at grave risk if the fact that they sought help is revealed. Although HIPAA permits disclosure of protected health information of a victim of domestic violence without her consent in certain, limited circumstances, it does not require it, and advocacy agencies can help medical providers understand that they should rarely, if ever, share a victim's protected health information with government authorities unless absolutely required to do so.

We've been hearing a lot of information about electronic health records. What does that mean for victims and confidentiality?

HIPAA sets out specific security standards for electronically maintained health information. See 45 CFR § 164.302 to § 164.318 (minimum requirements for administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and requirements for policies and procedures and documentation of electronically maintained protected health information). Victim advocacy programs should be aware of what the HIPAA regulations specifically require so that victim information can be as protected as possible.

We've provided substance abuse and mental health services up until now, and now we have a VAWA grant. How can we be sure that we are complying with VAWA?

Generally, both VAWA and HIPAA protect private information. Your agency can comply with VAWA confidentiality provisions by never releasing any personally identifying information without an informed, written, reasonably time‐limited release from an individual, unless, you are subject to a specific state‐law mandated reporting obligation (such as child abuse or neglect reporting) or a court order. Our model Client Limited Release of Information Form is available in English and Spanish.

What if the abuser wants access to a child's medical records under HIPAA?

Under federal HIPAA regulations, the personal representative of a minor normally acts on behalf of a minor vis a vis medical records. This means the personal representative (usually the parent) has a right to control access to the minor's health and mental health records. However, health care providers may refuse to treat a parent as a personal representative (and thus refuse to provide the parent with access to the minor's medical records) if the providers have a "reasonable belief" that: (a) The minor has been or may be subjected to domestic violence, abuse or neglect by the parent, guardian or other giving consent; or (b) Treating such person as the personal representative could endanger the minor; and the provider, in the exercise of professional judgment, decides that it is not in the best interest of the minor to give the parent, guardian or other such representative access. 45 C.F.R. § 164.502(g)(5). Victim advocacy agencies can provide training to medical providers on how to make this type of assessment more safely and accurately.