How can I obtain health information through HIPAA?

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains rules and policies designed to protect health information, described as the Privacy Rule.  The Privacy Rule is often problematic to many members of local CFR commmittees, in obtaining records for review.  The following information is provided to assist you in understanding the HIPAA Privacy Rule and how this law affects the work of child death investigation, review and reporting.

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others to have access to protected health information for public health purposes and the importance of public health reporting by covered entities to identify threats to the public and individuals.  Thus, the Privacy Rule permits covered entities to disclose protected health information without authorization for specific health purposes.  Covered entities may disclose protected health information to report known suspected child abuse or neglect, if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports.  Generally, covered entities are required reasonably to limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose.  However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursant to an individual's authorization or for disclosures that are required by other law.

CFR Committees are designated Public Health Authorities (see Appendix 7 of the Policy & Protocol Manual) and are therefore exempt from requiring parental notification and permission to obtain and review a deceased child's medical records.  In the case of unexpected infant deaths, the prenatal records are often required for reviews, which are also mother's medical records.  These documents are also exempt from the HIPAA requirements of notification and authorization.

Because CFR Committees are considered public health authorities:

  • Requests for medical information to health care facilities do not need to be in the form of a subpoena, and
  • No signed release of information is necessary from the deceased child's parents or guardians

Committees will submit their requests for a child's medical history in writing to the medical records department of the health care facility that treated the child.  If you experience difficulty obtaining medical records for your committee review, you many choose to subpoena for the records, with the assistance of your District Attorney, stating the public health authorization under the HIPAA Privacy Rule.  See Appendix 5 of the Policy & Protocol Manual for a copy of the CFR statement of HIPAA-designated authority.  If necessary, verification of requests by the committees can be obtained by contacting OCA staff. 

For more information about HIPAA - please visit the Department of Health & Human Services website.
The CFR Policy & Protocol Manual can be found under "Protocols & Resources" on the left of this page.