Does Mandated Reporting Violate HIPAA Privacy Rule?


Fear of violating a patient’s privacy and the HIPAA Privacy Rule is one of the barriers to reporting abuse or neglect for some healthcare professionals. Confidential relationships are part of connecting with patients and providing confidence in the therapeutic relationship. Yet, when a healthcare professional suspects their patient is being abused and state laws require them to report, uncertainty can result.

Find out how mandated reporting and HIPAA laws intersect and which one takes precedence when a healthcare professional suspects abuse or neglect.

Does Mandated Reporting Violate HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards to protect individuals' medical records and personal health information. It’s intended to protect individuals' privacy while still allowing the flow of information needed to provide quality health care and protect health and wellbeing.

When mandated reporters, such as healthcare workers, suspect abuse or neglect of a patient, they are legally required to make a report that could include the alleged victim’s personal health information.

Healthcare professionals who violate HIPAA can be held accountable with civil and criminal penalties for violating patient privacy rights.

Yet, mandated reporters can also be held accountable with criminal penalties, including fines and jail time, for failing to report suspected abuse.

It is easy to see why healthcare professionals could be uncertain about this issue.

Does mandated reporting violate HIPAA?

The U.S. Department of Health and Human Services (HHS) states that the HIPAA Privacy Rule permits healthcare providers to disclose reports of abuse or neglect to public health authorities or other appropriate authorities.

“There is no conflict between the State [mandated reporting] law and the Privacy Rule, and no preemption. Covered entities may report such information and be in compliance with both the State [reporting] law and the [HIPAA] Privacy Rule.” -

Understanding HIPAA vs. Mandated Reporting Laws

Healthcare professionals have an incredible number of responsibilities to patients and to state and federal laws. Two of these are their legal duties to safeguard patients' protected health information (HIPAA) and to protect vulnerable populations against abuse and neglect (mandated reporting).

Who Has to Follow HIPAA?

Congress has identified certain professionals who have to follow HIPAA guidelines. Known as “covered entities,” the professionals who have to follow HIPAA include:

  1. Healthcare providers who conduct financial and administrative transactions electronically (includes hospitals, clinics, and most physicians and health care practitioners)
  2. Health plans
  3. Health plan clearinghouses (an institution that electronically transmits different types of medical claims data to insurance carriers)

Does Law Enforcement Have to Follow HIPAA?

No, law enforcement does not have to follow HIPAA. The HIPAA Privacy Rule applies to the above-mentioned covered entities that hold individually identifiable health information, called protected health information or PHI.

HIPAA does not apply to:

  • Law enforcement
  • Many state agencies, such as Child Protective Services or Adult Protective Services
  • Employers
  • Schools and school districts

When Can HIPAA PHI be Revealed to Law Enforcement?

Covered entities may reveal HIPAA information to law enforcement in certain situations, such as with an individual’s signed HIPAA authorization.

There are situations in which a healthcare professional or other covered entity may provide HIPAA-protected information to law enforcement without the authorization of the patient, including:

  • To prevent or lessen the severity of an imminent threat to an individual or the public
  • As evidence of a crime that occurred on the covered entity premises (such as a hospital)
  • To alert law enforcement of death under suspicion of criminal conduct
  • To alert law enforcement of criminal activity
  • To report when required by law to do so (reporting gunshots or stab wounds)
  • To report suspected abuse as required by law (abuse or neglect of children, elderly, or dependent adults)
  • To comply with court orders
  • To respond to a law enforcement request for purposes of identifying or locating a suspect, fugitive, witness, or missing person

What Exactly Violates HIPAA?

Most HIPAA violations involve patient medical records. Some of the most common HIPAA violations include “snooping” on healthcare records, denying patients access to their medical records, or failing to dispose of PHI properly.

Of course, there are also plenty of real-life examples of penalties for “impermissible disclosure” of PHI, like the covered entities who impermissibly disclosed PHI on social media, in response to Yelp reviews, for marketing purposes, and to patients' employers without authorization. HIPAA violations like these can lead to penalties for the covered entities at fault.

When Can HIPAA Be Broken?

HIPAA defers to the judgment of covered entities when it comes to making determinations about the nature and severity of a threat that would warrant breaking the Privacy Rule.

If you believe that a patient’s health or safety is threatened or that the patient is a threat to the health and safety of an individual or the public, HIPAA allows for the disclosure of information to prevent or lessen that threat.

Disclosures that may prevent or lessen a threat of harm aren’t restricted to law enforcement, either.

HHS states: “Health care providers may disclose the necessary protected health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.”

What Information is Not Protected by HIPAA?

HIPAA is meant to protect personal health information, but there are exceptions to the Privacy Rule.

For example, health information in education records, such as a child’s visit to a school nurse, is subject to the Family Educational Rights and Privacy Act (FERPA) and is not considered protected health information under HIPAA.

Other scenarios when patient information may be shared without the patient’s authorization include:

  • Disclosing directory information (patient’s location and general health status) if a family member calls and identifies a patient by name in an emergency department
  • Disclosing PHI from one healthcare provider to another provider
  • Disclosing test results to a patient’s family member involved in their care
  • To report child abuse or neglect
  • To an organization responsible for providing workers' compensation benefits
  • To an individual exposed to or at risk of contracting a communicable disease

Who Are Mandated Reporters?

The Child Abuse Prevention and Treatment Act (CAPTA) provides Federal funding (grants) and guidance to States in support of prevention, assessment, investigation, prosecution, and treatment activities. Under CAPTA, states must have a statewide law or program that includes procedures for receiving, screening, and investigating reports of known or suspected child abuse and neglect.

These state-specific programs identify the people required by law to report suspected abuse. These people are known as mandated reporters.

In most states, mandated reporters are identified by profession. Those who work with children (or other vulnerable populations, such as elderly and dependent adults) are often designated as mandated reporters. This often includes medical professionals, law enforcement, teachers, and daycare providers, among others.

Medical Professionals in California are Mandated Reporters

California’s Child Abuse and Neglect Reporting Act (CANRA) was passed in 1980. CANRA provides definitions and procedures for mandated reporting of child abuse in CA.

California Penal Code section 11165.7 identifies medical professionals as mandated reporters in CA, including:

(21) A physician and surgeon, psychiatrist, psychologist, dentist, resident, intern, podiatrist, chiropractor, licensed nurse, dental hygienist, optometrist, marriage and family therapist, clinical social worker, professional clinical counselor, or any other person who is currently licensed under Division 2 (commencing with Section 500) of the Business and Professions Code.

(22) An emergency medical technician I or II, paramedic, or other person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

What Types of Abuse Must Be Reported Under CANRA?

CANRA requires mandated reporters to report known or reasonably suspected abuse or neglect of children under the age of 18.

Child abuse or neglect includes physical injury or death, sexual abuse or exploitation, neglect, the willful harming or injuring of a child or the endangering of the person or health of a child, and unlawful corporal punishment.

Additionally, any mandated reporter may, but is not required to, make a report if they reasonably suspect that a child is suffering—or is at substantial risk of suffering—serious emotional damage, evidenced by states of being or behavior, including, but not limited to, severe anxiety, depression, withdrawal, or untoward aggressive behavior toward self or others.

Are Mandated Reporters Protected Under CANRA?

CANRA protects mandated reporters. CANRA states that mandated reporters are immune from liability (civil or criminal) for reporting suspected or known child abuse or neglect.

CANRA also specifies that mandated reporters who gain a reasonable suspicion of abuse or neglect outside of their professional capacity (while not at their work location or outside of their working hours) are immune from liability.

The only time this immunity is waived is in the instance of intentional false reporting, that is, if it is proven that a false report was made and the reporter knew the report was false and made it in reckless disregard of the truth.

Can Mandated Reporters Report Anonymously?

CANRA allows for confidential, but not anonymous, reporting.

Mandated reporters in California must identify themselves to the county welfare office when they make a report.

CANRA protects the confidentiality of mandated reporters, limiting access to reports to authorized persons and agencies. Violation of the confidentiality of reports is a crime punishable by jail time, financial penalties, or both.

What Law Covers Elder Abuse Reporting in California?

While CANRA dictates a healthcare professional’s responsibilities in reporting child abuse, California’s Elder Abuse and Dependent Adult Civil Protection Act (EADACPA) identifies the mandated reporters of adult abuse. Under EADACPA, anyone providing health services or social services to an elderly or dependent adult is a mandated reporter of abuse or neglect.

This means that healthcare professionals are legally obligated by multiple laws to report suspected abuse of children, dependent adults, and elderly adults in the state of California.

CA Healthcare Professionals Can Report Abuse and Remain HIPAA Compliant

Healthcare professionals have state and federal laws that dictate their obligations to patient care. California state laws require healthcare professionals to report known and suspected instances of abuse or neglect of children, dependent adults, and elderly adults. Healthcare professionals can sometimes be uncertain about whether or not mandated reporting violates the HIPAA Privacy Rule, but need not be. HIPAA rules are clear that mandatory reporting of suspected abuse is a clear exception to, and not a violation of, the rules protecting health information.

To learn more about your obligations as a mandated reporter in California, the CA Department of Social Services has partnered with Simple to provide profession-specific training for mandated reporters at

Recognize the signs of abuse.