Point-of-Service Information Sharing Between Criminal Justice and Behavioral Health Partners: Addressing Common Misconceptions

Petrila suggested that rather than beginning efforts to share information by turning immediately to a specific situation (a common temptation for stakeholders starting to create information sharing arrangements), communities should first develop clear goals for information sharing and a framework to guide that effort. For example, instead of deciding whether or not a particular mental health clinician can tell a local law enforcement agency about a patient’s medicines in any given situation, first decide why information sharing is needed between the two entities in the first place.

Communities should seek to answer four important questions to guide their data-sharing efforts:

1. Why do you want to share information?
2. What type of information do you want to share?
3. With whom do you want to share the information?
4. Who decides if you will get to share it?

Once the framework for information sharing is established, it may be formalized into Business Associate Agreements (BAAs) or other types of agreements that create governance structures and rules for information sharing and use.

For additional information about Business Associate Agreements, consult the following resources: sample agreement provisions from the U.S. Department of Health & Human Services, or a sample agreement from the Camden Coalition of Healthcare Providers.

Why do you want to share information?

Partners need to be clear about why they want to share the information. Does the group want to collect individually identifiable information and use this information for point-of-service decision making by law enforcement or clinical staff? Does the group want to link people detained in the jail to existing case managers in the community? While this may seem like a simple process, many stakeholders fail to explore these questions. Furthermore, there may be restrictions on access by partners who are non-covered entities, so understanding the purpose of information sharing with non-covered entities is critical to establishing a legal and effective information-sharing system.

What type of information do you want to share?

The next step is to determine what type of information is needed to support point-of-service actions and decision-making.  Stakeholders should try to specify exactly what information is needed and for what purpose, as conversations between partners may founder when the request is vague or broad (for example, simply asking for “health information”).

With whom do you want to share the information?

Partners should clarify with whom the information will be shared. Sharing information with law enforcement, a hospital or a researcher each require different considerations and agreements. Petrila explained that it is important to remember that HIPAA was designed to help agencies share information—the “P” in HIPAA stands for “portability.” All entities covered by HIPAA can share information among themselves. It is when a covered entity wants to share with a non-covered entity that special agreements are needed.

What are considered covered entities?

Who decides if you will get to share it?

People providing their personal information make the first decision regarding the sharing and use of identified protected health information. One strategy found effective in increasing information sharing is to have a standardized universal Release of Information form consented to by an individual that allows named agencies to access the provided information. Only one agency has to obtain the signed waiver, which then facilitates quick and useful information sharing with the other named entities.

To determine who can share information, stakeholders should also address questions about governance in their agreements in order to safeguard the information sharing effort and, where identifiers are used, ensure that privacy is protected. For example, the following questions may arise:

• What if a party that was not part of the original agreement wishes to access information?
• What if a party to the agreement wishes to use information for a purpose not specified in the original agreement?
• What if a party wishes to withdraw from the agreement?

Stakeholders should think deeply about the governance structure and should address questions that may arise through their legal agreements.

As noted above, information sharing with non-covered entities will require an information sharing agreement. The type of agreement depends on the information and the circumstances in which the information will be shared. In the case of protected health information covered by HIPAA, agreements may include BAAs, Data Use Agreements (DAUs), contracts, or other forms of agreements. The type of agreement required also depends on the intended use. For example, whether a BAA is appropriate depends on the type of work the prospective business associate is providing the covered entity.

What is Considered a Business Associate

By law, the HIPAA Privacy Rule applies only to covered entities—health plans, health care clearinghouses and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.

 The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse and will help the covered entity comply with some of their duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions. The business associate should not obtain information for independent use or purposes, except as needed for the proper management and administration of the business associate.

Types of business associates may include the following:

• Corrections
• Court services
• District court
• Human services – outreach and housing
• Law enforcement
• Fire department (if they do not bill for services)

For more information on business associates, visit the U.S. Department of Health and Human Services webpage on Business Associates.

For more information on drafting BAAs, visit the U.S. Department of Health and Human Services webpage on Business Associate Contracts. 

The Sequential Intercept Model (SIM) shows the progression of how people move through the criminal justice system. As people come into contact with the various intercept points, information about the person is collected and often retained; it may be of interest to other parties making decisions about the person. As a result, the SIM can be used to shape conversations about information sharing. At each point along the model, the following questions can be considered: What types of information are collected and which might enhance the decisions made? Who provides the information? Who might object to sharing the information? Who may want it at a later stage? For what purposes might the information be used? The extent to which information follows a person through the justice system can be a determining factor in the continuity of care provided to people with mental and substance use disorders.

• Watch the entirety of John Petrila’s presentation
• HIPAA FAQs for Professionals, from the U.S. Department of Health and Human Services
• HIPAA Disclosures for Law Enforcement Purposes, from the U.S. Department of Health and Human Services
• Information Sharing in Criminal Justice–Mental Health Collaborations: Working with HIPAA and Other Privacy Laws
• HIPAA Requirements and Florida Law: Disclosures of PHI for Law Enforcement Purposes
• HPIAA Privacy Rule and Sharing Information Related to Mental Health, from the U.S. Department of Health and Human Services Office for Civil Rights
• Legal Agreements and Supporting Documents from Actionable Intelligence for Social Policy