AbstractIn response to a case of an undocumented patient who was reported to immigration authorities, this commentary considers whether a patient’s immigration status should be deemed protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. A legal argument, supported by clinical data, is offered that immigration status should be regarded as PHI not subject to valid exception for release without patient authorization. This argument concludes that covered entities (eg, hospitals and health care professionals) are legally precluded under the HIPAA Privacy Rule from disclosing a patient’s immigration status.
ABC Hospital prided itself on providing comprehensive care to the community, which included a sizeable population of undocumented immigrants. Dr A, a neurosurgeon, was first on the agenda to speak at ABC’s monthly meeting. Everyone on the board had heard of the case about which Dr A was to speak, since it attracted local media attention. Dr A described a case in which MJ, an undocumented patient admitted to evaluate causes of his headaches and balance issues, was found to have a brain tumor, for which Dr A had secured charity funds to perform surgery. Immigration authorities had been searching for MJ, on whom a deportation order had been issued, and requested information from ABC. An ABC employee revealed MJ’s room number, clinical condition, surgery date, and date of expected discharge. Upon discharge, just outside the hospital, MJ was apprehended by immigration officials and taken to a local detention center. As it was Dr A’s view that disclosure of MJ’s information compromised MJ’s care and recovery, Dr A questioned whether members of the care team and the organization were obligated under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to protect MJ’s privacy and the confidentiality of MJ’s information, despite requests for information about MJ from immigration officials.
In recent years, clinicians and health care organizations have raised questions about how to regard a patient’s immigration status. Are they required to report the immigration status of patients if requested by immigration officials? Will they face a penalty if they do release a patient’s immigration status? These questions have become especially relevant in the current political climate in which immigration enforcement policies and practices have been stepped up, both in the government and in society at large. For example, in 2013 the Arizona State House introduced a bill that would have mandated health care organizations to verify a patient’s immigration status and report to federal immigration authorities or local law enforcement any patients for whom hospital admissions officers or representatives were unable to confirm legal presence within the United States.1,2 The bill never passed, but its mere introduction reflects the strength of some factions’ belief that clinicians and health care organizations should play a role in curbing undocumented immigration. Instances of reporting patients, as happened in 2015 at a Houston area hospital where an undocumented woman sought medical treatment,3 also raise questions about what role clinicians and health care organizations should play in immigration enforcement. Hospital officials noticed that the patient had a fake driver’s license and, suspecting that she was undocumented, called the local police and federal immigration authorities, who found a fake Social Security card in her possession after she was arrested. Instead of treatment, the patient was faced with possible deportation.4 The case highlighted concerns about what medical professionals are supposed to report to immigration authorities.
In light of questions and uncertainties health professionals face about how to regard and respond to a patient’s immigration status, this article offers a legal and clinically supported argument for the view that, under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, immigration status should be regarded as protected health information (PHI) with no valid exception for unauthorized release. As such, clinicians and health care organizations are not free to disclose a patient’s immigration status to government authorities or anyone else without liability or penalty.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Privacy Rule. The HIPAA Privacy Rule is a series of regulations enacted to help enforce HIPAA. A main goal of the Privacy Rule “is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”5 The Privacy Rule accomplishes this goal by requiring that PHI not be disclosed by a “covered entity” (ie, health plans, health care clearinghouses, providers, and clinicians) except as permitted under certain exceptions.5-7
Protected health information. By definition, the Privacy Rule protects individually identifiable health information, which is defined as follows:
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provisions of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.6
PHI is individually identifiable health information that is transmitted or maintained in “any form or media,” which includes such information that is maintained or transmitted electronically.6 Some exceptions to this definition include employment and educational records.6
Immigration Status as PHI
Determining whether a patient’s immigration status (as collected by a clinician) is PHI means asking whether such information is individually identifiable health information. The most relevant element of this definition is how the information in question “relates to the past, present, or future physical or mental health or condition of an individual.” Information’s relationship to health (in this case, the relationship of immigration status to health) is the most relevant element, as other parts of the definition of individually identifiable health information are not likely in contention; the patient’s immigration status will be received by the covered entity and this information can be used to identify the patient. Therefore, if the immigration status of a patient can be found to relate to the patient’s health condition, it will be deemed individually identifiable information and hence will be considered PHI subject to the Privacy Rule’s protections.
There is no case law directly addressing the question of whether immigration status constitutes PHI; indeed, there are few cases analyzing what constitutes PHI in any context.8,9 Stacey Tovino, noting this lack of substantive case law, recommends focusing on the US Department of Health and Human Services (HHS) guidance in order to understand what constitutes PHI.10 One guidance document on the Privacy Rule explains that, in assessing PHI, “the relationship with health information is fundamental” and “identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI.”11 The guidance also notes that aggregate or statistical information would not constitute PHI, as it does not sufficiently identify an individual.11 Relevant case law also reflects this guidance.8,9 Key to understanding whether information constitutes PHI is “the relationship with health information.”11
At first glance, it is not immediately obvious that a patient’s immigration status would relate to a health condition or that it would have some relationship with health. Immigration status on its face is information that is not clinical in nature like a patient’s blood-pressure, pharmaceutical history, family health history, or blood diagnostics, for example. However, clinicians might ask patients about their immigration status, specifically for health reasons. For example, a recent study on the health of Mexican undocumented immigrants in the United States found that a significant percentage (23%) of participants in the study had a mental disorder.12 The authors of the study explain:
Undocumented immigration to the United States often presents with multiple stressors and contextual challenges, which may increase risk for mental disorders. For instance, physical, verbal, psychological and sexual violence is widespread among undocumented immigrants. Also, common to the undocumented experience is discrimination, stigmatization, marginalization, isolation, fear of deportation, exploitability, victimization, living in unsafe neighborhoods, and socioeconomic disadvantage.12
Clinicians recognize this reality, and it is a clinically relevant reason to ask patients about their immigration status. The study just referenced suggests that undocumented status is a risk factor for mental disorders. Pursuant to the HHS guidelines on PHI, information about immigration status has a clear relationship to health. Therefore, immigration status—as information collected by the clinician—meets the definition of individually identifiable health information because it relates to the “past, present, or future physical or mental health or condition of an individual,” and thus should be legally, clinically, and ethically regarded as PHI.
Privacy Rule Exceptions
As PHI, a patient’s immigration status is protected by HIPAA and cannot be released for purposes other than treatment, payment, or hospital operations without the patient’s consent without incurring legal consequences. This means that clinicians and health care organizations may not release such status to any authority, including officials of the federal government; if they do, they face a penalty under HIPAA. Some disclosures for other purposes require patient authorization, such as disclosure of PHI for marketing purposes.13 Other exceptions allow release of PHI absent patient authorization; most of these exceptions are for public health activities or are applicable to specific situations, such as reporting domestic violence or complying with workers’ compensation laws.14 The “crime on premises” exception is often considered in scenarios in which a patient of undocumented status seeks treatment. This exception states that “a covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.”15 Applying this exception can be flawed, however, as the fact that a person with undocumented status seeks treatment does not, without additional facts, constitute a crime on the premises.16 Additionally, it should be noted that the language of the exception specifies that a covered entity may disclose PHI in cases of a crime on the premises, not that the entity is required to do so. Thus, even when a patient with undocumented status seeking treatment commits what is deemed a crime on the premises, a clinician or health care organization is not mandated to disclose PHI.
Regarding valid exceptions that allow disclosure of PHI, clinicians should continue to be vigilant, especially in the current political climate. For example, another exception to unauthorized release of PHI is for “disclosures required by law.”17 That is, if a law mandates disclosure of undocumented status, such as the Arizona Bill referenced earlier would have done,1 clinicians might be legally required to disclose and report a patient’s immigration status to federal immigration officials. Currently, however, unless a valid exception applies, clinicians and health care organizations may not release patients’ immigration status upon request or demand, as I have argued here that such information can be validly considered PHI.
Clinicians and health care organizations today may have questions about whether they are allowed or required to release a patient’s immigration status to federal or state governmental authorities. The simple answer is “no” because, as I’ve argued here, a patient’s immigration status can be considered PHI under the HIPAA Privacy Rule. Immigration status is sufficiently related to health that this information meets the Privacy Rule definition of individually identifiable health information and is therefore PHI. It is important for clinicians and health care organizations to understand that releasing a patient’s immigration status to authorities, without valid exception, is a HIPAA violation.
- HB 2293, 51st Leg, 1st Sess (Ariz 2013).
Levintova H. New Arizona bill wants hospitals policing immigration. Mother Jones. January 28, 2013. https://www.motherjones.com/politics/2013/01/arizona-bill-hospitals-immigration-smith. Accessed June 19, 2018.
Marcotte A. Woman arrested at OB-GYN’s office for being an undocumented immigrant. Slate. September 14, 2015. http://www.slate.com/blogs/xx_factor/2015/09/14/woman_arrested_at_ob_gyn_office_her_crime_being_an_undocumented_immigrant.html. Accessed June 19, 2018.
Barajas M. Woman arrested at gynecologist appointment could face deportation. Houston Press. September 11, 2015. https://www.houstonpress.com/news/woman-arrested-at-gynecologist-appointment-could-face-deportation-7754827. Accessed September 5, 2018.
Office for Civil Rights, US Department of Health and Human Services. Summary of the HIPAA Privacy Rule. https://www.hhs.gov/sites/default/files/privacysummary.pdf. Updated May 2003. Accessed June 19, 2018.
45 CFR §160.103 (2018).
45 CFR §164.502 (2018).
Abbott v Texas Dept Mental Health and Mental Retardation, 212 SW3d 648 (Tex App 2006).
State ex rel. Cincinnati Enquirer v Daniels, 844 NE2d 1181 (Ohio 2006).
Tovino SA. Teaching the HIPAA Privacy Rule. St Louis Univ Law J. 2017;61:469-493.
Office for Civil Rights, US Department of Health and Human Services. Guidance regarding methods for de-identification of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html. Published November 26, 2012. Accessed June 19, 2018.
- Garcini LM, Peña JM, Galvan T, Fagundes CP, Malcarne V, Klonoff EA. Mental disorders among undocumented Mexican immigrants in high-risk neighborhoods: prevalence, comorbidity, and vulnerabilities. J Counsult Clin Psych. 2017;85(10):927-936.
45 CFR §164.508 (2018).
45 CFR §164.512 (2018).
45 CFR §164.512(f)(5) (2018).
Sconyers J, Tate T. How should clinicians treat patients who might be undocumented? AMA J Ethics. 2016;18(3):229-236.
45 CFR §164.512(a) (2018).