In 2004, the Government Accountability Office ("GAO") issued a report concerning the prevalence of registered sex offenders living in long-term care facilities. While each state has adopted its own approach to sex offender notification and identification, long-term care facilities are in a unique position and face complex questions when a resident has been identified as a convicted sex offender. Such questions include whether a facility can disseminate information about an offender's convictions to staff members or other residents, or whether disclosing this information violates the HIPAA Privacy Rule. Ensuring the confidentiality of protected health information ("PHI") and averting serious consequences that could result from indiscriminate disclosure of such information while protecting the safety of all residents are among the most challenging issues confronting health care providers today.
PHI is defined as "individually identifiable health information ("IIHI") that is (1) transmitted by electronic media; (2) maintained in any medium described in the definition of electronic media; or (3) transmitted or maintained in any other form or medium." 45 CFR § 160.103. IIHI is defined as health information that is collected, created, or received by a health care provider, health plan, employer, or health care clearinghouse that pertains to the physical or mental health or condition of an individual or the provision of health care to that individual. Id. While some argue that information regarding a resident's status as a convicted sex offender is not PHI due to the fact that such information is made public through sex offender registries, the definitions of PHI and IIHI do not contain an exception allowing disclosure of publicly-available information. Regardless of the source of the information-be it from a sex offender registry, from law enforcement officials, or from the patient or resident directly-individually identifiable health information must be protected.
When faced with a resident or patient who is a convicted sex offender, health care providers should consider the following:
- HIPAA contains a narrow exception that enables the use or disclosure of PHI when such use or disclosure is "necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public" and is to "a person or persons reasonably able to prevent or lessen the threat, including the target. If a health care facility believes in good faith that a patient or resident poses a serious or imminent threat that can be lessened or averted by informing others of the patient's criminal history, staff members may be informed of the resident's status. However, staff members should be reminded that such information is PHI and cannot be disclosed to third parties absent patient consent, a court order, or another applicable HIPAA exception.
- Appropriate steps must be taken to protect the safety of other residents or patients, as well as staff members and visitors. Facilities should adopt a written policy that is communicated to all employees, outlining the types of behavior that will not be tolerated and that must immediately be reported to facility management. Any complaint of sexual harassment should be investigated as soon as the complaint is received, and appropriate action should be taken. Actions may include reporting the activity to law enforcement officials and, if necessary, discharging the resident or patient.
- Failure to implement policies and procedures to protect the safety of staff, residents, and visitors may subject the facility to liability.
While HIPAA imposes a duty on health care providers to protect the information that a resident or patient is a convicted sex offender, health care providers also owe a duty to other residents, staff members, and visitors to protect them from a known risk of harm. Facilities should take the necessary steps to protect others from potential harm.