HIPAA permits sharing information as required by the ICJ, including through the UNITY System.
Pursuant to Commission Rule 9-101(3), the Interstate Commission’s Executive Committee has requested an advisory opinion.
Effective May 19, 2021, the Interstate Commission adopted a new nationwide electronic information system, known as UNITY or the Uniform Nationwide Interstate Tracking for Youth system. As part of the transition, the Commission retired resources focused on JIDS (the previous electronic information system), including Advisory Opinion 01-2014 regarding HIPAA and JIDS. Since HIPAA remains an important topic, the Executive Committee requested a new advisory opinion to address the following questions:
- Does HIPAA permit member states to share information regarding juveniles and their families when necessary for transfers of supervision of adjudicated delinquents, returns (including non-delinquent runaways), and travel permits pursuant to the Interstate Compact for Juveniles (ICJ) and the ICJ Rules?
- Does HIPAA permit states to share information through Commission’s UNITY system?
Article I of the ICJ describes the authority and purposes of the Compact and, in relevant part, states:
". . . The compacting states also recognize that Congress, by enacting the Crime Control Act, 4 U.S.C. §112 has authorized and encouraged compacts for cooperative efforts and mutual assistance in the prevention of crime.
It is the purpose of this compact, through means of joint and cooperative action among the compact states to: (A) ensure that the adjudicated juveniles and status offenders subject to this compact are provided adequate supervision and services in the receiving state as ordered by the adjudicating judge or parole authority in the sending state; (B) ensure that the public safety interests of the citizens, including the victims of juvenile offenders, in both the sending and receiving states are adequately protected; (C) return juveniles who have run away, absconded or escaped from supervision or control or have been accused of an offense to the state requesting their return . . . (J) establish a system of uniform data collection on information pertaining to juveniles subject to this compact that allows access by authorized juvenile justice and criminal justice officials, and regular reporting of Compact activities to heads of state executive, judicial, and legislative branches and criminal justice administrators . . ."
Article III, K. of the ICJ describes the Interstate Commission, and in relevant part, provides:
"The Interstate Commission shall collect standardized data concerning the interstate movement of juveniles as directed through its rules which shall specify the data to be collected, the means of collection and data exchange reporting requirements. Such methods of data collection, exchange and reporting shall insofar as is reasonably possible conform to up-to-date technology and coordinate its information functions with the appropriate repository of records."
ICJ Rule 2-102(1) regarding Data Collection states:
"As required by Article III (K) of the compact, member states shall gather, maintain and report data regarding the interstate movement of juveniles who are supervised under this compact and the return of juveniles who have absconded, escaped or fled to avoid prosecution or run away."
ICJ Rule 3-101 regarding the Electronic Information System, provides:
“States shall use the electronic information system approved by the Commission to facilitate the supervision, travel notices, and return of juveniles pursuant to the Interstate Compact for Juveniles.”
HIPAA Permits Information Sharing Between Members States as Required by ICJ
As with any question regarding the application of HIPAA, it is important to understand that the purposes of the HIPAA Privacy Rule include protecting an individual’s privacy while allowing important law enforcement functions to continue. (See HIPAA Privacy Rule & Public Health, Guidance from Center for Disease Control and The U.S. Department of Health and Human Services, April 11, 2003). Thus, HIPAA exempts certain disclosures of health information for law enforcement purposes without an individual’s written authorization. The various conditions and requirements concerning these exempt disclosures are contained in the regulatory text of the HIPAA Privacy Rule and may be found at 45 CFR 164 et. seq. Under these provisions, protected health information may be disclosed for law enforcement purposes when a law requires such disclosures.
Based upon the HIPAA Privacy Rule and the above referenced provisions of the ICJ compact statute, there is clearly evidence of an intent for the enforcement of laws concerning juveniles and the protection of public safety. As discussed in ICJ Advisory Opinion 1-2012, disclosure of protected health information is permissible when required to be furnished by or received from state agencies which administer the ICJ acting pursuant to the provisions of the compact and its authorized rules. [See 45 CFR 164.512 (f)(1)(i)].
In addition, exempt disclosures include those in which a response is required to comply with a court order. [See 45 CFR 164.512 (f)(1)(ii)(A)-(B)]. As set forth in ICJ Article I, a principal purpose of the compact is to “ensure that the adjudicated juveniles and status offenders subject to this compact are provided adequate supervision and services in the receiving state as ordered by the adjudicating judge or parole authority.” Under this provision, the disclosure and tracking of protected health information, among authorized compact administrators’ offices, concerning any juvenile subject to compact supervision pursuant to court order, as required by the ICJ and its authorized rules would be exempt from HIPAA.
Regarding information related to non-delinquent runaways, the HIPAA Privacy Rule allows disclosures of protected health information (PHI) when consistent with applicable law and ethical standards, including “disclosures to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public” [see 45 CFR 164.512 (j)(1)(i)]; or to identify or apprehend an individual who appears to have escaped from lawful custody [See 45 CFR 164.512 (j)(1)(ii)(B)]. (emphasis added). These provisions apply to the return of juveniles who have absconded, escaped or fled to avoid prosecution or run away.
Additionally, HIPAA specifically authorizes disclosures of PHI to law enforcement officials who need the information in order to provide health care to the individual and for the health and safety of the individual. [See 45 CFR 164.512 (k)(5)]. Under these provisions it appears that disclosures of health information required to provide for treatment of juveniles subject to the ICJ, including non-delinquent runaways, would also be exempt from HIPAA requirements.
It is also important for compact administrators to be aware that at least one federal court opinion on the subject suggests that immunity from a private cause of action by an individual under HIPAA would apply to jurisdictions that are signatories to the interstate compact agreement in question. See Johnson v. Quander, 370 F.Supp.2d 79 (D.D.C. 2005).
HIPAA Permits States to Share Information through the Commission’s UNITY system
Both the ICJ and the ICJ Rules require the compact member states to implement the law enforcement and public protection aspects of the compact through “a system of uniform data collection” (See Article I, J). Furthermore, the ICJ and ICJ Rules specify this purpose shall be by means of, “[S]uch methods of data collection, exchange and reporting shall insofar as is reasonably possible conform to up-to-date technology and coordinate its information functions with the appropriate repository of records,” (See Article III, K).
According to ICJ Rule 3-101, “States shall use the electronic information system approved to facilitate the supervision, travel notices, and return of juveniles pursuant to the Interstate Compact for Juveniles.” Approved by the Executive Committee on September 9, 2019, UNITY is the approved “electronic information system” by which all compact transactions must be now transmitted.
Thus, since the Commission developed the UNITY system in compliance with the mandates of the ICJ statute and duly authorized rules, use of UNITY is permitted pursuant to the HIPAA exemptions with respect to both Personal Identifiable Information (PII) as well as Personal Health Information (PHI).
Additional Information Regarding UNITY & Security
UNITY is a browser-based system which enables all member states to manage workflow and communications, as well as provide consistent service to juveniles who are under court supervision or have run away to another state. It is an efficient, secure, and reliable application that meets capacity requirements, designed to comply with and the FBI’s Criminal Justice Information Services (CJIS) Security Policy, in order to protect the privacy of the juveniles. UNITY also complies with Section 508 of the US Rehabilitation Act, which include accessibility standards for electronic content.
The UNITY system and all its data is securely hosted on the Microsoft Azure Government Cloud, an FBI-certified and CJIS compliant platform. Microsoft Azure Government Cloud is a dedicated cloud specifically designed for U.S. federal, state, and local governments that provide security, protection, and compliance services that meet government security and compliance requirements. The hosted website uses Transport Layer Security (TLS) binding with a security certificate that ensures a strong SHA-2 and 2048-bit encryption on all communication from the browser to the application. This provides end-to-end encryption of network traffic and ensures privacy and message integrity.
UNITY operates a “robust multi-factor authentication system,” which is used in the implementation of the ICJ data requirements. The system features multi & two-factor authentication (MFA/2FA) to ensure secure access. By default, the login process initially requires a password-based authentication followed by a token-based authentication for two-factor authentication. This is implemented according to the CJIS Security Policy.
Security is configurable at the national, ICJ state office, and user role levels. As a baseline, UNITY is based on CJIS security requirements and uses role-based security to provide a seamless yet secure experience for users. UNITY uses standard password-type control for capturing passwords from the user. The stored encrypted password is never displayed anywhere in UNITY. Password security is set up as per CJIS requirements.
The UNITY system meets national security standards for justice applications consistent with CJIS Security Policy 7 and the Juvenile Justice Standards, as well as national security standards for justice applications and criminal justice information systems, including a CJIS secure cloud hosting solution.
The Compact requires member states to share information regarding juveniles and their families when necessary for transfers of supervision of adjudicated delinquents, returns (including non-delinquent runaways), and travel permits. This information includes health information about these juveniles which is otherwise protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However as discussed herein, the HIPAA Privacy Rules allows disclosures of protected health information when consistent with applicable law and ethical standards, including disclosures to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public or to identify or apprehend an individual who appears to have escaped from lawful custody. As described above, since the ICJ Commission developed the UNITY system in compliance with the mandates of the ICJ statute and duly authorized rules, as well as the FBI’s Criminal Justice Information Services (CJIS) Security Policy, the use of UNITY is permitted pursuant to the HIPAA exemptions with respect to both Personal Identifiable Information (PII) as well as Personal Health Information (PHI).