Information Sharing Considerations for Implementing the Consolidated Appropriations Act’s Requirements for Justice-Involved Children and Youth
Kinda Serafi, Jonah Frohlich, Chris Cantrell and Alice Leiter, Manatt Health
Background
On July 23, 2024, the Centers for Medicare & Medicaid Services (CMS) released a State Health Official (SHO) letter, “Provisions of Medicaid and CHIP Services to Incarcerated Youth.”[1] The SHO letter provides implementation guidance on section 5121 of the Consolidated Appropriations Act, 2023 (CAA), which requires states to provide targeted case management (TCM) and screening and diagnostic services for children and youth who are incarcerated post-disposition (i.e., post-conviction or adjudication) and enrolled in Medicaid or the Children’s Health Insurance Program (CHIP).[2] As highlighted in a previous expert perspective, incarcerated children and youth are at higher risk than the general population to experience untreated substance use disorders, sexual and/or physical abuse, and suicidal ideation. Notably, since Black children and youth experience incarceration at rates that are significantly higher than other populations, lack of access to health and social services during their incarceration can exacerbate health disparities and increase the likelihood of future involvement in the justice system. The CMS guidance not only underscores the importance of addressing health disparities among incarcerated children and youth, but also sets clear operational expectations for states in implementing the CAA’s requirements.
Per the CMS guidance, states are required to complete a CAA section 5121 operational plan no later than January 1, 2025.[3] These operational plans must include, among other things, actions for establishing an operational system to exchange information with the carceral system, which will contain sensitive information governed by a variety of state and federal rules. Although every state has its own framework for governing sensitive personal information, federal rules and requirements impose the same obligations on all states.
Over the next several months and beyond, states will need to assess their information sharing needs related to CAA section 5121 implementation and provide guidance to carceral facilities, community-based providers, managed care organizations (MCOs), and other implementation partners on supporting those needs in compliance with state and federal law. This expert perspective highlights key areas of CAA implementation that require information sharing, which states will need to consider as they work towards coming into full compliance.
Facilitating Enrollment in Medicaid and CHIP
Correctional facilities will need to set up processes to identify whether children and youth are already enrolled in Medicaid and assist them in submitting Medicaid applications if they are not yet enrolled. In addition, correctional facilities will need to communicate to the state Medicaid agency when a child or youth is incarcerated so that the state can suspend their coverage and communicate again when the child or youth is released into the community so that the state can turn full coverage back on.
To support these activities, states will need to establish processes to exchange the following types of information:
Status of Medicaid and CHIP Enrollment: Correctional facilities are obligated to identify whether a child or youth is already enrolled in Medicaid or whether Medicaid application assistance is needed.
The Health Insurance Portability and Accountability Act (HIPAA) deems Medicaid/CHIP agencies as “covered entities” that are eligible to share and receive protected health information (PHI) —including Medicaid enrollment information—without child or youth consent for purposes of treatment and care coordination, which includes determining eligibility for services.[4] Further, federal Medicaid regulations permit the use or disclosure of information concerning applicants and enrollees for purposes “directly connected with the administration” of the Medicaid and CHIP state plans, which would include the determination of a child’s or youth’s Medicaid enrollment status.[5],[6]
If a correctional facility is enrolled as a Medicaid provider, it also is considered a covered entity, and so using a Medicaid provider portal, or other mechanism, to check whether a child or youth is already enrolled in Medicaid would not require individual consent. If a state determines that a particular correctional facility is not a HIPAA covered entity—for example, if the correctional facility is not enrolled as a Medicaid provider—then it will need to assess, based on the particular circumstances, whether HIPAA rules permit disclosure of Medicaid enrollment information without consent.
Medicaid and CHIP Application Submissions: For children and youth who are not yet enrolled in Medicaid, correctional facilities will need to set up processes to assist them in submitting a Medicaid application to the state. If the child or youth is submitting the application on their own behalf and merely being assisted by the correctional facility in completing the application fields, no consent or data sharing agreements need to be in place. However, if correctional facilities will have access to state application portals and are submitting applications on behalf of children and youth, then Medicaid and CHIP agencies should ensure that necessary data sharing agreements between the state and the correctional facilities are in place.[7]
Incarceration Status and Release Date Information: States will also need to work with carceral facilities to establish processes for facilities to share incarceration status to facilitate suspension of Medicaid/CHIP coverage and the activation of payment for CAA-related benefits for incarcerated children and youth. States and facilities will need to establish similar processes to share release-date information to activate full-scope benefits when the child or youth reenters the community. In general, rules governing the disclosure of incarceration status and release dates are established at the state level, so Medicaid and CHIP agencies will need to assess what state-level laws and regulations may apply. Agencies will also need to work with carceral facilities to establish information systems to exchange this information, such as electronic interfaces (e.g., a provider portal), event notification services that alert Medicaid and CHIP agencies or other institutions when a child or youth is booked or released, or manual processes (e.g., sharing of daily inmate roster files via secure email).
Delivering Mandatory CAA Pre-Release Services
Once children and youth are enrolled in Medicaid or CHIP, the CAA requires states to provide screening and diagnostic services in the 30 days prior to release (or no later than one week post-release), as well as TCM in the 30 days prior to release, and for at least 30 days post-release. States and carceral facilities have flexibility in deciding whether to use embedded carceral providers or community-based providers that come to a carceral facility to deliver these services, though CMS has expressed a preference for community-based providers to promote greater continuity of care upon reentry.
For the provision of TCM, in addition to leveraging carceral providers or community-based providers, many states are also evaluating whether to leverage their Medicaid MCOs. To support delivery of these services for eligible children and youth, states will need to work with facilities to establish processes—including by leveraging health information exchange entities that may exist on the state level, as described further below—to exchange health history and service needs information (e.g., physical, behavioral, and dental health records; care needs assessments; and care plans) among facilities, community-based providers, and MCOs. This will include the following types of information, both of which have specific legal considerations for exchange:
Protected Health Information (PHI): Carceral facilities, community-based providers, and TCM service providers will generate and require access to PHI as they conduct screenings and deliver TCM services to incarcerated children and youth, such as conducting care needs assessments and developing and sharing care plans with pre-release service providers. As noted above, HIPAA permits the disclosure of PHI by and among covered entities for certain purposes—including treatment—without individual authorization. Covered entities may also disclose PHI without consent to social services agencies that provide health-related services to individuals for care coordination and case management.[8] As such, states can develop processes to exchange PHI across embedded and community-based service providers for the purposes of supporting pre-release service and TCM delivery without requiring individual consent. Per HIPAA requirements, in cases where PHI is shared with a non-covered entity, states should limit information exchange to the minimum amount of information necessary to support service provision and case management.[9]
Agencies must also take into account any state laws and regulations concerning the disclosure of specific types of PHI, such as mental health information, which may be more stringent than HIPAA regulations.
Substance-Use Disorder (SUD) Information: Incarcerated children and youth experience higher rates of untreated SUD conditions compared to the general population of children and youth , so states will need to ensure that information on SUD-related needs and services can be exchanged to facilitate timely access to coordinated services.[10] 42 C.F.R. Part 2 (or Part 2) is a set of federal regulations that is generally stricter than HIPAA in that it requires that consent be obtained in order for Part 2 providers or programs to disclose SUD information to other organizations, even when for purposes of treatment or care coordination. The recent Part 2 final rule provided several important updates that streamline the consent process, including: (1) allowing individuals to consent to current and future disclosures of their SUD records for treatment, payment, and care coordination purposes using a single form; (2) allowing forms to list the categories of entities that may receive SUD information, rather than listing individual entities; and (3) permitting covered entities and business associates to redisclose SUD information without further consent, when such disclosure is in accordance with HIPAA and those organizations received Part 2 SUD information under a broadly worded consent.[11],[12] However, when Part 2 SUD information is disclosed to entities not covered by HIPAA (e.g., a provider of housing support services, or pre- or post-release care managers who are not covered entities), in most cases redisclosure of such data will require additional consent. [13]
Since these rules only apply to providers and programs governed by Part 2 (often referred to as “Part 2 providers” or “Part 2 programs”), states will need to determine whether the carceral facilities and SUD treatment providers serving incarcerated children and youth are considered Part 2 providers or programs. Federal rules define Part 2 providers and programs as those that: (1) receive federal assistance; and (2) hold themselves out as providing and actually provide SUD diagnosis, treatment, or referral for treatment. For example, if a carceral facility-based provider only provides services to children and youth housed in the facility and does not “hold itself out” as providing services to the broader public, it may not be subject to Part 2 rules. Whether or not a facility providing SUD treatment is a Part 2 provider is a fact-specific determination, and states will need to analyze the application of the federal rules to carceral facilities and other providers on a facility-by-facility basis.
However, as noted above, some states have laws governing SUD information that are more restrictive than HIPAA, so even if SUD data is not subject to Part 2, states will need to carefully consider whether consent may still be required to disclose SUD information across entities participating in service delivery.
Consent Management In the event that consent is required to share Part 2 or other PHI, states will need consent management systems and processes to share information between carceral providers, Part 2 providers, Medicaid agencies and other institutions. This requires documentation that a child/youth or their authorized representative makes an informed decision to release information that is properly recorded and maintained. This release must be “meaningful,” such that the individual is informed about the purpose of sharing their information; with whom their information may be shared; the type of information that might be shared; and their individual rights to provide, modify, and revoke their consent. More information is available here. In addition, states should engage with youth and families with lived experiences in the criminal legal system as well as literacy/communication experts to craft consent requests that are designed specifically for children and youth. For example, electronic consent management services (eConsent Services) employed by some states include a standardized release of information (ROI) form that can be accessed, stored, managed, and updated by the individual or their authorized representative. Software systems can use those ROIs to support exchange of mental health and SUD information facilitated by statewide or regional health information exchange organizations (HIOs). When determining whether consent is required before PHI or Part 2 information can be exchanged, states must also evaluate the extent to which a minor is authorized under state law to consent to disclosures of specific types of health information, or whether a parent/guardian or personal representative must provide consent instead or in addition. Both HIPAA and Part 2 defer to state law on the issue of who is authorized to provide consent. |
Supporting Successful Reentry Into the Community
As part of TCM service delivery, the CAA requires that case managers support referrals to community-based service providers and follow up with those providers to ensure that the care plan is implemented. In general, supporting these activities will require the same types of information-sharing that will occur in the pre-release setting, including disclosure of PHI and SUD information. In addition, states will need to assess whether other types of information will need to be disclosed to ensure effective reentry, including health-related social needs information pertaining to past or future social service program enrollment information (e.g., food assistance), to support referrals to needed benefits outside of Medicaid and CHIP. In the event that consent for such disclosures is required, whether the child/youth can or his or her parent or authorized representative must provide such consent is a matter of state law.
States should work with carceral facilities, service providers, and other implementation partners to identify other types of information that require disclosure to support reentry, as well as what existing information sharing systems and infrastructure can be leveraged, or what additional systems and infrastructure are needed, to promote seamless handoffs to post-release services and care continuity.
Leveraging and Enhancing Mechanisms for Data Exchange Information exchange required by the CAA requires electronic systems to share individual-level information for purposes of Medicaid and CHIP enrollment, care coordination, and reentry support. On the federal level, efforts such as the Trusted Exchange Framework and Common Agreement do not currently support the state-level exchange of this type of information. However, many states have existing regional or statewide HIOs—whether established by state governments (e.g., North Carolina) or operating in concert with state agencies (e.g., Maryland, Minnesota, New York) —that can be employed to support the necessary information-sharing required by the CAA. These HIOs are designed to promote access to, and exchange and analysis of, health information by breaking down information silos between healthcare providers and plans. They strive to achieve better healthcare outcomes for patients and create efficiencies in state-funded healthcare programs such as Medicaid. States can access enhanced federal Medicaid matching funding to build new or enhance existing state health information technology infrastructure to improve access to mental health and SUD treatment and care coordination. State Medicaid agencies may qualify for enhanced federal financial participation (FFP) of 90% to design, develop, and install systems, and 75% FFP to maintain systems for sharing mental health or SUD information. The types of systems and services that Medicaid agencies may qualify for include: technology to facilitate information exchange between mental health and SUD treatment providers and schools, hospitals, primary care, and criminal justice settings, and establishing eConsent Management services that support the exchange of mental health and SUD treatment information using common health information exchange standards and application programming interfaces. More information is available here. |
The Bottom Line for Section 5121 Information Sharing Partners
As states continue to plan for the implementation of CAA requirements over the coming months, they will need to carefully consider the role that information-sharing plays in supporting Medicaid/CHIP enrollment, provision of CAA-mandated pre-release services, and connections to community-based services. Specific steps that states should take include the following:
- Identify information-sharing use cases to support CAA implementation, including information-sharing entities (e.g., jails), data types (e.g., PHI), and systems (e.g., electronic medical records).
- Assess existing information-sharing infrastructure available for CAA implementation partners to leverage, including regional or statewide HIOs.
- Assess existing information guidance and consent processes relevant to CAA implementation partners.
- Conduct a legal and regulatory analysis to identify applicable information-sharing laws, regulations and guidance, including those that are state-specific. Develop information-sharing guidance and tools, such as handbooks (e.g., California’s Cal-AIM Data Sharing Authorization Guidance[14]) and universal consent forms for CAA implementation partners.
- Facilitate necessary data-sharing agreements and/or update existing agreements.
- Provide ongoing technical assistance to implementation partners to reinforce expectations and minimize barriers to service delivery.
Across each of these steps, states should be engaging carceral facilities and other implementation partners to understand on-the-ground barriers and collaboratively develop solutions. States that are also implementing reentry section 1115 demonstrations will need to consider how best to align information-sharing processes across both the CAA and their demonstration initiatives.
[2] Eligible post-disposition youth are defined as under 21 years of age, or between the ages of 18 and 26 and eligible for Medicaid under the mandatory former foster care eligibility group, and incarcerated after conviction.
[3] States with section 1115 implementation plans that intend to subsume CAA requirements into the demonstration do not need to submit a separate CAA 5121 operational plan.
[4] US Department of Health and Human Services, Office of Civil Rights, “Covered Entities and Business Associates.”
[5] Social Security Act §1902(a)(7); 42 C.F.R. Part 431, Subpart F.
[6] 42 C.F.R. § 431.300 et seq; 42 C.F.R. § 457.1110(b).
[7] 42 C.F.R. § 431.306(g); § 435.945(i).
[10] Heaton, Leanne L. APA PsycNet, “Racial/ethnic differences of justice-involved youth in substance-related problems and services received.”
[11] 89 Fed. Reg. 12472 (2024).
[13] When Part 2 information is “disclosed for payment or health care operations activities to a lawful holder that is not a covered entity or business associate, the recipient may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders.” (42 C.F.R §2.33(b)(3).) The lawful holder must have in place a contract with the contractor or legal representative that meets certain requirements set forth in §2.33(c).
[14] California Department of Health Care Services, Cal-AIM Data Sharing Authorization Guidance.