Federal Laws and the Right to Confidentiality
In the early 1970s, Congress recognized that the stigma associated with substance abuse and fear of prosecution deterred people from entering treatment. As a result, it enacted legislation that gave clients in a substance abuse treatment program a right to confidentiality (42 USC §290dd-2). For the 3 decades since the Federal confidentiality regulations (42 C.F.R. Part 2, or Part 2) were issued in response to the Federal mandate, confidentiality has been a cornerstone practice for substance abuse treatment programs across the country.
In December 2000, the Department of Health and Human Services (DHHS) issued the “Standards for Privacy of Individually Identifiable Health Information” final rule (Privacy Rule), pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. Parts 160 and 164, Subparts A and E. Substance abuse treatment programs that are subject to HIPAA must comply with the Privacy Rule. The Privacy Rule and other guidance regarding its requirements may be accessed through the DHHS Office for Civil Rights (OCR) Web site at www.hhs.gov/ocr/hipaa/. In addition, the Substance Abuse and Mental Health Services Administration (SAMHSA) has issued guidance titled “The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs,” which can be accessed through its Web site at www.hipaa.samhsa.gov.
How the Two Federal Laws Relate to Each Other and to State Law
Substance abuse treatment programs need to understand how both Federal laws—the older substance abuse-specific Part 2 regulations and the Privacy Rule—apply to their programs.
Part 2 applies to all programs (individuals or organizations) specializing, in whole or in part, in providing treatment, counseling, or assessment and referral services for substance use disorders (§§2.11, 2.12(e)). (Any citations in this appendix that begin with §2 refer to sections of 42 C.F.R. Part 2.) Part 2 applies only to programs that receive Federal assistance, including indirect forms of Federal aid, such as tax-exempt status or State or local government funding that is from (in whole or in part) the Federal government or any form of Medicaid or Medicare funding for any purpose.
The Privacy Rule applies to healthcare providers (persons or organizations that furnish, bill, or are paid for health care in the normal course of business) who transmit health information
In electronic form (generally, via computer-based technology) and
In connection with transactions for which DHHS has adopted a HIPAA standard, such as submitting healthcare claims to Medicaid or private payors.
Drug and alcohol programs are healthcare providers because they furnish health care in the normal course of business. However, only those programs that transmit health information in electronic form and in connection with a HIPAA transaction, such as a healthcare claim, are subject to the Privacy Rule (such programs, along with health plans and healthcare clearinghouses, are HIPAA “covered entities”). (For a list of the HIPAA transactions for which standards have been adopted, see 45 C.F.R. Part 162. Note that once a program is subject to HIPAA, all “protected health information” [see below] that the program transmits or maintains about individuals is covered by the Privacy Rule—whether the information is in oral, written, or electronic form.)
Part 2 requirements
The Part 2 requirements
Apply to information about any individual who has applied for or received any substance-abuse-related assessment, treatment, or referral services and prohibit all disclosures of information about that person that are not specifically permitted by nine limited exceptions.
Are more restrictive of communications in many instances than either the doctor-patient or the attorney-client privilege.
Apply to information about current and former clients from the time they make an appointment and apply to any information that would identify them as individuals who use substances either directly or by implication.
Apply to information about clients who are mandated into treatment as well as to information about those who enter treatment voluntarily.
Apply whether the person seeking information already has that information, has other ways of getting it, has some form of official status, is authorized by State law, or comes armed with a subpoena or search warrant.
Violating Part 2 is punishable by a fine of up to $500 for a first offense and up to $5,000 for each subsequent offense (§2.4).
Privacy Rule requirements
Under the Privacy Rule, a program may not use or disclose protected health information except as permitted or required by the Rule. See 45 C.F.R. §164.502(a). Protected health information is defined as individually identifiable health information held or transmitted by a covered entity or its “business associate,” with limited exceptions. See 45 C.F.R. §160.103. It does not include such information in employment records or in certain educational records. The Privacy Rule permits disclosures in many circumstances in which Part 2 would not. Most importantly, the Privacy Rule does not require that the client consent to disclosures made for “treatment, payment or health care operations” (§§164.502(a)(1)(ii); 164.506(c)). (Citations in the form §164… refer to sections in 45 C.F.R. Part 164.) Part 2 requires client consent for almost all such disclosures. There are civil and criminal penalties for violations of the Privacy Rule.
State laws and regulations
Covered entities will usually be able to comply with both Privacy Rule and applicable State law provisions. However, there may be situations in which the provisions of the Privacy Rule and State law are contrary, which generally means the covered entity would find it impossible to comply with both. If contrary, the Privacy Rule overrides State law, unless the State law is more stringent; that is, unless the State law provides greater privacy protection for the individual who is the subject of the protected health information. If the State law is more stringent, programs must comply with the State law. A Privacy Rule provision would also not prevail over a contrary State law provision where DHHS had granted an exception.
Working with both sets of regulations
Substance abuse treatment programs that are already complying with Part 2 should not have a difficult time complying with the Privacy Rule, as it parallels the requirements of Part 2 in many areas. Programs subject to both sets of rules must comply with both, unless there is a conflict between them. Generally, this will mean that substance abuse treatment programs should continue to follow Part 2. In some instances, programs will have to establish new policies and procedures or alter existing policies and procedures.
Security of records
Part 2 requires programs to maintain written records in a secure room, a locked file cabinet, a safe, or other similar container. It requires programs to adopt written procedures to regulate access to and use of clients’ records. Either the program director or a single staff person should be designated to process inquiries and requests for information (§2.16).
Section 164.530(c) of the Privacy Rule requires programs that are covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. The issue of security is addressed in more detail through a separate Security Rule issued by DHHS on February 20, 2003, that establishes the administrative, physical, and technical safeguards required to guard the integrity, confidentiality, and availability of protected health information that is electronically stored, maintained, or transmitted. See 45 C.F.R. §164.306. Alcohol and substance abuse programs that are covered entities must be in compliance with the Security Rule by April 20, 2005. The Security Rule can be accessed through the Centers for Medicare and Medicaid Services Web site at www.cms.hhs.gov.
More information can be obtained from the technical assistance publication “The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs,” which can be found at www.hipaa.samhsa.gov. For printed copies, contact SAMHSA’s Health Information Network at (800) 729-6686 or (301) 468-2600; TDD (for hearing impaired) (800) 487-4889.