Footnotes
1 In August 2002, HHS adopted modifications to the Privacy Rule.
2 The compliance date for the Privacy Rule was April 14, 2003. However, small health plans, as defined by the Privacy Rule, are not required to be in compliance until April 14, 2004.
3 This guidance applies to substance abuse treatment programs that are also covered entities as defined by the Privacy Rule. Programs should seek legal counsel for assistance in determining whether they are covered entities.
4 The Part 2 regulations apply to substance abuse treatment "programs" as defined by 42 CFR §2.11 that are "federally assisted" as defined by 42 CFR §2.12(b).
5 The Privacy Rule generally defines a health care provider to include a person or organization who furnishes, bills or is paid for health care in the normal course of business, which would include substance abuse treatment programs.
6 A substance abuse treatment program is defined as an individual or entity that provides alcohol or drug abuse diagnosis, treatment or referral. For the purposes of this document, the term "program" includes both individual substance abuse providers and substance abuse provider organizations.
7 Neither Part 2 nor the Privacy Rule protects employment records held by a program in its role as employer. Note that while 42 CFR Part 2 arguably applies to substance abuse patient records covered by the Family Educational Rights and Privacy Act (FERPA) (20 USC §1232g; 34 CFR Part 99), the Privacy Rule does not.
8 PHI is defined as individually identifiable health information held or transmitted by a covered entity or its "business associate," with limited exceptions. See 45 CFR §160.103.
9 The Privacy Rule includes numerous elements that make information identifiable, such as, but not limited to, information regarding employers, relatives and household members that are not necessarily identifiable information under Part 2. Such information should be protected consistent with the Privacy Rule requirements.
10 Part 2 uses the term "disclosure" to cover what the Privacy Rule refers to as "uses" and "disclosures." See the definition of these terms in 45 CFR §160.103. Some Privacy Rule provisions differ for "uses" and "disclosures." For convenience, we generally use the Part 2 term "disclosure" throughout to encompass both uses and disclosures under the Privacy Rule. In some instances, however, specific uses or disclosures are discussed.
11 This document uses the term "consent" when referring to any written permission provided by a patient for the use or disclosure of identifiable health information. The Privacy Rule uses the term "authorization" for certain permissions, and also permits, but does not require, programs to obtain "consent" for the use and disclosure of PHI for purposes of treatment, payment, or health care operations.
12 See the Privacy Rule's definitions of "treatment," "payment," and "health care operations" at 45 CFR §164.501. When a substance abuse treatment program obtains information about a patient from a school, relatives, health care providers and health plans for treatment or payment activities, when it refers a patient to other providers and services and when it coordinates care with other health care providers, it almost always makes an implicit disclosure that the patient has applied for or has received alcohol or drug abuse treatment services and thus the program is required to treat these contacts as disclosures and obtain patient consent prior to such contact. In most of these instances, the disclosure from the program is for treatment purposes and the additional Privacy Rule statements would not have to be added to the consent forms. Note that programs may add the Privacy Rule statements in all circumstances, and programs may find it more convenient to use only one kind of consent form.
13 The only exception to this rule is when the program director determines that a minor applying for services lacks capacity for rational choice and that the minor applicant's situation poses a substantial threat to life or physical well being of the minor or any other person that may be reduced by communicating relevant facts to the minor's parent or guardian. See 42 CFR §2.14(d).
14 In applying the Privacy Rule, programs should consider whether the program and the entity with "direct administrative control" over the program are two separate legal entities. If they are two separate legal entities, PHI flowing between the program and the other entity will generally be governed by the Privacy Rule's requirements regarding "disclosure" rather than "use" of PHI. However, the Privacy Rule recognizes that health care providers may have different organizational arrangements and has established different rules to reflect such arrangements. See the Privacy Rule's provisions regarding hybrid entities (45 CFR §164.105(a) and (c)), affiliated covered entities (45 CFR §164.105(b) and (c)), and organized health care arrangements (OHCAs) (45 CFR §160.103 (definition of "business associate" and "OHCA"), 45 CFR §164.506(c)(5), and 45 CFR §164.520(d)).
15 As noted above, when a program makes an inquiry about, or refers, a patient, it is often making an implicit disclosure that the patient is in substance abuse treatment.
16 A memorandum of understanding would generally be used between government entities rather than a business associate contract.
17 Under the Privacy Rule, a "health oversight agency" is an agency or authority of the United States, a State, a territory, a political subdivision of a State or a territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such a public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance or to enforce civil rights laws for which health information is relevant (45 CFR §164.501). Disclosures to health oversight agencies when an individual is the subject of the investigation are prohibited under certain circumstances by the Privacy Rule (45 CFR §164.512(d)(2)).
18 This last section addresses issues on which Part 2 is largely silent. Thus, these can be seen as new requirements imposed by the Privacy Rule to which programs now must adhere.
19 The Privacy Rule also requires that the notice contain information about any more restrictive law. For example, if State law further limits disclosure of HIV-related information, that restriction should also appear in the notice.
20 Programs often need to provide PHI to criminal justice agencies that mandate patients into treatment. Under Part 2, such disclosures may be made pursuant to a non-revocable consent that complies with 42 CFR §2.35. Under the Privacy Rule, such disclosures may be made pursuant to an authorization or pursuant to a court order. In order to comply with both rules, programs may find it helpful to ask the court in such a situation to issue an order that the program disclose necessary information to the court and other law enforcement personnel.
21 A substance abuse treatment program engaging in these kinds of activities must be careful in contacting the patient that it does not make any patient-identifying disclosures to others. If the program does not intend to contact the patient, it does not need to include this statement.
22 This is also voluntary. However, if this statement is not included, any changes in privacy practices described in the notice will apply only to PHI the program created or received after issuing a revised notice reflecting such changes. 45 CFR §164.520(b)(1)(v)(C).
23 There is an exception in emergency situations. If treatment is provided on an emergency basis, the program must provide the notice as soon as practicable after the emergency is resolved. See 45 CFR §164.520(c)(2)(i)(B).
24 The Privacy Rule requires access to information in a designated record set for as long as the PHI is maintained in the designated record set. "Designated record set" is defined as "[a] group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals." 45 CFR §164.501. The program must document the designated record sets that are subject to access and the titles of the persons or offices responsible for receiving and processing requests for access (45 CFR §164.524(e)). It must retain the documentation for six (6) years from the date it was last effective, whichever is later (45 CFR §164.530(j)). Under Part 2, the information need not be contained in a designated record set. Thus, programs could permit access to all disclosable patient records.
25 The Privacy Rule defines "psychotherapy notes" as "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date." 45 CFR §164.501.
26 Information obtained by patient access to his or her own record is subject to Part 2's restriction on use of the information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient. See 42 CFR §2.23(b).
27 There are special provisions under the Privacy Rule that are applicable to accounting for recurrent disclosures and certain research disclosures. See 45 CFR §§164.528(b)(3) and (b)(4).
28 There are special provisions under the Privacy Rule that are applicable to accounting for research. See 45 CFR §164.528(b)(4).
29 When a program authorizes access to an entire universe of records, e.g., for public health surveillance activities, the Privacy Rule's accounting requirement can be met without the program having to make a notation in each medical record that has been accessed by public health authorities. See Office for Civil Rights, Frequently Asked Questions, www.hhs.gov/ocr/hipaa.