HIPAA Home Page
 
The Confidentiality Of Alcohol And Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications For Alcohol and Substance Abuse Programs
Blue Rule
  
 


II.    How the Privacy Rule affects disclosures of information

A.     The General Rule

The "general rules" established by Part 2 and the Privacy Rule regarding uses and disclosures of patient health information are very different.10

Substance abuse treatment programs must comply with both rules. Generally, this will mean that they will continue to follow Part 2's general rule and not disclose information unless they can obtain consent or point to an exception to that rule that specifically permits the disclosure. Programs must then make sure that the disclosure is also permissible under the Privacy Rule.

B.   When disclosures are permitted

1.   Part 2 Consent11 and Privacy Rule Authorization


42 CFR Part 2


Programs may not use or disclose any information about any patient unless the patient has consented in writing (on a form that meets the requirements established by the regulations) or unless another very limited exception specified in the regulations applies. Any disclosure must be limited to the information necessary to carry out the purpose of the disclosure.


The Privacy Rule


The Privacy Rule permits uses and disclosures for "treatment, payment and health care operations" as well as certain other disclosures without the individual's prior written authorization. Disclosures not otherwise specifically permitted or required by the Privacy Rule must have an authorization that meets certain requirements. With certain exceptions, the Privacy Rule generally requires that uses and disclosures of PHI be the minimum necessary for the intended purpose of the use or disclosure.

Substance abuse treatment programs most often make disclosures after a patient has signed a consent form that meets the requirements of 42 CFR §2.31. Note that a disclosure under Part 2 includes the acknowledgment that someone has applied to or is enrolled in the program, and thus is only permitted if the patient has signed a consent form (or another of the regulations' narrow exceptions applies). See 42 CFR §§2.11 and 2.13. A Part 2 consent form must include the following elements:

  • Name or general designation of the program or person permitted to make the disclosure;
  • Name or title of the individual or name of the organization to which disclosure is to be made;
  • Name of the patient;
  • Purpose of the disclosure;
  • How much and what kind of information is to be disclosed;
  • Signature of patient (and, in some States, a parent or guardian);
  • Date on which consent is signed;
  • Statement that the consent is subject to revocation at any time except to the extent that the program has already acted on it; and
  • Date, event, or condition upon which consent will expire if not previously revoked.

When programs operating under Part 2 disclose information pursuant to a consent form, they must include a written statement that the information cannot be redisclosed. See 42 CFR §2.32.

The core required elements for the Privacy Rule written authorization are similar to those of Part 2. However, to comply with the Privacy Rule authorization requirements, the Part 2 consent must also contain a statement reflecting the ability or inability of the substance abuse treatment program to condition treatment on whether the patient signs the form as described in 45 CFR §164.508(c)(2)(ii). In addition, the consent may be signed by a personal representative, and if so, must include a description of such representative's authority to act for the patient. See 45 CFR §164.508(c)(1)(vi). Finally, the consent must be written in plain language. See 45 CFR §164.508(c)(3).

The requirements above must be met with respect to the Part 2 consent form when the purpose of the disclosure is not for "treatment, payment or health care operations" or for any other permitted or required disclosure under the Privacy Rule. See 45 CFR §164.502(a).12 The statements would have to be added when the consent form authorizes a program to make a disclosure for which an authorization is required under the Privacy Rule, e.g., those disclosures addressed by 45 CFR §164.508.

The Privacy Rule imposes three additional steps programs must take when disclosing information pursuant to a patient's written consent:

  • Programs must ensure that the consent complies with the applicable requirements of 45 CFR §164.508.
  • Programs must give patients a copy of the signed form (45 CFR §164.508(c)(4)).
  • Programs must keep a copy of each signed form for six (6) years from its expiration date (45 CFR §164.508(b)(6)).

Therefore, substance abuse treatment programs should generally continue to use the consent form for disclosures subject to Part 2. If the Privacy Rule requires authorization for the disclosures, the substance abuse treatment program may use the Part 2 consent form with additional elements required by the Privacy Rule as listed above.

Minors

The Privacy Rule defers to requirements in other applicable laws regarding the use or disclosure of health information regarding minors and, thus, does not change the rules in Part 2 regarding minors and consent. See 45 CFR §164.502(g). A minor must always sign the consent form for a program to release information even to his or her parent or guardian (42 CFR §2.14).13 Some States require programs to obtain parental permission before providing treatment to a minor. In these States only, programs must get the signatures of both the minor and a parent, guardian, or other person legally responsible for the minor (42 CFR §2.14(c)(2)).

Revocation of Consent

Part 2 permits a patient to revoke consent orally (see 42 CFR §2.31(a)(8)); the Privacy Rule requires written revocation of an authorization (45 CFR §164.508(b)(5)). Substance abuse treatment programs must continue to honor verbal revocations but may want to obtain written revocation when possible or at a minimum document the revocation in the patient's record. Both Part 2 and the Privacy Rule allow the program to make a disclosure for services already rendered in reliance on a signed consent or authorization form. See 42 CFR §2.31(a)(8) and 45 CFR §164.508(b)(5)(i).

2.   Other permissible disclosures under Part 2

Substance abuse treatment programs are accustomed to complying with Part 2's general rule prohibiting disclosure, unless the patient has consented in writing or the disclosure falls within one of the regulations' limited exceptions (e.g., child abuse reporting, medical emergencies). In some instances, the Privacy Rule does not require a change in these practices. In others, the Privacy Rule will require some modification of programs' practices.

a.   When little or no changes may be needed

Programs should generally continue to follow the rules in Part 2 regarding:

i.   Internal program communications

Both Part 2 and the Privacy Rule allow for communications within programs on a "need to know" basis. Part 2 requires that the communication of information within the program (or to an entity with direct administrative control over the program)14 be limited to those persons who have a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment or referral for treatment of alcohol or drug abuse. See 42 CFR §2.12(c)(3). Similarly, the Privacy Rule requires programs to identify the staff persons or classes of persons in its workforce who need access to PHI, the categories of PHI they need access to, and any conditions appropriate to such access. See 45 CFR §164.514(d)(2)(i). The program must then make reasonable efforts to limit access of such persons or classes of persons to PHI based on these determinations. See 45 CFR §164.514(d)(2)(ii). Substance abuse treatment programs subject to the Privacy Rule will have to establish written policies to comply with the minimum necessary requirement of the Privacy Rule, although in practice, the programs should be able to operate as they have under Part 2 in this regard.

ii.   Crimes on program premises or against program personnel

Part 2 permits programs to disclose limited information to law enforcement officers. Such disclosures must be directly related to crimes and threats to commit crimes on program premises or against program personnel and must be limited to the circumstances of the incident and the patient's status, name, address and last known whereabouts. See 42 CFR §2.12(c)(5). The Privacy Rule permits programs to disclose to law enforcement officials PHI that the program believes in good faith constitutes evidence of a crime that occurred on the program's premises. See 45 CFR §164.512(f)(5). It also permits any member of the program's staff who is the victim of a crime to report certain information about the suspected perpetrator to law enforcement officials. See 45 CFR §164.502(j)(2). Programs should continue to follow the rules established by Part 2.

iii.   Child abuse reporting

Part 2 permits programs to comply with State laws that require the reporting of child abuse and neglect. See 42 CFR §2.12(c)(6). The Privacy Rule also permits such reporting. See 45 CFR §164.512(b)(1)(ii). However, Part 2 limits programs to making only an initial report; it does not allow programs to respond to follow-up requests for information or to subpoenas, unless the patient has signed a consent form or a court has issued an order that complies with the rule (see "Subpoenas and court-ordered disclosures," below). Programs should continue to follow the rules established by Part 2.

iv.   Medical emergencies

Part 2 allows patient-identifying information to be disclosed to medical personnel who have a need for the information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention. See 42 CFR §2.51. A program can disclose information only to medical personnel and must limit the amount of information to that which is necessary to treat the emergency medical condition. Immediately following the disclosure, the program must document the following in the patient's records:

  • The name and affiliation of the medical personnel to whom disclosure was made;
  • The name of the individual making the disclosure;
  • The date and time of the disclosure; and
  • The nature of the emergency.

These practices are not affected by the Privacy Rule.

v.   Subpoenas and court-ordered disclosures

Part 2 permits programs to release information in response to a subpoena if the patient signs a consent permitting release of the information requested in the subpoena. When the patient does not consent, Part 2 prohibits programs from releasing information in response to a subpoena, unless a court has issued an order that complies with the rule. See 42 CFR Part 2, Subpart E. Subpart E sets out the procedure the court must follow, the findings it must make, and the limits it must place on any disclosure it authorizes.

The Privacy Rule permits a program to disclose PHI pursuant to a subpoena without a prior written authorization, if it receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the individual has been given notice of the request for PHI and the opportunity to object, or reasonable efforts have been made to secure a qualified protective order. See 45 CFR §164.512(e)(1)(ii). The Privacy Rule has different requirements regarding court orders, but programs can comply with both Part 2 and the Privacy Rule by continuing to follow the Part 2's court order requirements. Unless the disclosure requires authorization under the Privacy Rule, the Part 2 consent form can be used.

b.   When some change is required

i.   Disclosures that do not reveal patient-identifying information

Part 2 permits a substance abuse treatment program to disclose information about a patient if the disclosure does not identify the patient as an alcohol or drug abuser or as someone who has applied for or received substance abuse assessment or treatment services. See 42 CFR §§2.11 and 2.12(a). This allows a program that is part of a larger entity, such as a hospital, to disclose information about a patient so long as it does not explicitly or implicitly disclose the fact that the patient is an alcohol or drug abuser. For example, a program that is part of a hospital could disclose to a public health department that a named patient has TB by identifying itself only as part of the hospital and not as a substance abuse treatment program and by taking care not to mention that the patient is in substance abuse treatment.

Many programs that are part of larger entities are accustomed to using this exception in Part 2 to gather information about patients from, for example, other health care providers, schools, and employers, or to refer patients to other providers.15 Some of these practices by programs that are part of larger entities will continue to be permissible under the Privacy Rule, which does not require patients to authorize disclosures for purposes of treatment, payment or health care operations. The Privacy Rule also permits programs to share information about an individual's treatment or payment related to the individual's health care with persons involved in the individual's care. See 45 CFR §164.510(b).

The Privacy Rule also allows for certain disclosures to be made without authorization that are not for treatment, payment or health care operations. See 45 CFR §164.512. For example, the Privacy Rule permits a program to disclose, without the patient's prior authorization, to a public health department that the patient has TB when the health department is authorized to collect such information. However, any program that is accustomed to making "non-patient identifying" disclosures of information that do not identify the subject as a substance abuser and that are not for treatment purposes should consult the Privacy Rule directly to determine whether those disclosures continue to be permissible.

Part 2 does not permit freestanding programs to make inquiries about patients or refer patients to other providers without written consent. The Privacy Rule does not change this prohibition.

ii.   Disclosures to agencies that provide services to programs

    Disclosures to Qualified Service Organizations

Both Part 2 and the Privacy Rule recognize that substance abuse treatment programs sometimes need to disclose information about patients to persons or agencies that provide services to the program, such as legal or accounting services. The Part 2 regulations call such service providers "qualified service organizations" and permit programs to sign "qualified service organization agreements" (QSOAs) allowing them to disclose patient-identifying information needed by the organization to provide services to the program. See 42 CFR §2.12(c)(4). In the agreements, the outside service providers acknowledge that in receiving, storing, processing or otherwise dealing with patients' records they are fully bound by Part 2 and promise to safeguard the information, including resisting in judicial proceedings any effort to obtain access to the information, except as permitted by the Part 2 regulations.

Under the Privacy Rule, such outside service providers are "business associates" of the substance abuse treatment program and the program must have a business associate agreement with the business associate in order to share PHI needed by the organization to provide services (see 45 CFR §§160.103 and 164.502(e)).16 The Privacy Rule has different requirements regarding the content of the business associate contract (the HHS Office for Civil Rights has published sample contract language). See 67 Federal Register 53264 (August 14, 2002).

Substance abuse treatment programs must meet the requirements of both Part 2 and the Privacy Rule if they are going to continue to share information with lawyers, accountants and others that provide services to the program.

Transition Provisions: The Privacy Rule permits programs to continue to use current contracts with service providers until April 14, 2004, if the contract existed prior to October 15, 2002, and the contract is not subsequently renewed or modified. Any contract that is renewed or modified after October 15, 2002, must comply with the business associate contract requirements. See 45 CFR §164.532(d).

Disclosures to accreditation bodies

Part 2 permits disclosures to accreditation bodies such as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) under either the QSO provision or the "audit and evaluation" exception, discussed below. The Privacy Rule, however, considers accreditation bodies business associates conducting health care operations on behalf of the covered entity. See 45 CFR §§160.103; 164.501. Substance abuse treatment programs subject to the Privacy Rule who undergo accreditation will have to sign business associate contracts with accreditation organizations. Additionally, substance abuse treatment programs must comply with Part 2, either by ensuring that the business associate contract contains all the requirements of a QSOA or by fulfilling the mandates of the audit and evaluation provisions.

iii.   Audit and evaluation

Both Part 2 and the Privacy Rule permit programs to disclose patient-identifying information to qualified persons who are conducting an audit or evaluation of the program, without patient consent, provided that certain safeguards are met. The Privacy Rule requires that uses and disclosures be limited to the minimum necessary to accomplish the audit or evaluation. Each rule has its own additional requirements. Substance abuse treatment programs subject to both Part 2 and the Privacy Rule must combine those requirements. Three options result:

  • If the audit or evaluation is conducted by a program or its employees, it is permissible under both sets of regulations; no patient consent or authorization is required. See 42 CFR §2.12(c)(3) and 45 CFR §164.502(a)(1)(ii).
  • If the audit or evaluation is conducted by a "health oversight agency,"17 the program may disclose patient-identifying information so long as the health oversight agency makes the written commitments required by 42 CFR §2.53(d) and the disclosure meets the requirements in 45 CFR §164.512(d). If the health oversight agency copies or removes patient records from the program, it must agree in writing to abide by the requirements of 42 CFR §2.53(b).
  • If an audit or evaluation is conducted by an outside entity on behalf of the program as opposed to a "health oversight agency," the program must have a signed a business associate contract with the auditor or evaluator that satisfies the requirements of both the Privacy Rule and Part 2 by incorporating either the necessary QSO agreement requirements (as discussed above in II.B.2.b.ii) or the appropriate provisions of 42 CFR §2.53.
    iv.   Research

The Part 2 regulations and the Privacy Rule have different requirements for disclosures of health information to researchers. See 42 CFR §2.52 and 45 CFR §164.512(i). This will be the subject of additional guidance.


Blue Rule

10 Part 2 uses the term "disclosure" to cover what the Privacy Rule refers to as "uses" and "disclosures." See the definition of these terms in 45 CFR §160.103. Some Privacy Rule provisions differ for "uses" and "disclosures." For convenience, we generally use the Part 2 term "disclosure" throughout to encompass both uses and disclosures under the Privacy Rule. In some instances, however, specific uses or disclosures are discussed.
11 This document uses the term "consent" when referring to any written permission provided by a patient for the use or disclosure of identifiable health information. The Privacy Rule uses the term "authorization" for certain permissions, and also permits, but does not require, programs to obtain "consent" for the use and disclosure of PHI for purposes of treatment, payment, or health care operations.
12 See the Privacy Rule's definitions of "treatment," "payment," and "health care operations" at 45 CFR §164.501. When a substance abuse treatment program obtains information about a patient from a school, relatives, health care providers and health plans for treatment or payment activities, when it refers a patient to other providers and services and when it coordinates care with other health care providers, it almost always makes an implicit disclosure that the patient has applied for or has received alcohol or drug abuse treatment services and thus the program is required to treat these contacts as disclosures and obtain patient consent prior to such contact. In most of these instances, the disclosure from the program is for treatment purposes and the additional Privacy Rule statements would not have to be added to the consent forms. Note that programs may add the Privacy Rule statements in all circumstances, and programs may find it more convenient to use only one kind of consent form.
13The only exception to this rule is when the program director determines that a minor applying for services lacks capacity for rational choice and that the minor applicant's situation poses a substantial threat to life or physical well being of the minor or any other person that may be reduced by communicating relevant facts to the minor's parent or guardian. See 42 CFR §2.14(d).
14In applying the Privacy Rule, programs should consider whether the program and the entity with "direct administrative control" over the program are two separate legal entities. If they are two separate legal entities, PHI flowing between the program and the other entity will generally be governed by the Privacy Rule's requirements regarding "disclosure" rather than "use" of PHI. However, the Privacy Rule recognizes that health care providers may have different organizational arrangements and has established different rules to reflect such arrangements. See the Privacy Rule's provisions regarding hybrid entities (45 CFR §164.105(a) and (c)), affiliated covered entities (45 CFR §164.105(b) and (c)), and organized health care arrangements (OHCAs) (45 CFR §160.103 (definition of "business associate" and "OHCA"), 45 CFR §164.506(c)(5), and 45 CFR §164.520(d)).
15 As noted above, when a program makes an inquiry about, or refers, a patient, it is often making an implicit disclosure that the patient is in substance abuse treatment.
16 A memorandum of understanding would generally be used between government entities rather than a business associate contract.
17 Under the Privacy Rule, a "health oversight agency" is an agency or authority or the United States, a State, a territory, a political subdivision of a State or a territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such a public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance or to enforce civil rights laws for which health information is relevant (45 CFR §164.501). Disclosures to health oversight agencies when an individual is the subject of the investigation are prohibited under certain circumstances by the Privacy Rule (45 CFR §164.512(d)(2)).


Back to Table of Contents


Back to SAMHSA's HIPPA Main Page
Home Page

Go to SAMHSA Home Page
 

This page was last updated on 03 June, 2004
SAMHSA is An Agency of the U.S. Department of Health & Human Services
  Click for Non-frames / text version of site
Privacy Statement  |  Site Disclaimer  |   Accessibility