Health Insurance Portability and Accountability Act (HIPAA)

This section explores the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Drug and Alcohol Confidentiality Laws and Regulations.

HIPAA GENERALLY

The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted in 1996 to improve efficiency in healthcare by standardizing data exchanges and setting and enforcing confidentiality standards for health data. [1] HIPAA sets forth different rules, including HIPAA’s Privacy Rule. HIPAA’s Privacy Rule aims to protect an individual's protected health information (PHI), but also disclose it when necessary to promote high-quality health care and the public's health and well-being. The HIPAA Privacy Rule accomplishes this end by allowing for the use and disclosure of the minimum amount of PHI necessary to accomplish the intended purpose. Remember, too, that HIPAA Privacy Rule’s sets a floor for privacy protections and does not preempt any federal or state laws or regulations that may be more stringent and provide greater protections to PHI.

Back to top

PROTECTED HEALTH INFORMATION

HIPAA’s Privacy Rule applies to protected health information (PHI) handled by certain entities. PHI is individually identifiable information maintained or transmitted by covered entities in any form or media, whether electronic, paper, or oral. Under HIPAA’s Privacy Rule, individually identifiable health information is individual or demographic data that does both the following:

  • Relates to an individual’s past, present, or future physical or mental health or condition, or the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
  • Identifies an individual, or which it is reasonable to believe could be used to identify an individual. [2]

Individually identifiable health information includes many common identifiers such as names, addresses, birth dates, photos, and social security numbers. [3]

However, information that is de-identified, including aggregate data without personal identifiers, is not governed by the restrictions regarding the use and disclosure of personally identifiable information.

Back to top

ENTITIES GOVERNED BY THE PRIVACY RULE

HIPAA’s Privacy Rule (or “Privacy Rule”) applies only to entities that can be classified as a covered entity, a hybrid entity, or a business associate to a covered entity or a hybrid entity. The Privacy Rule defines covered entities as health plans, health care clearinghouses, and healthcare providers that electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. [4] Generally, these transactions concern billing and payment for services or insurance coverage. Examples of covered entities include hospitals, academic medical centers, physicians, and other health care providers that electronically transmit claims information directly or through an intermediary to a health plan.

Under the Privacy Rule, any legal entity that meets the definition of a covered entity, regardless of size, generally will be subject in its entirety to the Privacy Rule. However, the Privacy Rule also provides a way for covered entities to avoid global application of the Privacy Rule through a process called designation. Designation establishes which parts of the entity must comply with the Privacy Rule. Any single legal entity may elect to be a hybrid entity if it performs some covered and non-covered functions as part of its business operations.

For example, a university may be a single legal entity that includes an academic medical center’s hospital that conducts research for HHS. Because the hospital is part of the university, the whole university would be a covered entity. However, the university can elect to become a hybrid entity through designation. To do so, it must designate the hospital as a health care component. The Privacy rule would then only apply to the hospital and any PHI created, received, or maintained by, or on behalf of, the hospital. 

Back to top

THE RELEASE OF PROTECTED HEALTH INFORMATION

Generally, written consent must be obtained before disclosing PHI. [6] An authorization must contain the following eight (8) elements:

  1. Specific description of PHI to be released;
  2. Name/description of persons or class of persons authorized to disclose PHI;
  3. Name/description of persons or class of persons authorized to receive PHI;
  4. Expiration date or event;
  5. Statement of individual’s right/procedure to revoke authorization;
  6. Statement that disclosed PHI may be subject to re-disclosure by recipient and not protected by the Privacy Rule;
  7. Signature of individual & date (or of personal representative with description of that person’s authority to act); and
  8. Purpose of disclosure (“at request of individual” suffices)

Back to top

EXCEPTIONS TO REQUIREMENT OF OBTAINING AUTHORIZATION PRIOR TO RELEASE

HIPAA’s Privacy Rule also provides for the disclosure of PHI without obtaining authorization. The following describes the circumstances under which an individual’s protected health information may be released:

  • For treatment, payment and billing operations
  • In response to a threat to health or safety
  • In a situation of abuse, neglect, or domestic violence
  • To law enforcement
  • In response to a court order
  • In response to a subpoena
  • To an individual’s other treatment providers

TREATMENT, PAYMENT, AND BILLING OPERATIONS

This provision permits healthcare organizations to transmit PHI without consent. The provision is designed to allow health care entities the necessary level of discretion to carry out routine healthcare delivery. In practice, this provision applies to organizations in charge of coordinating care, performing case management, processing payments, and improving the quality of care.

HEALTH OR SAFETY THREAT

A covered entity may disclose PHI to prevent or lessen a serious, imminent threat to health or safety of others, to person(s) reasonably able to prevent/lessen the threat

ABUSE, NEGLECT OR DOMESTIC VIOLENCE

Under certain circumstances, entities covered by the Privacy Rule may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence. [7] For example, state child abuse reporting laws may require mandated reporters (who may also be covered entities) to disclose protected health information if they suspect a child is a victim of abuse.

LAW ENFORCEMENT

Law enforcement officials such as police and probation officers are not covered entities themselves; however, covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under any of the following circumstances:

  • To uphold the law (e.g. court orders, court-ordered warrants, subpoenas, administrative requests)  (see also “Court Orders” and Subpoenas below)
  • To identify or locate a suspect, fugitive, material witness, or missing person
  • To respond to a law enforcement official’s request for information about a victim of a crime
  • To alert law enforcement of a person’s death, if criminal activity may have caused the death
  • To share evidence of a crime that occurred a covered entity’s premises
  • During a medical emergency not occurring on premises, to inform law enforcement about the commission, nature, location, victims, or perpetrator of the crime.

COURT ORDERS

HIPAA’s Privacy Rule also provides for the disclosure of PHI without obtaining authorization in response to a court order, but gives no direction as to what the court order must contain. [8]

SUBPOENAS

Covered entities may disclose PHI pursuant to a subpoena without the individual’s written authorization if the person seeking disclosure has demonstrated that s/he has made reasonable efforts to notify the individual of the request for the disclosure or has obtained a protective order prohibiting the use the PHI for any other purpose than the litigation for which it was requested. [9]

STUDIES

HIPAA’s Privacy Rule balances the privacy of individually identifiable health information and researchers’ access to medical information necessary to conduct vital research. [10]  The Privacy Rule builds upon existing federal protections for research involving human subjects (e.g., the Common Rule, 45 CFR Part 46, Subpart A, and the Food and Drug Administration’s human subject protection regulations, 21 CFR Parts 50 and 56) which have provisions that are similar to, but distinct from, the Privacy Rule’s provisions for research.

Covered entities may use and disclose protected health information for research if the individual signs an authorization disclosure of protected health information for research in the following situations:

  • Institutional Review Board (IRB) Approval. The covered entities must have obtained documented Institutional Review Board (IRB) or Privacy Board Approval [11] to conduct records research, when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants’ authorization were required. [12]
  • Preparatory to Research. The researcher, either in writing or orally, must represent that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research purpose. [13]
  • Research on Protected Health Information of Decedents. The researcher must represent, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. [14]
  • Limited Data Sets with a Data Use Agreement. The covered entity and the researcher must enter into a data use agreement that explains the limitations of the data set and how it will be used (e.g. for research, public health, or health care operations).  These limitations must satisfy the requirements in 45 CFR 164.514, which outlines standards for the de-identification of protected health information. [15]

OTHER TREATMENT PROVIDERS

HIPAA’s Privacy Rule allows a health care provider to release records to an individual’s other treatment provider(s) without first obtaining a signed authorization. [16]

However, HIPPA’s Privacy Rule does not permit covered entities to disclose psychotherapy notes without written authorization. Improper disclosures under the Privacy Rule may carry civil monetary or even criminal penalties.

Under the Privacy Rule, individuals have the right to receive from covered entities an accounting of all research disclosures, except those that have been made with authorization or with limited data. [17]

Back to top

HIPAA AND MINORS

Generally, HIPAA’s protections and rights belong to the individual who is the subject of the PHI. [18] With some exceptions, s/he has access to the PHI records and controls disclosure and third party access. However, sometimes the individual’s personal representative retains disclosure rights. [19] In most circumstances, a minor does not control his or her own health records. Rather, the minor’s parent, guardian, or other person acting in loco parentis is the minor’s personal representative and controls the health care records. [20]

However, unemancipated [21] minors control their own health records in three situations: (1) when the minor consented to health care services and no other consent was required by law, (2) when the minor lawfully obtained health care services without the consent of a minor’s parent, guardian, or other person acting in loco parentis, and the minor obtained other consent required by law, and (3) the minor’s parent or guardian agreed to confidentiality between the health care provider and the minor. [22]

Moreover, HIPAA does not overrule state or other applicable laws that require, permit, or prohibit disclosure of minors’ records to their parents. [23] In such situations, HIPAA defers to state law. [24] Furthermore, when a parent is not the minor’s personal representative and state law is silent as to the parent’s access to the minor’s records, the health care provider may exercise discretion to grant or deny access to a parent requesting information. [25]

Back to top

HIPAA AND THE JUVENILE JUSTICE SYSTEMS AND CHILD WELFARE SYSTEMS

HIPAA governs the release of a minor’s PHI by a covered entity to persons and agencies in the juvenile justice and child welfare systems when a minor is involved with one or both of those systems. Moreover, juvenile justice and child welfare agencies that are covered entities (or hybrid entities) [26] as defined by HIPAA must follow the Privacy Rule with regard access to and disclosure of a minor’s PHI, with some exceptions as described below. 

A covered entity may disclose PHI [27] to a correctional institution (i.e., secure detention and secure care facilities) or law enforcement official having custody of a youth without obtaining prior consent if the information is needed for:

  • Providing healthcare to the youth;
  • Ensuring health and safety of that youth, other youth or employees of the correctional institution, including those who transport youth; or
  • Law enforcement at the correctional facility.

Youth in the custody of correctional institutions (“inmates”) include youth both prior to and after adjudication when the youth are held in juvenile facilities. They do not include youth on probation or supervised release. [28]

Correctional institutions that are covered entities must follow the Privacy Rule with the following exceptions:

  • A correctional institution does not have to comply with the notice of privacy practices requirements.
  • A correctional institution may deny an inmate’s request to obtain a copy of PHI if it would jeopardize the inmate’s health, safety, security, custody, or rehabilitation or of other inmates, or the safety of any officer, employee, or person responsible for transporting the inmate. [29]  The correctional institution is not required to provide an opportunity for review of the denial. [30]

This ground for denial is restricted to an inmate’s request to obtain a copy of PHI. [31]

Back to top

HIPAA AND FERPA

Sometimes schools handle health information, and health care entities handle education information. Imagine a public school’s psychologist who maintains her students’ mental health records or a mental health treatment facility administrator that keeps students’ education records for the facility’s on-grounds school. Only one of these laws at a time can apply to a piece of information, and each law treats sharing differently, so it is essential to identify which law applies and to know what it allows. [32]

Education records, including any health care information in them, are covered by FERPA and not HIPAA’s Privacy Rule. [33]  This is because HIPAA Privacy Rule excludes from its definition of protected health information any individually identifiable health information contained in an education record covered by FERPA, as well as treatment records that are included in a student’s education record. [34]

As a result, in most cases, HIPAA does not apply to health information maintained by an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA. HIPAA might apply to health services at a private elementary or secondary school that receives no federal funding or a public school that outsources it’s health care to a HIPAA-covered entities such as hospitals, clinics, or government health departments. Conversely, FERPA will apply to the health information contained in education records at schools that have health centers operated by schools. For example, records maintained by a school nurse employed by, or under contact to, a school district are education records governed by FERPA. Therefore, parents (and eligible students) have access to these education records and generally control third-party access to them. [35]

Like FERPA, HIPAA limits initial disclosures to the minimum amount of information necessary to accomplish the intended purpose. Unlike FERPA (20 U.S.C. 1232g(b)1(L)), HIPAA does not allow for the unauthorized release of records to child welfare caseworkers. But caseworkers may receive PHI through other means. A child welfare agency may receive a child’s PHI if it the agency is a covered entity that receives PHI to perform certain administrative or financial transactions. The agency might also receive PHI as a result of mandatory reporting or disclosure. And, of course, the parent can consent to the disclosure. Moreover, unlike FERPA, HIPAA does not prohibit redisclsoure.

Finally, both HIPAA and FERPA have special provisions that allow for the release of records without consent in various situations, detailed above, such as court orders, subpoenas, and emergencies. Both laws also have special provisions that to apply to children in detention and placement. FERPA facilitates the release of education records when children are detained pre-adjudication and when they are released from detention or placement. HIPAA applies to medical providers in secure placements and detention, but youth who are detained aren’t entitled to a privacy notice or a copy of PHI resulting from treatment while in placement/detention.

Back to top

Federal Drug and Alcohol Confidentiality Laws and Regulations

In the substance abuse treatment field, confidentiality is governed by the federal drug and alcohol (FDAC) laws (42 U.S.C. § 290dd-2) and regulations (42 CFR Part 2). These FDAC laws and regulations outline the limited circumstances when information about an individual’s drug or alcohol treatment may be disclosed without the individual’s consent. [36] The regulations, known as “Part 2,” strictly limit disclosures about individuals obtaining diagnosis, referral or treatment in federally assisted programs. [37] Any information that might reasonably identify an individual is protected by Part 2, and all permissible disclosures are limited to the information necessary to carry out the purpose of the disclosure. [38] As a corollary, anyone who receives information from a substance abuse program is prohibited from re-disclosing it. [39]

Part 2 applies to any federally regulated or assisted substance abuse education, treatment, or prevention programs (“federally assisted programs”). [40] Therefore, these regulations apply to both freestanding programs and programs that are part of larger organizations, such as a substance abuse clinic in a county mental health department or a county jail. [41] The regulations categorically exclude the interchange or records within the Uniformed Services or within those components of the Department of Veterans Affairs furnishing health care to veterans; or between such components and the Uniformed Services. [42]

Part 2 is similar to HIPAA in that it sets a federal privacy floor. This means that Part 2 preempts state laws that are less protective of substance abuse treatment records, but preserves provisions of state law that are more stringent. [43] Moreover, state law cannot compel any disclosure that is prohibited under federal law. [44]

Back to top

THE RELEASE OF INFORMATION COVERED BY PART 2

The release of information covered by Part 2 requires specific patient consent. A patient consent form must be written and contain the following elements to be valid: [45]

  1.  Names/designations of the persons authorized to disclose information;
  2.  Names/designation of persons or organization authorized to receive the information;
  3. Patient’s name who is the subject of the disclosure;
  4. Purpose of the disclosure;
  5. Specifics as to how much and what kind of information will be disclosed;
  6. Statement of individual’s right to revoke authorization and the procedure to revoke authorization;
  7. The program’s ability to condition treatment, payment, enrollment, or eligibility of benefits on the patient’s agreeing to sign the consent, by stating either that the program may not condition these services on the patient’s signing the consent or that these are the consequences for the patient’s refusal to sign the consent;
  8. Date, event, or condition upon which the consent expires if not previously revoked (when consent is used in a criminal justice setting, expiration of the consent may be conditioned on the completion of, or termination from, a program instead of a date);
  9. Signature of the patient (and/or other authorized person); and
  10. Date on which the consent is signed

Back to top

FDAC AND MINORS

In states where minors can voluntarily consent to substance abuse treatment without parental consent, FDAC laws require the minor to consent in writing to the disclosure of records, including disclosure to the minor’s own parents. [46]

Back to top

EXCEPTIONS TO REQUIREMENT OF OBTAINING SIGNED AUTHORIZATION PRIOR TO RELEASE

Although prior written consent is generally required, Part 2 does include certain narrow provisions and exceptions where disclosure is allowed without patient consent. These provisions detail the release of protected information to conduct scientific research [47] and audits, [48] and the treatment of a person who is experiencing a medical emergency. [49]

RESEARCH EXCEPTION

Specifically, under the scientific research exception, the recipient of the research must do two things. First, they must prove that they have: (1) “qualif[ications] to conduct the research”; (2) “a research protocol” for securing and redisclosing the PHI that does not identify any patient; and (3) three or more individuals who have certified in writing that they reviewed the patient protection protocols and determined that “the risks of disclosure are outweighed by the benefits of the research.” [50] Second, the researchers must agree that they will not identify any individual in any report or otherwise disclose patient identities. [51]

AUDIT

Under the audit exception, a person may review PHI if that person is acting on behalf of a public or private entity that is authorized by the regulations to perform audits and that person agrees in writing to comply with limitations on redisclsoure described in the regulations. [52]

MEDICAL EMERGENCIES

Under the medical emergency exception, PHI may by disclosed to medical personnel who have a “need for the information” for the purpose of treating a condition which (1) “poses an immediate threat” to the health or safety of any individual and (2) “requires immediate medical intervention.” [53]

Back to top

GENERAL EXCLUSIONS FROM PART 2 RESTRICTIONS

There are other circumstances when PHI can be released without patient consent. But, these circumstances are not exceptions to consent. They are more general exclusions from Part 2’s restrictions on disclosure and use.

First, the restrictions on disclosure and use in Part 2 do not apply among people working within the same substance abuse treatment program or between a program and an entity having direct administrative control over that program. [54] For example, the staff of a detention center’s clinic may share information with detention center administrators where needed to provide substance abuse treatment to the clinic’s patients.[55]

Second, information may be released to qualified service organizations. These include a person or entity that provides services such as data processing, bill collection, or accounting for the program. [56]

Third, the restrictions on disclosure and use in Part 2 do not apply to a patient’s commission (or threat) of a crime on the premises of a substance abuse treatment program or against personnel. [57] In situations of crimes (or threats) on program premises or against personnel, program personnel can notify law enforcement.[58] However, this notification can only include, “the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual’s name and address, and that individual’s last known whereabouts.” [59]

Finally, the restrictions on disclosure and use in Part 2 do not apply to reporting suspected child abuse. [60] But, Part 2 protects the patient’s original alcohol or drug abuse records maintained by the program. [61]

Back to top

PART 2 AND THE JUVENILE JUSTICE AND CHILD WELFARE SYSTEMS

Many of Part 2’s rules and exceptions apply to youth in the juvenile justice or child welfare system. [62] For example, a researcher who wants to study the instance of substance abuse on system-involved youth will have to meet the requirements of the studies exception. And, a substance abuse treatment center at a school must disclose information to medical personnel at a juvenile detention center if necessary to treat a medical emergency. [63]  

In addition, Part 2 specifically may address the needs of some youth in the juvenile justice and child welfare systems through provisions on privacy notification for “inmates,” [64] patient referrals, [65] and court orders.[66]

First, Part 2 requires that programs notify all patients – including “inmates” – of the federal protections for drug and alcohol abuse records. [67]

Second, Part 2 allows for disclosures regarding substance abuse treatment when participation in treatment is a condition of a criminal proceeding’s outcome (e.g. as part of a drug court program). [68] However, a program may only disclose information about a patient to individuals who have a need for the information to monitor the patient’s progress, such as probation and parole officers. [69] In these situations, courts can require a patient to sign a confidentiality waiver that allows the programs (or other entities that monitor progress) to share information with the court. [70] And. anyone who receives patient information under this provision of Part 2 may only re-disclose it to individuals who will use the information to carry out “official duties” with regard to conditional release or other actions that were specified in the waiver. [71]

Third, Part 2 explains the narrow circumstances when judge can issue a court order for the release of protected information that is relevant in criminal or non-criminal matters. Specifically, Part 2 states that substance abuse records may not be used to initiate or substantiate criminal charges against a current or former patient or to conduct any investigation of them, unless a court order has been obtained. [72] Part 2 implements this requirement by specifying a high burden to obtaining a court order. [73]

A court can only order release of PHI under Part 2 if gives the patient notice and a hearing on the proposed disclosure and a review of the evidence that finds: (1) the crime is extremely serious; (2) there is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution; (3) other ways of obtaining information are not effective or available; and (4) the potential injury to the patient, the physician-patient relationship, and the ability of the program to provide services to other patients is outweighed by the public interest and need for the disclosure. [74]

In the non-criminal context, Part 2 also mandates particular procedures and criteria for orders authorizing disclosures. [75] Like the order in criminal proceedings, Part 2 requires notice to the patient and a review of evidence. [76] But, unlike the order in criminal proceedings, the patient does not get a hearing on the proposed disclosure. [77] Moreover, the findings required to make the disclosure are fewer: (1) other ways of obtaining the information are not effective or available and (2) the public interest and need for the disclosure outweighs the potential injury to the patient, the physician-patient relationship, and the treatment services. [78]

In general, these orders may authorize a disclosure or use of patient information, but cannot compel disclosure. [79] A subpoena or other legal mandate would have to be served simultaneously to compel disclosure. [80]

Back to top

General Resources

Federal Law Statutory Compilation: Confidentiality, Privacy, and Information Sharing Provisions - This table catalogues key sections of FERPA, HIPAA, and the Confidentiality of Alcohol and Drug Abuse Patient Records of the Public Health Service Act. For each key component of legislation, the table includes excerpted text and a brief summary highlighting the real world implications of the act. Resource available at http://www.promoteprevent.org/sites/www.promoteprevent.org/files/resources/federal_law_statutory_compilation_2012.pdf.

Back to top

Resources on HIPAA

What You Need to Know About HIPAA - Geared towards family practice clinicians, this article discusses HIPAA compliance and highlights the regulations that impact primary care the most, such as regulations for transaction, privacy, and security. Resource available at http://www.aafp.org/fpm/2001/0300/p43.html

Summary of the HIPPA Privacy Rule - The purpose of the Privacy Rule is to set national standards for protection of health information. This resource provides an overview of the Privacy Rule including who is covered, what information is protected, and how protected information can be used and shared between government agencies. Resource available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

Online Courses on Confidentiality and Communication for Federal Drug and Alcohol Laws and HIPAA The website offers an introductory online course for front-line workers, and an advanced course for senior policy-makers on confidentiality and communication regarding the Federal Drug and Alcohol Laws and HIPAA. Both courses provide sample forms and have the option for continuing education credits. Resource available at http://www.lac.org  

The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs - As a resource for alcohol and substance abuse programs, this document provides information on the Privacy Rule, situations when it is applicable, and its effect on disclosures of information. The document also explains major changes required by the Privacy Rule to ensure compliance. Resource available at http://www.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdf

Protecting Minors Health Information Under Federal Medical Privacy Regulations - This guide for healthcare providers describes the rights of individuals under HIPAA and helps the reader maneuver the legal details of parental/guardian access to child health records given various circumstances and scenarios. Resource available at http://www.aclu.org/FilesPDFs/med_privacy_guide.pdf

Health Information Privacy Web Page - This section of the Health and Human Services (HHS) website details relevant privacy and security rules in HIPAA. There are sections on this site that provide details on the HIPAA administrative simplification statute, enforcement activities, and frequently asked questions. Resource available at http://www.hhs.gov/ocr/privacy/

Back to top

Resources on FDAC Laws

Patient Privacy and Confidentiality in the Changing Health Care Environment: HIPAA, 42 C.F.R. Part 2, and Health Care Reform – This training provides an overview of federal laws governing the confidentiality of health records, including alcohol and drug treatment records http://lac.org/resources/substance-use-resources/confidentiality-resources/training-material-patient-privacy-confidentiality-changing-health-care-environment-hipaa-42-c-f-r-part-2-health-care-reform/

FAQ on Applying the Substance Abuse Confidentiality Regulation to Health Information Exchange - These lists of frequently asked questions explains the specific subsections of the substance abuse confidentiality regulations and explores how they will impact information sharing in the healthcare world. Resources available at http://www.samhsa.gov/about-us/who-we-are/laws/confidentiality-regulations-faqs

Substance Abuse Confidentiality Regulations Web page - This web page connects to resources from the “Applying Substance Abuse Confidentiality Regulations to Health Information Exchange: FAQ Meeting”. It includes the meeting agenda and webcast, as well as answers to frequently asked questions on substance abuse confidentiality regulations. Resource available at http://www.samhsa.gov/healthPrivacy/. See also http://www.samhsa.gov/laws-regulations-guidelines/medical-records-privacy-confidentiality.

Back to top


[1] 2 U.S.C. § 201 et seq. (42 U.S.C. 1320d-2).

[2] 45 C.F.R. § 160.103.

[3] 45 C.F.R. §164.501.

[4] 45 C.F.R. § 160.103.

[5] 45 C.F.R. § 164.504; See also Health & Human Services National Institutes of Health, “To Whom Does the Privacy Rule Apply and Whom Will it Affect,” last updated Feb. 2, 2007, last visited Dec. 2, 2013 at http://privacyruleandresearch.nih.gov/pr_06.asp.

[6] But in certain circumstances a covered entity may use or disclose PHI without first obtaining signed authorization, for example for treatment, payment or health care operations and for public interest and benefit activities. 45 C.F.R. § 164.502(a).

[7] 45 C.F.R. § 164.512(c).

[8] 45 C.F.R. § 164.512(e).

[9] 45 C.F.R. § 164.512(e).

[10] 45 C.F.R. §§ 164.501, 164.508, 164.512(i); See also 45 CFR §§ 164.514(e), 164.528, 164.532.

[11] The Privacy Board – which is distinct from an IRB -- was founded to help researchers meet the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These requirements may affect any research that uses certain protected health data. Under the HIPAA Privacy Rule, any research that involves protected health information, regardless of the source of funding, must be authorized by the individuals whose health data they intend to use, or the researcher must obtain a Waiver of Authorization. The Privacy Board was specifically established to review requests for a Waiver of Authorization.

[12] See 45 C.F.R. § 164.512(i)(1)(i).

[13] See 45 C.F.R. § 164.512(i)(1)(ii).

[14] See 45 C.F.R. § 164.512(i)(1)(iii).

[15]45 CFR 164.514.

[16] 45 C.F.R. § 164.506(c).

[17] See 45 C.F.R. 164.528.

[18] 45 C.F.R. § 160.103.

[19] 45 C.F.R. § 164.502(g)(1).

[20] 45 C.F.R. § 164.502(g)(3).

[21] HIPAA defers to state law for the definition of emancipation.

[22] 45 C.F.R. § 164.502(g).

[23] 45 C.F.R. § 164.502(g)(3)(1); 45 C.F.R. § 1640.202.

[24] 45 C.F.R. § 164.502(g)(3)(1); 45 C.F.R. § 1640.202.

[25] See Protecting Minors’ Health Information under the Federal Medical Privacy Regulations (ACLU Reproductive Freedom Project, 2003) at 9, available at http://www.aclu.org/ReproductiveRights/ReproductiveRights.cfm?ID=12118&c=223.

[26] Agencies must obtain a legal opinion from their legal counsel to determine if they are a covered entity under HIPAA.

[27] Recall, PHI is a youth’s individually identifiable health information.

[28] 45 C.F.R. § 164.512(k)(5)(iii).

[29] 45 C.F.R. § 164.512(a)(2)(ii).

[30] Id. The scenario described in the text accompanying footnote 29 is an “unreviewable grounds for denial.”

[31] 45 C.F.R. § 164.512(a).

[32] For a more complete discussion on the application of these laws together, see us dep’t health & human services, us dep’t of education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, Nov. 2008, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf (“Joint Guidance DHHS & DoE 2008”).

[33] Federal Register (December 28, 2000), p. 82483.

[34] Joint Guidance DHHS & DoE 2008, supra at note 32.

[35] Id.

[36] 42 U.S.C. § 290dd-2(b)(1).

[37] Id.

[38] 42 C.F.R. § 2.3(a).

[39] 42 C.F.R. § 2.32.

[40] These are programs that receive federal financial assistance in any form, including money not used directly for drug and alcohol treatment; or programs that are run by state or local government units that receive any federal money; or programs that have IRS tax exempt status. 42 C.F.R. § 2.11. Even clinics that don’t meet any of these requirements must comply if their state law requires them to follow Part 2. Id.

[41] Id.

[42] 42 U.S.C. § 290dd-2(e)(1).

[43] 42 C.F.R. §2.20.

[44] Id.

[45] 42 C.F.R. § 2.31(a); 45 C.F.R. § 164.508(c).

[46] 42 U.S.C. § 290dd-2(b)(1).

[47] 42 C.F.R. §2.52.

[48] 42 C.F.R. §2.53.

[49] 42 C.F.R. §2.51; See Substance Abuse & Mental Health Services Admin. U.S. Dep’t Health & Human Services FAQs on Applying the Substance Abuse Confidentiality Regulations 42 C.F.R. Part 2 available at http://www.samhsa.gov/healthPrivacy/docs/PrivacySAMHSAFAQsII.pdf (last visited Jan 1, 2014).

[50] 42 C.F.R. §2.53; § 2.51.

[51] 42 C.F.R. §2.52.

[52] 42 C.F.R. §2.53.

[53] 42 C.F.R. §2.51. Furthermore, this exception includes a “special rule” that allows disclosure of PHI to personnel of the Food and Drug Administration if there the health of any individual may be threatened by an error in manufacture, labeling, or sale or f a product under FDA jurisdiction and the information provided will be used to notify patients or physicians of potential dangers.

[54] 42 C.F.R. § 2.12 (c)(3). See also 42 C.F.R. § 2.11 (defining treatment).

[55] 42 C.F.R. § 2.12 (c)(3).

[56] 42 C.F.R. §§ 2.3, 2.12, 2.13. Qualified Service Organizations receive information for the purpose of data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy.

[57] 42 C.F.R. § 2.12(c)(5).

[58] Id.

[59] 42 C.F.R. §2.12(5)(ii).

[60] 42 C.F.R. § 2.12(c)(6).

[61] Id.

[62] See supra text accompanying footnotes 54 –60.

[63] 42 C.F.R. §2.51. Furthermore, this exception includes a “special rule” that allows disclosure of PHI to personnel of the Food and Drug Administration if there the health of any individual may be threatened by an error in manufacture, labeling, or sale or f a product under FDA jurisdiction and the information provided will be used to notify patients or physicians of potential dangers.

[64] 42 C.F.R. § 2.22.

[65] 42 C.F.R. §2.35.

[66] 42 C.F.R. §2.61-2.65.

[67] C.F.R. § 2.22.

[68] 42 C.F.R. §2.35.

[69] Id.

[70] Id.

[71] Id.

[72] 42 U.S.C. §290dd-2(b)(c).

[73] 42 C.F.R. § 2.65.

[74] 42 U.S.C. §290dd-2(b)(c).

[75] 42 C.F.R. § 2.64.

[76] Id.

[77] Id.

[78] Id.

[79] 42 U.S.C. §290dd-2(b)(2); 42 C.F.R. § 2.2; 45 C.F.R. §164.512(j).

[80] 42 U.S.C. §290dd-2(b)(2); 42 C.F.R. § 2.2; 45 C.F.R. §164.512(j).