What Are My Rights? A Guide to Patient Confidentiality
Know Your Rights
By Kimberly E. Larsen, Esquire
Personal struggles dealing with addiction and the treatment thereof are just that – personal. As such, concerns over patient confidentiality and privacy are deeply embedded in the legal system. This article is intended to give you a brief and uncomplicated overview of some of the law associated with confidentiality in the treatment of alcohol and drug abuse.
Applicable Federal Law
In today’s society addiction is more readily understood to be a type of disease rather than a moral affliction. However in the not so distant past, there was a negative stigma which shrouded societal perception regarding addiction, this stigma still exists today but fortunately on a lesser scale.
The 1970s brought such fear to light and sparked legitimate concerns over disclosure and use of drug abuse patient records.
In the past, fear of discrimination, isolation and the like often prevented people from seeking treatment on their own. The 1970s brought such fear to light and sparked legitimate concerns over disclosure and use of drug abuse patient records. Once illuminated, these concerns catalyzed the creation of the Drug Abuse Prevention, Treatment, and Rehabilitation Act and Federal confidentiality regulations frequently identified as “Part 2”.
December of 2002 revealed the “Standards for Privacy of Individually Identifiable Health Information” commonly referred to as the “Privacy Rule.” These regulations were generated by the U.S. Department of Health and Human Services (“HHS”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
One of the ambitions of the Privacy Rule is to foster an individual’s sense of privacy protection by addressing how, and to what extent, certain parties such as physicians, medical providers, health insurance companies, etc., may use and/or disclose an individual’s health information. Parties that are subject to the Privacy Rule are identified as “covered entities.” This information is defined as “protected health information” (“PHI”).
PHI: Protected Health Information
PHI means individually identifiable health information, or information that is a subset of health information, including demographic information collected from an individual such as:
- Created or received by a health care provider, health plan, employer, or health care clearinghouse
- Related to the past, present, or future physical or mental health or condition of an individual
- Related to the provision of health care to an individual
- Related to the past, present, or future payment for the provision of health care to an individual
- Identifies the individual
What is important about the Privacy Rule with respect to addiction treatment is that substance abuse treatment programs which are subject to HIPAA must abide with the parameters of the Privacy Rule. Generally speaking, programs that already observe Part 2 will comply with the Privacy Rule as the two are analogous in numerous areas.
It was previously noted that both Part 2 and the Privacy Rule often subject a substance abuse program to similar requirements. For general clarification, the purpose of Part 2 is to protect information that could “reasonably be used” to identify a person. Part 2 goes on to mandate that if disclosure is permissible in some given situation, then the disclosure must be narrowly limited to information necessary to carry out the purpose of that disclosure. Turning to the Privacy Rule, this regulation forbids a program to use or disclose PHI except as permitted by the Rule.
While these two regulations contain many similar requirements, two pertinent differences in the two regulations are:
1. The respective definitions as to what each deems to be information that is protected; and
2. That Part 2’s definition of “disclosure” is such that it loosely encompasses what the Privacy Rule refers to as “uses” and “disclosures.”
…substance abuse programs must observe both rules.
Generally speaking, substance abuse programs must observe both rules. As such a program in accordance with Part 2’s general rule will disallow the disclosure of information unless consent is obtained or an exception specifically permits the particular disclosure.
Additionally the Privacy Rule offers patients new Federal privacy rights. Among these new rights is the right to ask for certain limitations with regard to the uses and disclosures of PHI as well as the right to access, amend, and receive “an accounting of disclosures” of PHI.
When am I Not Protected?
There are certain instances where disclosure of PHI is permitted regardless of patient consent. These situations are fact and circumstance oriented. In other words, permissible disclosure relies heavily on external factors which may necessitate disclosure in an attempt to service, resolve and/or mitigate some given situation. For example disclosure may be crucial in instances where child abuse is being reported or where the situation concerns serious threats to public health and/or safety. For purposes of this limited article, a few scenarios have been succinctly outlined in order to give you a general overview of how their rights may be affected.
Medical Emergencies: In an instance where some condition threatens the immediate health of some person and which requires urgent medical attention, PHI may be disclosed to medical personnel in order to treat that condition. Disclosed information should be limited to only that which is essential to treat the particular medical emergency. Furthermore, when disclosing PHI under this provision, the program is only entitled to disclose to medical personnel.
Subpoenas and Court Orders: PHI may be disclosed by certain “covered entities” if the information being requested is through a court order. Disclosure may also be permissible in response to a subpoena or some other legal process provided that certain assurances regarding notice to the individual or a protective order are afforded.
Generally speaking, the party requesting PHI through a subpoena should demonstrate that PHI is relevant to those legal proceedings, and/or the need for information clearly outweighs the private interest of the individual; or that the inability to obtain such PHI will result in undue hardship.
Law Enforcement Purposes: PHI may be disclosed to law enforcement under the following conditions subject, once again, to specified conditions;
1. As a means of identifying or locating a person of interest (e.g. suspect, fugitive, etc.);
2. In response to a law enforcement’s request for information pertaining to a victim or suspected victim of a crime;
3. In order to notify law enforcement of a person’s death;
4. If a covered entity reasons that PHI is evidence of a crime that transpired on that entity’s premises;
5. By a covered health care provider in a medical emergency, not occurring on its premises, in order to notify law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime; and
6. As required by law (e.g. court ordered warrants, subpoenas, etc.).
The Privacy Rule was intended to create “a federal floor of protection”, but not a “ceiling”…
State Law Can Vary
When the Privacy Standards became effective, the provisions created a national standard which Congress deemed essential to protect individuals’ medical records and other personal health information. The Privacy Rule was intended to create “a federal floor of protection,” but not a “ceiling” of protection. Broadly speaking, Federal law is not intended to preempt state law that provides greater protections. Rather Federal law purports to preempt only provisions of state law which are less stringent than the comparable standards and requirements. In other words, if your state has stricter privacy laws in effect or other applicable law relating to patient privacy that does not conflict with Federal regulations, whether by deferment or design, then those stricter standards are applicable.
For instance under Part 2, a minor must always sign a consent form for a program to release information even to his or her parent or guardian. However a few states mandate that programs acquire parental permission before providing treatment to a minor. Therefore, and only in those particular states, programs must get the signatures of both the minor and an individual legally responsible for that minor.
You should consult your state’s general laws or code of regulations to further determine your specific rights.
Every Case is Unique
In closing, it is imperative to note that this brief article is intended to be a quick snapshot into the vast world of patient rights. Additionally, many areas of the law regarding health care confidentiality have not been addressed; you should be aware that the scope of the Federal regulations mentioned herein is much more complicated then this article portrays. Almost every provision mentioned throughout this article has an exception correlated with it. And certainly every case is as unique as the individual who it affects.
The relevant law is intended to protect both patients and public alike. As such one will often find that balancing the scales of justice requires weighing numerous facts within the bounds of the law itself.
If you feel that your rights have been violated or wish to learn more about the Federal regulations regarding your HIPAA privacy rights in conjunction with confidentiality of alcohol and drug abuse patient records, contact the Department of Health and Human Services or your own state’s department of health.
Contributor Biography: Kimberly E. Larsen, Esq. is a junior associate with the law firm, Martinous Law Associates, Ltd., based in Providence, Rhode Island. Kim practices civil litigation and criminal defense in Rhode Island and Massachusetts.
21 U.S.C. 1175
The Drug Abuse Prevention, Treatment and Rehabilitation Act is codified at 42 U.S.C. 290ee-3.
42 CFR Part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records).
Modifications to the Privacy Rule were adopted in August of 2002 by HHS and are denoted at 45 CFR Part 160 and 164 (Standards for Privacy of Individually Identifiable Health Information; Final Rule.)
45 C.F.R. Â§Â§160.102,160.103.
45 C.F.R. Â§ 164.103.
To determine whether a substance abuse program is subject to the Privacy Rule, it must be determined whether that substance abuse program is a “covered entity” under the Privacy Rule.
42 CFR Â§Â§2.11 and 2.13(a).
For the purposes of this article, consent refers to any written permission provided by the patient for the use or disclosure of identifiable health information.
Substance Abuse and Mental Health Services Administration (“SAMHSA”), Center for Substance Abuse Treatment. (June 2004). The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs (p. 16); see generally 45 CFR Â§Â§ 164.522, 164.524, 164.526, 164.528.
42 CFR Â§2.51.
45 CFR Â§164.512(e).
Office for Civil Rights Privacy Brief. Summary of the HIPAA Privacy Rule. (May 2003). (p. 7).
42 CFR Â§2.14 (with exceptions).
Substance Abuse and Mental Health Services Administration (“SAMHSA”), Center for Substance Abuse Treatment. (June 2004). The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs (p. 8).
All Treatment does not provide medical advice, diagnosis or treatment. See additional information.