Special to the Center for Innovative Practices
For those individuals who are at risk for or who seek or have been in treatment for alcohol or drug problems there is a compelling need to protect their privacy. Arguably the confidentiality restrictions encompassed by 42 CFR Part 2 will be more germane to case management conferences than HIPAA since HIPAA only applies to the transmission of health information by a health care covered entity.
However, 42 CFR Part 2 applies only to drug and alcohol programs, including drug and alcohol education programs that admit students on the basis of involvement or suspected involvement in, or being at risk for, alcohol or drug use.
42 CFR Part 2 applies when a provider meets the definition of a program and receives federal assistance. Program includes any person or organization that holds itself out as providing alcohol or drug abuse diagnosis, treatment, referral for treatment or prevention. Although receiving federal assistance appears on its face self-explanatory, the definition includes those organizations assisted by the IRS through a grant of tax exempt status, licensed by the federal government to conduct business, or when the program is operated by the federal government.
Although HIPAA covers health care plans and health care clearinghouses, for purposes of this memo we will focus on health care providers. Health care providers include doctors, clinics, psychologists, etc. if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard for the entity. Health care includes preventative, diagnostic, therapeutic, counseling and assessment services with respect to the physical or mental condition of an individual. If the provider meets these requirements, it will be considered a “covered entity.”
Once a program meets the definition of a covered entity, all patient identifying information transmitted or maintained by the program in any medium is protected by HIPAA. If a covered entity engages both in functions that are covered by HIPAA and in functions that are not covered by HIPAA, the HIPAA privacy rule would only apply to the covered provisions.
Patient identifying information would include demographics that relate to (1) the individual’s past, present or future physical or mental health condition; (2) the provision of health care to the individual; or (3) the past, present, or future payment for the provision of health care to the individual (Legal Action Center, 2012).
This information cannot be disclosed except as permitted by HIPAA or with proper consent in writing by the client. A covered entity can disclose protected health information for its own treatment, payment, and health care operations without client consent. However, only the minimum amount of information that is necessary to accomplish the intended purpose can be shared.
In most cases parents are the personal representatives for minor children and can therefore exercise individual rights such as access to the youth’s medical records. In some cases, however, the parent is not considered the youth’s personal representative. In those cases, HIPAA defers to state and other law to determine the rights of parents to access or control the protected health information. If the law is silent, the covered entity has the discretion to provide or deny a parent access.
Federal Education Reporting Privacy Act (FERPA)
Education records include those files, documents and other materials that contain information directly related to a student that are maintained by the school. However, certain information should not be maintained in the student’s education record, which therefore protects against improper disclosure, including notes made by the school counselor or psychologist and law enforcement information.
Education records cannot be disclosed to a third party outside of the school system, without prior written consent of the student’s parents, except in limited circumstances such as a court order. If an exception exists, schools are still under an obligation to notify the parents before releasing the record.
Comparison of 42 CFR Part 2 and HIPAA
Both 42 CFR Part 2 and HIPAA protect patient identifying information. However, 42 CFR Part 2 only protects information that identifies an individual as being a patient in a drug or alcohol program or as having a drug or alcohol problem, whereas HIPAA protects any health information that identifies an individual. Under 42 CFR Part 2, memories and impressions of program staff regarding a patient, even if never recorded in any form, are also protected.
42 CFR Part 2 protects patients who have applied for, participated in or received an interview, counseling or any other service, including those who have been evaluated for treatment but never received treatment and whether or not they are admitted to the program. It would not include a person who does not show up for an appointment that was arranged by a third party. HIPAA on the other hand does not make distinctions between patients, applicants and no-shows. Both regulations protect former and deceased patients.
Uses and Disclosures
Within both HIPAA and 42 CFR Part 2 there are permitted disclosures of protected information. However, for purposes of this memo, only those circumstances which would apply to a case management conference are discussed. Disclosure should only be that which is necessary in light of the purpose of the communication; i.e., the “less is better” standard should apply. All disclosures should be documented, and 42 CFR Part 2 requires that any disclosure made by patient consent be accompanied by a statement that the information disclosed is protected by federal law and the recipient cannot make any further disclosures unless permitted by the regulations.
Clients under both regulations have the right to request that the program restrict certain uses or disclosures of the client’s protected health information. Although a program is not required to agree to the restriction on disclosures to a qualified service organization or business associate or in response to an audit or evaluation, if the program does agree then it is bound by the agreement and may not disclose the restricted information.
Disclosure is permitted when written informed consent has been provided by the client. Consent is called an authorization in HIPAA. Written informed consent is valid until it has been revoked. HIPAA requires the revocation to be in writing but 42 CFR Part 2 has honored verbal revocations.
42 CFR Part 2 permits consent that cannot be revoked until a certain specified date or condition occurs when a client is mandated into treatment as a condition of a criminal proceeding. If the client voluntarily sought treatment, he/she can revoke consent at any time. Keep in mind, though, that if the client did not sign a consent form during the criminal proceeding, and the client leaves before providing consent, the program is prohibited from disclosing to the referring criminal justice system agency unless authorized in the court order. HIPAA, on the other hand, allows disclosure in response to orders of a court or administrative tribunal.
42 CFR Part 2 allows a program to condition treatment, payment, enrollment, or eligibility of benefits on the patient agreeing to sign consent; however, HIPAA prohibits conditioning treatment, payment, enrollment in a health plan or eligibility for benefits on the patient providing consent, but can provide the consequences upon failure to consent, such as being denied services if refusing to consent to disclosure for purposes of treatment, payment or health care operations or if permitted by state law.
Both HIPAA and 42 CFR Part 2 leave the issue of who is a minor and whether a minor can obtain health care or alcohol or drug treatment without parental consent to state law. 42 CFR Part 2 requires that the program always obtain minor’s consent for disclosure and parent’s consent for disclosure to a 3rd party only if state law requires parental permission to provide treatment to the minor. Therefore if parental consent is not required for treatment, parental consent is not required for disclosure. 42 CFR Part 2 requires minor’s written consent even when the disclosure is to the minor’s parents. 42 CFR Part 2 would also not allow disclosure to a GAL unless minor consented or court ordered.
HIPAA provides that if parental or guardian consent is not needed for a minor to obtain treatment, said person is not considered the personal representative of the minor and minor can act on his own. However, if parental or guardian consent is required for a minor to obtain treatment, the parent or guardian is considered the personal representative and would have access to the minor’s record with or without consent of the minor.
HIPAA and 42 CFR Part 2 both allow consent to be provided by a legal guardian if the person has been found incompetent by a court. Consent is also required to disclose information to the client’s attorney.
Two way or multiple party consent forms are permissible that authorize communications back and forth between the parties as long as spelled out in the consent form. The client can revoke consent to one or more of the parties and if so the rest of the consent still remains in effect.
Disclosure without consent may be permitted if there is a medical emergency. 42 CFR Part 2 requires that the situation pose an immediate threat to health which requires immediate medical intervention (narrower). HIPAA is broader in that it permits disclosure without consent for treatment or health care operations.
HIPAA permits health care providers to notify and inform family members and others involved in the individual’s care of the individual’s location and condition without consent in emergency situations if determined to be in the best interests of the individual. This is unlike 42 CFR Part 2, which only permits disclosure to medical personnel unless authorized by consent. Once disclosed in a medical emergency, the information loses its 42 CFR Part 2 protection and can be re-disclosed as permitted by HIPAA.
A state or federal court may issue an order that authorizes a program to make a disclosure that would otherwise be prohibited. HIPAA does not have any specific requirements. 42 CFR Part 2 requires the client be given notice that a party is requesting the order and opportunity to make an oral or written statement to the court against disclosure.
With respect to 42 CFR Part 2, the court must find that there is “good cause” for the disclosure. Disclosure must be limited to information essential to fulfill purpose of order and restricted to those who need it. A court cannot disclose confidential communications by a patient unless necessary to protect against a threat to life or serious bodily injury; necessary to investigate or prosecute an extremely serious crime; or in connection with a proceeding in which that client has already presented evidence concerning confidential communications.
HIPAA allows disclosure to law enforcement agencies in response to a warrant, subpoena or other investigative demand (permissive). Under 42 CFR Part 2, even if there is a subpoena or warrant, disclosure is only permitted if the client consented or pursuant to a court order. Again the program and client must be given an opportunity to be heard before the court prior to disclosure and disclosure should only be permitted for good cause.
4. Crime at program/against program personnel
When a client commits or threatens to commit a crime on program premises, both regulations allow the program to report the crime to law enforcement.
Relationship to State Law
Both HIPAA and 42 CFR Part 2 preempt state law. However, for states which require greater confidentiality 42 CFR Part 2 would permit more restrictive state provisions. Under HIPAA if a program would find it impossible to comply with both state and federal requirements, or if state law stands as an obstacle then state law is preempted by HIPAA, unless the law is necessary to prevent fraud or abuse or the state law relates to privacy and is more stringent.
Where Do We Go From Here
Understanding and complying with these confidentiality provisions is an essential part of case management practices. It is important to ensure that self-incriminating statements shared during a conference are not later used as evidence against a youth in delinquency adjudications or criminal trials. It is also important to avoid a net widening effect as the client becomes involved in multiple systems. Difficulties in guarding against unlawful disclosure are compounded as more agencies are involved.
The bottom line is that it is best to secure written consent from youth and parents, which include written statements that describe the purpose of case management, public policy needs, agencies’ ability to receive and disclose information on an as needed basis, how agencies will use data obtained from disclosures and expected outcomes.
In order to ensure understanding of these confidentiality provisions, the following should be undertaken:
- Training on the legal requirements;
- Development of guidance material such as standard consent forms and flow charts documenting how and when disclosure is permitted; and
- Development of monitoring practices to ensure compliance.
Monitoring practices are an important aspect not to overlook. Just because you train staff doesn’t necessarily mean they will fully understand what can and cannot be disclosed. The practical application of enforcing confidentiality laws is as difficult as implementing evidence based programs with fidelity. Principles and guidance embedded within implementation science are also applicable to ensuring compliance with confidentiality provisions.
IHBTOhio.org is presented by The Center for Innovative Practices | Part of the Begun Center for Violence Prevention
at Case Western Reserve University’s Mandel School of Applied Social Services