Summary of HIPAA and Federal Drug and Alcohol Confidentiality Law
By Michelle Riske-Norris
Special to the Center for Innovative Practices

The following is a brief summary of my research on the Federal Drug and Alcohol Confidentiality Law (42 CFR Part 2) and (HIPAA) which I thought would be useful before our meeting. I also included a brief summary of the Federal Education Reporting Privacy Act (FERPA).  This overview is cursory and only meant to provide a brief overview.

The nuances and intricacies of these laws can be quite confusing.  The issue researched was how these two laws affect information shared during a case management conference.  Specifically what information can be shared by therapists and practitioners during these types of meetings and whether there were any restrictions or constraints which may impede open discourse?  Understanding these laws will help to avoid inappropriate use of information and minimize potential negative colhippa-logolateral consequences of information sharing.

While information sharing is optimal during a case management conference to ensure coordinated case plans for the youth and families who are served by multiple agencies to improve outcomes for these individuals, nevertheless there are restrictions in how and what confidential information can be disclosed. If there is improper disclosure, the individual and/or organization could face fines and penalties ranging from $500 to $50,000 for the first offense.

Unauthorized disclosure violates the individual’s due process rights. This summary assumes that the client is a youth; therefore, additional considerations are discussed involving the role and influence of parents and guardians. While these laws have many similarities in terms of confidentiality restrictions there are some differences, especially in terms of what information can be disclosed to the parents.

Both regulations establish standards for maintenance, use and disclosure of health information, including what must be done before a disclosure of confidential information can be made, the manner in which the information may be disclosed, and to whom it may be disclosed (Legal Action Center, 2012).

As a general rule of law, personally identifiable information should only be disclosed, shared or used in a manner that is consistent with federal, state and local laws.  As a rule of thumb information should not be shared unless informed voluntary authorization is provided by the youth and/or parents/guardians.

These restrictions on disclosure do not pertain to mandated child abuse reporting laws and other laws that require disclosure for public safety reasons. There are also a few other exceptions where disclosure be may be permitted without informed consent but these instances are usually rare.

According to the US Department of Health and Human Services, these two laws do not conflict and in most instances both can be given effect (65 Federal Register 82480-93 – December 28, 2000).  However in those instances where these two federal laws conflict, usually the most recently enacted law will prevail, except when an earlier law has a narrow, precise or specific subject matter and the later enacted law treats the subject more generally (Legal Action Center, 2012).  For example, many HIPAA provisions permit, but do not mandate disclosure of health information, while 42 CFR Part 2 prohibits all disclosures except those specifically allowed by the regulations. Since 42 CFR Part 2 is more restrictive this law will prevail over HIPAA.

IHBTOhio.org is presented by The Center for Innovative Practices | Part of the Begun Center for Violence Prevention
at Case Western Reserve University’s Mandel School of Applied Social Services
Campus Location: 11235 Bellflower Road Room 375  | Cleveland, OH 44106
Mailing Address: 10900 Euclid Avenue | Cleveland, OH 44106-7164
Telephone: 216-368-5235 | email: pxm6@case.edu
© 2019 Center for Innovative Practices, Cleveland, Ohio 44106