TAP 13: Confidentiality of Patient Records for Alcohol and Other Drug Treatment
The regulations that protect the identities of persons in alcohol or drug abuse treatment have their genesis in two statutes of the early 1970's: the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970 and the Drug Abuse Prevention, Treatment and Rehabilitation Act of 1972. These statutes were implemented by regulations issued by the then Department of Health, Education and Welfare (HEW) in 1975. Revised in 1987 by one of HEW's successors, the Department of Health and Human Services, the regulations are set out at title 42, part 2, of the Code of Federal Regulations. Recently, Congress reaffirmed and reorganized the original confidentiality statutes by merging them into one act, the Public Health Service Act, now title 42, section 290dd–3, of the United States Code. The merger had no effect on the confidentiality regulations. Throughout this document, references to the confidentiality law or regulations will mean the regulations at title 42, part 2, of the Code of Federal Regulations.
The Federal drug and alcohol confidentiality laws are predicated on the public health view that people with substance abuse problems are likelier to seek (and succeed at) treatment if they are assured that their need for treatment will not be disclosed unnecessarily to others. The congressional committee that put the original drug confidentiality statute into final form noted in its report: "The conferees wish to stress their conviction that the strictest adherence to . . . [confidentiality] is absolutely essential to the success of all drug abuse prevention programs. Every patient and former patient must be assured that his right to privacy will be protected. Without that assurance, fear of public disclosure of drug abuse or of records that will attach for life will discourage thousands from seeking the treatment they must have if this tragic national problem is to be overcome."1 In keeping with this view, the drug and alcohol confidentiality regulations restrict both the disclosure and the use of information about individuals in federally assisted drug or alcohol abuse treatment programs.2
The Federal alcohol and drug confidentiality regulations restrict the disclosure and use of "patient identifying" information about individuals in substance abuse treatment. Patient-identifying information is information that reveals that a person is receiving, has received, or has applied for substance abuse treatment.3 What the regulations protect is not the individual's identity per se, but rather his or her identity as a participant in or applicant for substance abuse treatment.
The regulations apply to holders, recipients, and seekers of patient-identifying information. An individual or program in possession of such information—for example, a federally assisted substance abuse program—may not release it except as authorized by the patient concerned or as otherwise permitted by the regulations. Anyone who receives such information from a substance abuse program may not redisclose it without patient consent or as otherwise authorized by the regulations and may not use it except for certain purposes discussed below under "Exceptions to the Rule for Holders of Patient-Identifying Information." Finally, anyone seeking such information may not compel its disclosure except as permitted by the regulations.4
The Federal drug and alcohol confidentiality regulations are stricter than most other confidentiality rules. In general, they apply whether the person seeking the information already has it, is seeking it for a judicial or administrative proceeding, is a law enforcement or other government official,5 has a subpoena or a search warrant, or is the spouse, parent, relative, employer, or friend of the patient.
Violators of the regulations are subject to a criminal penalty in the form of a fine of up to $500 for the first offense and up to $5,000 for each subsequent offense.6 Violators that are licensed or State certified (which would include virtually all programs and their professional employees) jeopardize their license or certification. The patients concerned may also sue violators for unauthorized disclosure.7
State confidentiality law may be more restrictive than but may not override the Federal regulations. Where State law is not stricter and conflicts with the Federal regulations, State law must yield. Even where State law conflicts with the regulations, however, the State law can usually be complied with through one of the many exceptions to the regulations.
The general rule is that a federally assisted drug or alcohol abuse program may not disclose, directly or indirectly, the identity of its former, current, or would-be patients. However, the rule is not absolute, and most requests for patient-identifying information can be accommodated by one or another exception to the rule. This section explores the elements of the rule.
The regulations apply to federally assisted organizations and individual practitioners (for example, psychologists, physicians, or even acupuncturists) that specialize in providing, in whole or in part, individualized (that is, one-to-one)8 alcohol or drug abuse diagnosis, treatment, or referral for treatment.9 The regulations apply to both freestanding programs and programs that are part of larger organizations, for example, a detoxification unit in a general hospital or a substance abuse clinic in a county mental health department. Part- and full-time employees, volunteers, student interns, former staff, and executive, administrative, clinical, and support personnel must comply with the regulations.
A program is federally assisted if it is directly funded by the Federal Government, is operated by the Federal Government, is certified for medicaid reimbursement, receives Federal block grant funds through a State or local government, is licensed by the Federal Government (for example, to dispense methadone), or is exempt from paying taxes under a provision of the Federal Internal Revenue Code.
A disclosure of patient-identifying information is any communication that directly or indirectly identifies someone as being in, having been in, or having applied for treatment in a substance abuse program. A program will have made a patient-identifying disclosure where it discloses a patient's record, permits an employee to testify about a patient's treatment, allows a receptionist to confirm that a particular person is a patient of the program, uses stationery that suggests that the addressee may be one of its patients, or discloses anecdotal material from which a patient's identity may be inferred.
A patient is anyone who has applied for or received a diagnostic examination or interview, treatment, or referral for treatment for drug or alcohol abuse from a drug or alcohol program. Applicants for such services are covered by the regulations even if they fail to show for their initial appointment or evaluation or, having been interviewed or diagnosed, elect not to follow up or enter treatment. The regulations protect current, former, and deceased patients.
The Federal confidentiality regulations are strict, but not absolute. They allow patient-identifying disclosures in several situations.
Patient-identifying information may be disclosed within a program, or to an entity having direct administrative control over a program, if the recipient of the disclosure needs the information to provide substance abuse services to the patient. "Within the program" means within the organization or organizational unit that provides substance abuse services. This means, for example, that the staff of a detoxification unit within a hospital may share patient-identifying information with one another—and with hospital administrators with direct supervisory oversight for the program—where such sharing of information is needed to provide substance abuse services to the program's patients. The program may also share information, where necessary, with, for example, the hospital's recordkeeping or billing departments, since those units are integral to the program's functioning. However, the program may not freely share patient-identifying information with other parts or units of the hospital. Anyone within or in direct administrative control of a program who receives patient-identifying information is bound by the confidentiality regulations and may not redisclose the information except as allowed by the regulations.
Generally, a program may disclose any information about a patient if the patient authorizes it by signing a valid consent form.10 To be valid, a consent must specify the following:
A proper consent—that is, a consent that includes the foregoing features—will permit a holder of patient-identifying information to make patient-identifying disclosures to outsiders, such as probation officers, employers, or relatives of the patient. When making a disclosure pursuant to such a consent, a program need not send a copy of the consent to the recipient of the disclosed material. Where, however, the program is asked for a disclosure by someone outside the program, it will have to receive a copy of the consent before it may respond to the request. The regulations permit a program to make a patient-identifying disclosure pursuant to a copy (as opposed to the original) of a consent.13
Whenever a disclosure is made pursuant to a consent, it must be accompanied by a written notice prohibiting redisclosure.14 The notice prohibiting redisclosure warns the recipient that the information disclosed is protected by Federal law and may not be redisclosed except with the patient's consent or under an exception to the regulations. The prohibition-on-redisclosure notice must be sent to the recipient even where the disclosure was made orally.
That programs may not disclose patient-identifying information does not mean that they may not disclose a patient's identity. (Patient-identifying information is information that reveals that the patient is in, has been in, or has applied for substance abuse treatment.) What programs are prohibited from disclosing—except where authorized by the patient or the regulations—is a patient's participation in treatment. Thus, a disclosure may reveal a patient's name, address, or even telephone number without violating the regulations.15 What a given disclosure may not reveal is the nature of the services received by the patient or provided by the program.16
Programs may disclose information to a "qualified service organization" without the patient's consent.17 A "service organization" is a person or agency that provides services—such as data processing, dosage preparation, laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional services—to a program that the program does not provide for itself. As the provision of such services may entail patient-identifying disclosures, the outside agency must be "qualified" to communicate freely with the treatment program. To become qualified, the service organization must enter a written agreement with the program in which it acknowledges that it is bound by the Federal confidentiality regulations, promises not to redisclose patient-identifying information to which it becomes privy, and promises to resist unauthorized efforts to gain access to any patient-identifying information that may come into its possession.18
Once the program and the outside agency have entered an agreement of this kind, the program may freely communicate information from patient records to the qualified service organization, but only that information needed by the organization to provide services to the program. Although programs may enter into qualified service organization agreements with a variety of outside organizations, they are not permitted—according to a legal opinion of the Department of Health and Human Services, which revised the regulations in 1987—to enter them with one another (unless the one offers a service that the other cannot provide) or with law enforcement agencies. A program need not inform its patients of the qualified service organization agreements to which it is a party.
The regulations permit a program to release patient-identifying information to the police where a patient commits or threatens to commit a crime on the premises or against program staff. Under these circumstances, the program may give the police the patient's name, address, and last known whereabouts. The exception does not permit the program to report a patient's other crimes.
Even without consent, patient-identifying information may be disclosed to certain persons in a medical emergency.19 A medical emergency is a situation that poses an immediate threat to the health of an individual (it need not be the patient) and requires immediate medical intervention.20 Under this exception, a program may release patient-identifying information to medical personnel who need the information to treat the medical condition. The medical-emergency exception may not be invoked to disclose patient-identifying information to the patient's family or other nonmedical personnel.
All States require people in certain positions or occupations to report cases of suspected child abuse or neglect to the relevant child welfare authorities. In 1986, the Federal regulations were amended to permit substance abuse programs to comply with such laws. Today, the Federal regulations "do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities."21 This means that program staff may make reports to local child abuse hotlines and even confirm the reports in writing. However, the regulations "continue to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect." This means that while a program may make State-mandated child abuse reports, it must still protect patient records from subsequent disclosures (even as against local child welfare investigators) and, absent patient consent or a court order, may not permit them to be used in child abuse proceedings against the patient.
Under certain circumstances, a program may allow a researcher to have access to its patients' records.22 In the event, the program director must determine that the researcher is qualified, that the researcher has a protocol under which the security of patient records is assured,23 and that patient-identifying information will not be redisclosed. Additionally, three or more independent evaluators must have reviewed the research protocol and determined that the rights and welfare of the patients concerned will be adequately protected and that the potential benefits of the research outweigh the risks to patient confidentiality. Researchers are barred from redisclosing patient-identifying information except back to the program itself.
Certain qualified individuals or organizations may have access to program records for audits or evaluations of the program.24 By definition, an audit or evaluation is a time-limited activity that may not be used to gain access to program records on an ongoing basis. Audits or evaluations may be conducted by regulatory agencies, funders, private third-party payers, and private peer review organizations.25 Information disclosed during an audit or evaluation may not be redisclosed except pursuant to a court order (where a program is being investigated) or to determine compliance by the program with medicaid or medicare regulations. If the auditor or evaluator wishes to copy or remove records, he or she must agree in writing to protect patient-identifying infor-mation, destroy all such information on completion of the audit or evaluation, and not use the information except for purposes of the audit or evaluation.
A Federal, State, or local court may authorize a program to make a disclosure of confidential patient-identifying information. A court may issue such an order, however, only after following certain procedures and making certain determinations specified in the regulations.26 A subpoena, search warrant, or arrest warrant, even when it is signed by a judge, is not sufficient, by itself, to require or even permit a program to make a disclosure.27
Before a court can issue an order authorizing a disclosure, the program and the patient whose records are sought must be given notice of the application for the order and some opportunity to make an oral or written statement in response. (However, if the information is being sought to investigate or prosecute a patient, the patient is not entitled to notice.28 Similarly, where the program is being investigated, the program is not entitled to notice.29) The application and any court order must use a fictitious name for the patient. All court order proceedings in connection with the application must be confidential unless the patient requests otherwise.30
Before it may order the disclosure of confidential patient information, a court must find that there is "good cause" for the disclosure. A court can find good cause only if it determines that the public interest and the need for disclosure outweigh any adverse effect that the disclosure may have on the patient, the doctor-patient relationship, or the effectiveness of the program's treatment services. If the information is available from another source, the court may not issue the order.31 The judge is entitled to examine the records before making a decision.32
Even where good cause for dis-closure exists, there are limits to the scope of the disclosure that the court may authorize. In fact, disclosure must be limited to the information essential to the purpose of the order, and the dissemination of the information must be restricted to those persons who need it to fulfill the purpose of the order. The court should also take steps to protect the patient's confidentiality, for example, by sealing the records of the proceeding.33
Where the information sought is a "confidential communication," it may not be disclosed unless the disclosure is necessary to protect against a threat to life or of serious bodily injury, is necessary to investigate or prosecute an extremely serious crime, or is connected with a proceeding in which the patient has already presented evidence concerning the confidential communication.34 In all other situations, not even a court can order disclosure of a confidential communication.
Where an investigative, law enforcement, or prosecutorial agency seeks an order authorizing a disclosure for the purpose of investigating or prosecuting a patient,35 it must demonstrate the following:
Where the order is sought to prosecute a patient, the court must follow the same procedures that apply to court-ordered disclosures generally (except that the patient need not be given notice). In addition, a court order authorizing a disclosure for the purpose of investigating or prosecuting a patient must limit the disclosure to those parts of the patient's record that are essential to the purpose of the order. Further, only those law enforcement and prosecutorial officials responsible for conducting the investigation or prosecution may have access to the information. As with other applications, the court may not order the disclosure of "confidential communications" except in narrowly defined circumstances (see "Procedures and Restrictions" above). Under no circumstances may a court authorize a program to turn over a patient's entire record to a law enforcement, investigative, or prose-cutorial agency.38
That patient-identifying information may be disclosed pursuant to one of the many exceptions to the general rule does not mean that the disclosed information is no longer protected. Indeed, as noted above, information released pursuant to a consent must be accompanied by a written notice informing the recipient that the information he or she has received is protected by Federal law and may not be redisclosed except as provided for in the regulations. No one who receives patient-identifying information under the regulations—including third-party payers, government employees, program staff, administrators, criminal investigators and law enforcement personnel, court personnel, researchers, auditors, evaluators, and employees of qualified service organizations—may redisclose it unless authorized to do so by the patient, a court order, or another exception to the regulations.
Except pursuant to a court order, information subject to the regulations may not be used to initiate, investigate, or substantiate criminal charges against a patient. In addition, patient-identifying information obtained in violation of the regulations can be excluded from evidence in both civil and criminal proceedings.
Rep. No. 92_920, 92d Cong., 2d Sess., p. 33 (in
242 CFR § 2.3(a).
342 CFR § 2.11.
442 CFR § 2.13(b).
542 CFR §§ 2.13(b), 2.20. This includes public health officials. However, holders of patient-identifying information can invoke exceptions to the regulations to comply with their public health obligations, such as the reporting of cases of tuberculosis as mandated by State law.
642 CFR § 2.4. Violations may be reported
to the local
7Evidence used or obtained in violation of
the regulations may be excluded in both civil and criminal cases. See
8Programs that provide generalized services are not covered by the regulations. Thus, a classroom education program aimed at all the students in a class or a grade is not covered. However, should an employee of such a program engage a student in one-to-one or even group counseling, the program would become subject to the regulations.
9The regulations apply whether a program provides all three or just one of the following services for drug or alcohol abuse: diagnosis, treatment, or referral for treatment.
1042 CFR §§ 2.31, 2.33. It should be noted that consents authorize but do not compel programs to make a disclosure.
11Depending on State law, a consent for a patient referred by the criminal justice system may be made irrevocable for a period of time (42 CFR § 2.35). Some States have statutes that provide for the automatic expiration of such consents after 60 or 90 days.
12If the patient has died, the executor or administrator of the estate or, if there is none, the spouse or closest other relative of the deceased patient may sign (42 CFR § 2.15(b)(2)). If the patient dies while in the program, no consent is needed to disclose information relating to the cause of death to such agencies as are empowered to collect vital statistics or inquire into causes of death (42 CFR § 2.15(b)(1)). If the patient is incompetent, a person appointed by a court to oversee his or her affairs may sign (42 CFR § 2.15(a)). If the patient is a minor, the patient must still always sign the consent form. If State law requires parental consent for treating a minor, a parent's signature will be required, in addition to the minor's, for any release (42CFR § 2.14(c)). If the State permits the minor to be treated without parental consent, the minor's signature alone may authorize a disclosure (42CFR § 2.14(b)).
13Disclosures to a central methadone registry must be made with patient consent (42 CFR § 2.34). A central registry collects information about patients applying for methadone maintenance or detoxification. (The registry is intended to prevent dual enrollments.) A program may disclose records to any central registry not more than 200 miles away. Such disclosures may be made only when a patient is accepted for treatment, changes type or dosage of drug, or ends, interrupts, or resumes treatment. Patient consent is required in writing, but programs may refuse to enroll patients who will not consent. Disclosed information must be limited to the patient's name and identifying information, dosage of drug, and relevant dates. The registry may disclose to its member programs the names, addresses, and telephone numbers of any other programs in which the patient is enrolled. Those programs may then communicate with one another without patient consent, but only to the extent necessary to verify that no error has been made or to prevent or eliminate any multiple enrollment.
1442 CFR § 2.32.
15Thus, if a patient threatened to harm his or her spouse, the program might make an anonymous telephone call to the spouse or even the police. To be effective, of course, such a call would require the program to disclose the patient's name. It would not, however, require the program to disclose its name or the fact that the patient is in substance abuse treatment.
16Where a program is part of a larger organization, such as a general hospital, and is required to make reports of communicable diseases, such as tuberculosis or human immunodeficiency virus, it can discharge its reporting obligation by using the larger organization's name and address. Thus, the detoxification unit of a general hospital would make the necessary report under the name of the hospital. It should be noted that some courts have found a duty to warn where there is an identifiable victim. In such cases, a program may very well have to notify both the relevant authorities and the potential victim, and, in the process, may even have to disclose patient-identifying information.
1742 CFR § 2.12(c)(4).
1842 CFR § 2.11.
1942 CFR § 2.51.
20A typical example of a medical emergency is a suicide threat or a drug overdose.
2142 CFR § 2.12(c)(6).
2242 CFR § 2.52.
2342 CFR § 2.16.
2442 CFR § 2.53.
25Accounting audits do not usually fall under the audit-and-evaluation exception to the regulations. These are usually conducted pursuant to a qualified service organization agreement.
2642 CFR §§ 2.63–2.67.
2742 CFR § 2.61.
2842 CFR § 2.65.
2942 CFR § 2.66.
3042 CFR §§ 2.64–2.66.
3142 CFR § 2.64(d).
3242 CFR § 2.64(c).
3342 CFR § 2.64(e).
3442 CFR § 2.63.
3542 CFR § 2.65.
3642 CFR § 2.63 sets forth a list of serious crimes for which a court may order disclosure of patient records. The list does not include the possession or sale of illegal drugs.
37Note that the regulations do not permit courts to order those "who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient." 42 CFR § 2.62.
38 The regulations also contain special provisions regarding court orders authorizing disclosures for purposes of investigating or prosecuting a program or its employees and court orders authorizing a government agency to place an undercover agent or informant in a program to gather evidence of serious criminal conduct by the program or its employees (42 CFR §§ 2.66–2.67). The regulations set strict prerequisites for obtaining such orders and prohibit the use of information obtained through these means to initiate or substantiate criminal prosecutions against patients.