 
|
| Home | Documents | Information Exchange Services |
Special Topics |
Resources | State Information |
Online Resources |
|
This page contains links to external Web sites. TAP 18: Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance
Checklist for Monitoring Alcohol and Other Drug Confidentiality ComplianceTechnical Assistance Publication Series18U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Rockwall II, 5600 Fisher Lane Introduction of TAP 18: Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance This publication is part of the Substance Abuse Prevention and Treatment Block Grant technical assistance program. All material appearing in this volume except quoted passages from copyrighted sources is in the public domain and may be reproduced or copied without permission from the Center for Substance Abuse Treatment (CSAT) or the authors. Citation of the source is appreciated. This publication was prepared under contract number 270-93-0004 from the Substance Abuse and Mental Health Services Administration (SAMHSA). Gayle Saunders, of CSAT, served as the Government project officer. The opinions expressed herein are the views of the authors and do not necessarily reflect the official position of CSAT or any other part of the U.S. Department of Health and Human Services (DHHS). DHHS Publication No. (SMA) 96-3083 Printed 1996 ForewordThe Center for Substance Abuse Treatment (CSAT) of the Substance Abuse and Mental Health Services Administration (SAMHSA) is pleased to present this document, Number 18 in the Technical Assistance Publication (TAP) series. Alcohol and drug treatment and prevention program staff and management, as well as State agency officials often have questions about the disclosure of information relating to alcohol and other drug (AOD) diagnosis and treatment. This TAP is designed to answer some of those questions. It provides an easy-to-use checklist that should enable both AOD programs and State and other government monitoring agencies to quickly determine whether a breach of patient confidentiality has occurred under the Federal law and regulations governing patient confidentiality. This TAP is one of several products developed by the Legal Action Center pursuant to a grant by CSAT to provide information on improving methods of collaboration between AOD treatment and prevention programs and State public health providers. Appendix B in this document is a presentation on the emerging issue of managed care and its impact on the confidentiality of AOD records. This is another area of concern to AOD programs and State government agencies. It is also an area in which these agencies are having to interact with new health care entities such as health maintenance organizations (HMOs). Nothing in this publication should be construed as authorizing or permitting any person to perform an act that is not permitted under the regulations governing confidentiality of substance abuse patient records as cited throughout these materials, or by any other Federal or State laws. David J. Mactas IntroductionThe Federal alcohol and other drug (AOD) confidentiality law requires covered programs to strictly maintain the confidentiality of AOD patient records. The law (42 U.S.C. § 290dd-2) and its accompanying regulations (42 C.F.R. Part 2, referred to in this guide as "the regulations" came about through Congress' recognition that safeguards on privacy serve the important purpose of encouraging persons to seek AOD dependence care by preventing the disclosure of information related to their AOD diagnosis and treatment, which could stigmatize them in their communities. Although remarkably effective, the laws are also complex. Questions about which disclosures are and are not permissible sometimes confuse AOD treatment programs and the State agencies responsible for funding and evaluating them. This guideline is designed to alleviate some of that confusion. It provides an easy-to-use checklist that should enable the compliance personnel of both AOD programs and State and other government monitoring agencies to quickly determine whether complaints alleging a breach of patient confidentiality are justified under the Federal confidentiality law. Two important caveats apply. First, this checklist should only be consulted to determine whether a prior disclosure complied with the law. It should not be consulted to determine whether to make a disclosure in the first instance. For such decisions, programs and State agency staff should consult more detailed analyses of the Federal regulations, such as that contained in the Legal Action Center's book, Confidentiality: A Guide to the Federal Law and Regulations. Because the checklist is written in summary form (hence its easy-to-use style), sole reliance on it could result in inadvertent breaches of the regulations. The second caveat is that when using the checklist for its intended purpose–to evaluate whether prior communications complied with the law–compliance personnel should consult more detailed analyses in order to understand the nuances of the law. In short, the checklist provides a conceptual framework and the basic principles to guide compliance personnel. In complex cases, compliance personnel should consult a more comprehensive source. The best way to use the guide is as follows. In all instances, consult Sections I and II first. Begin with Section I to determine whether the regulations even apply to the alleged confidentiality violation. For example, was the alleged breach by a "program" and about a "patient" as those terms are defined in the regulations? Second, consult Section II to determine whether a "disclosure" of patient-identifying information was made. Only after concluding that the regulations apply (Section I) and that a disclosure of patient-identifying information was made (Section II), will one need to consult Sections III-V to determine whether the disclosure was authorized under the regulations. Sections III: A–I cover nearly all of the rules (sometimes called "exceptions") that authorize AOD programs to disclose patient-identifying information. Compliance personnel first should consult those rules that most likely apply. If a rule applies, one need not go further. The communication was legal under the regulations. If a rule does not apply, consult other rules to see if they apply. Section III does not cover absolutely every rule in the regulations. For example, it omits discussion of the rules about reporting vital statistics (§ 2.15(b)) and central registries for methadone and detoxification programs (§ 2.34). Compliance personnel should consult the regulations directly for any rules not covered by this checklist. Section IV discusses search and arrest warrants, which are related to the discussion in Section IV–I. The two sections should be read in tandem. Finally, Section V discusses the regulations as they apply to persons who are not formally part of an AOD program but who nevertheless are bound by the regulations because they received patient-identifying information from an AOD program in circumstances authorized by the regulations. Within each section and its subparts, there is a checklist that the user can follow to ascertain whether the disclosure complied with the law, followed by a summary of the rule. In using the guide, bear in mind that in addition to the Federal law, many States may have laws and regulations that govern the confidentiality of AOD information. Make sure that you are familiar with such State laws; this guide does not incorporate them. Most States also have laws governing the confidentiality of HIV-related information (HIV confidentiality is determined only by State law; there is no Federal HIV confidentiality law), as well as the confidentiality of mental health and medical records. This guide does not address those State laws. Thus, even if a disclosure complies with the Federal AOD confidentiality law, compliance personnel might also choose to determine whether the disclosure violates any State confidentiality laws (e.g., those pertaining to AOD, HIV, mental health, or medical records). For instances in which a State's confidentiality law (AOD or otherwise) is more restrictive than the Federal law, a program must follow the stricter State law. For example, if a program has disclosed a patient's HIV status after the patient has signed a consent form that is proper under the Federal AOD confidentiality law, compliance personnel must also determine whether the State imposes any additional requirements for disclosing HIV-related information (e.g., a special HIV consent form). For instances in which a State's confidentiality law or any other State law is less protective of confidentiality than the Federal law, however, the Federal law controls. For example, if a State law mandates a program to notify parents about certain conduct by minor patients, but the Federal regulations absolutely prohibit such disclosure, the program cannot make the disclosure; the Federal law controls. However, there is usually a way to disclose properly under the Federal law, for example, by obtaining patient consent or a court order that meets the Federal requirements. Accordingly, there is rarely an irreconcilable conflict with State law. In addition, under 45 C.F.R. Part 96.132(e), States that receive Federal block grant funding for AOD treatment services, are required to:
Checklist for Monitoring Alcohol and Other Drug Confidentiality ComplianceI. DOES 42 C.F.R. PART 2 APPLY?
Summary of the RuleThe Federal regulations only apply to "programs" as defined under the law (§ 2.11). "programs" are organizations or individual practitioners who:
Summary of the RuleEven if the alleged disclosure was made by a "program," the regulations only apply if the person whose confidentiality allegedly was breached was a "patient." A "patient." is anyone who has applied for or received a diagnostic examination or interview, counseling, treatment, or referral for treatment for AOD abuse from a program (§ 2.11). Applicants for such AOD services are covered by the regulations even if they fail to show for an initial appointment that they arranged or, having been interviewed or diagnosed, elect not to follow up or enter treatment. The regulations protect current, former, and deceased patients. II.WAS THERE A "DISCLOSURE" OF PATIENT-IDENTIFYING INFORMATION? Issue:Did the disclosure reveal "patient-identifying information?"
Summary of the RuleThe Federal regulations generally prohibit programs from disclosing "patient-identifying information." "Patient-identifying information" means any information that identifies a patient as (i) having applied for or received AOD-related services (diagnosis, treatment, counseling, or referral for treatment), or (ii) being an AOD abuser (§ 2.11, 2.12). By prohibiting "disclosures," the regulations do not merely refer to explicit statements, such as that a specified person is a patient or is an AOD abuser. Rather, the term "disclosure" includes implicit disclosures, such as the following:
III. IF THERE WAS A DISCLOSURE, WAS THERE PROPER AUTHORIZATION?
Issue: Was the disclosure authorized by a valid consent form?
If "no," go to question 11.
Summary of the RuleGenerally, a program may disclose any information about a patient if the patient authorizes the disclosure by signing a valid consent form ('§ 2.31, 2.33). A consent form under the Federal regulations is much more detailed than a general medical release. It must contain all of the following nine elements. If the form is missing even one of these elements, it is not valid:
Issue: Was the disclosure an authorized internal communication?
Summary of the RulePatient-identifying information may be disclosed within a program, or to an entity having direct administrative control over a program, if the recipient of the disclosure needs the information in connection with his or her duties arising out of the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment (§ 2.12(c)(3)). "Within the program" means within the organization or organizational unit that provides AOD-related services. Thus for entities that only provide AOD treatment in part, they may only share patient-identifying information within that part. For example, the staff of a detoxification unit within a hospital may share patient-identifying information with one another—and with hospital administrators with direct supervisory oversight for the program—where such sharing of information is needed to provide AOD-related services to the program's patients. The program may also share information, as necessary, with, for example, the hospital's recordkeeping or billing departments, because those administrative units are integral to the program's functioning. However, the program may not freely share patient-identifying information with other parts or units of the hospital (because they are not part of the "program" or an entity with direct administrative control over the program). Note, however, that such communications are possible with the patient's proper consent (see Section I.A). Anyone within or in direct administrative control of a program that receives patient-identifying information is bound by the confidentiality regulations and may not redisclose the information except as allowed by the regulations (§ 2.12(d)(2)(ii)).
Issue: Was the disclosure made pursuant to a qualified service organization agreement (QSOA)?
Summary of the RulePrograms may disclose patient-identifying information to a "qualified service organization" without the patient's consent (§ 2.12(c)(4)). A "qualified service organization" is a person or agency that provides services to the program, such as data processing, dosage preparation, laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional services that the program does not provide for itself. The department of health can also be a "service organization" if it provides health-related services to the program. Examples of such services include offering tests for HIV, tuberculosis, and sexually transmitted diseases; providing treatment for communicable diseases; or monitoring the patient's case to ensure that he or she is receiving treatment. Managed care companies can, in limited circumstances, also be "service organizations," provided they are providing a service, such as legal, medical, accounting, or laboratory services. For example, if individuals enrolled in a managed care program can receive AOD treatment from any certified AOD program, but must receive primary health care from the managed care provider's staff physicians, the managed care provider could be considered a "service organization"; it is rendering medical services. In order to receive patient-identifying information, the "service organization" must enter into a written agreement with the program in which it acknowledges that it is bound by the Federal confidentiality regulations, promises not to redisclose patient-identifying information to which it becomes privy, and promises to resist unauthorized efforts to gain access to any patient-identifying information in its possession (§ 2.11). Once the program and the outside agency have entered into this QSOA, the program may freely communicate information from patient records to the "qualified service organization," but only that information that is specified in the QSOA and that is needed by the organization to provide services to the program. Although AOD programs may enter into QSOAs with a variety of outside organizations, they are not permitted—according to a legal opinion of the DHHS—to enter into them with one another (unless the services offered by one of the programs does not pertain to AOD-related services) or with law enforcement agencies. A program is not required to inform its patients of the QSOAs to which it is a party.
Issue: Was the disclosure made properly in a medical emergency?
Summary of the RuleEven without consent, patient-identifying information may be disclosed to medical personnel in a medical emergency (§ 2.51). A medical emergency is a situation that poses an immediate threat to the health of any individual (it need not be the patient) and requires immediate medical intervention. Typical examples of a medical emergency include a suicide threat, a drug overdose, or a patient with active and infectious tuberculosis who is not taking his or her medications. This rule permits the program to release patient-identifying information to medical personnel who need the information to treat the medical condition. The program may not use the medical emergency rule to contact family members or the police. When releasing information pursuant to a medical emergency, programs must document the disclosure in the patient's record, setting forth the name of the recipient and his or her affiliation with any health care facility, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency (§ 2.51(c)).
Issue: Was the disclosure made in response to a crime on program premises or against program personnel?
Summary of the RuleThe regulations permit a program to release patient-identifying information to the police if a patient commits or threatens to commit a crime either (i) on the premises (against anyone) or (ii) against program staff anywhere. When reporting such a crime, in addition to the particulars of the crime, the program may give the police the patient's name, address, and last known whereabouts. The program may not release to the police the names of other patients who were victims or witnesses to the crime without those patients' prior written consent. This rule does not authorize disclosure of a patient's confession to a past crime unless the crime was on the program premises or against program personnel.
Issue: Was the disclosure authorized by the child abuse reporting rule?
Summary of the RuleIn 1987, the regulations were amended to permit AOD programs to comply with State laws requiring people in certain positions or occupations to report cases of suspected child abuse or neglect. Accordingly, the regulations "do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities" (§ 2.12(c)(6)). Under this rule, program staff may make reports to local child abuse hotlines and even confirm the reports in writing. However, the program's disclosures must stop there. The regulations continue "to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect." This means that although a program may make State-mandated child abuse reports, patient files must be withheld from child protection agencies absent patient consent or a court order.
Issue: Was the disclosure authorized under the research rule?
Summary of the ruleA program may allow a researcher to have access to its patients' records under the following circumstances: First, the program director must determine (i) that the researcher is qualified, (ii) that the researcher has a protocol under which the security of patient records is assured (per § 2.16), and (iii) that patient-identifying information will not be redisclosed. In addition, the researcher must provide a written statement that three or more independent evaluators have reviewed the research protocol and determined that the rights and welfare of the patients concerned will be adequately protected and that the potential benefits of the research outweigh the risks to patient confidentiality (§ 2.52(a)). If a researcher satisfies the above standard, the researcher may proceed but is barred from redisclosing patient-identifying information except back to the program itself. No report may identify any individual patient (§ 2.52(b)).
Issue: Was the disclosure authorized under the audit and evaluation rule?
Summary of the RuleGovernment agencies that fund or regulate a program, private persons that provide financial assistance or third-party payments to a program, peer-review organizations that perform utilization or quality control review, and persons whom the program director determines are "qualified" may have access to program records for audits or evaluations of the program (§ .53). Examples of such funding or oversight agencies include Government agencies that administer the Medicaid program and that contract with AOD programs, insurance and managed care companies, and State agencies that license and regulate AOD programs. Any person or organization that conducts an audit or evaluation must agree in writing that it will redisclose patient-identifying information only (i) back to the program, or (ii) to a Government agency that is overseeing a Medicare or Medicaid audit or evaluation. Such person or organization also must agree in writing to use the information only for the audit or evaluation or pursuant to a court order to investigate or prosecute the program (not a patient) (§ 2.53(c) and (d)). The agencies listed in the first paragraph above also may copy or remove records, but only if they agree in writing to (i) safeguard the confidentiality of patient-identifying information in accordance with the security requirements of § 2.16 of the regulations (or more stringent requirements), (ii) destroy all such information on completion of the audit or evaluation, (iii) redisclose patient-identifying information back to the program or to a Government agency that is overseeing a Medicaid or Medicare audit or evaluation, and (iv) not use the information except for purposes of the audit or evaluation or to investigate or prosecute criminal or other activities as authorized by a court order entered under § 2.66 (§ 2.53(b)-(d)). Thus a State regulatory agency could not obtain patient records pursuant to an audit and then store them permanently on a computer database. Any other person or organization determined by the program director to be "qualified" and that pledges in writing to observe the restrictions on redisclosure and use that are specified two paragraphs above may also inspect patient records for audit or evaluation purpose without consent. Only the agencies listed in the first paragraph, however, may copy or remove records.
Issue: Was the disclosure made in response to a valid court order?
Summary of the RuleA Federal, State, or local court may authorize a program to make a disclosure of patient-identifying information. A court may issue such an order, however, only after following certain procedures and making certain determinations specified in the regulations (§ 2.63-2.67). A subpoena, search warrant, or arrest warrant, even when it is signed by a judge, is not sufficient, by itself, to require or even permit a program to make a disclosure (§ 2.61). For guidance on how to respond to search and arrest warrants, see Section IV. When faced with a subpoena, a program may contact the patient referenced in the subpoena and seek the patient's consent to release the subpoenaed information. Alternatively, a program may contact the party that issued the subpoena and attempt to persuade the party to seek a proper court order. If that fails, the program could move to quash the subpoena. With respect to court orders, the applicant for the court order must follow certain procedures, such as using a fictitious name, like John Doe, to refer to any patient (unless the patient has consented to the use of his or her real name). In addition, the applicant generally must give the program and the patient "adequate notice" of an opportunity to file a written response to the application or appear in person for the limited purpose of responding to the application (§ 2.64(a) and (b)). If the court order was requested in order to criminally investigate or prosecute a patient, however, the patient need not receive notice. (§ 2.65) Likewise, if the court order was requested in order to criminally prosecute or investigate the program, the program need not receive notice (§ 2.66). This checklist is limited to those requirements for which AOD programs can properly be held accountable (i.e., the program made no disclosure until and unless a court ordered it to do so under the Federal regulations, and the program only disclosed the information listed in the court order). (The AOD program and its lawyer also are responsible for properly filing a request for a court order if the program initiates the application.) AOD programs cannot be held accountable for procedural or substantive errors made by a court, prosecuting attorney, and so on. This is not to suggest, however, that the program should not take steps to ensure that a third party who seeks a court order has followed the proper procedures, such as providing proper notice and holding a hearing with respect to whether the disclosure should be made. Furthermore, the program and/or the patient concerned could file an appeal if the court issued the order improperly. IV. RESPONDING TO SEARCH AND ARREST WARRANTS Issue: Did the AOD program respond appropriately to a search or arrest warrant?
Summary of the RuleAs discussed in Section III.I, neither a search warrant nor an arrest warrant, in and of itself, constitutes the type of court order authorized under the regulations. Consequently, programs may not disclose patient-identifying information in response to such warrants. On the other hand, the regulations do not require a program to forcibly resist a law enforcement officer who insists on entry. The DHHS has ruled that when faced with an arrest or search warrant without a valid court order, programs generally should:
If all of the above fail, programs should not forcibly resist. They may permit the law enforcement officials to enter, but they should not point out the patient sought in the arrest warrant or the records sought in the search warrant. V. DISCLOSURES BY THIRD PARTIES Issue: Did a third party who received patient-identifying information from an AOD program redisclose it without authorization? Third-Party Payers
Entities With Administrative Control Over Programs
Consent
QSOAs
Research
Audit and Evaluation
Summary of the RuleAs discussed in Sections III.A, C, G, and H, third parties who receive patient-identifying information from AOD programs pursuant to consent forms, QSOAs, or the research or audit and evaluation rules are generally prohibited from redisclosing it. This section will not repeat the details regarding redisclosure under these rules (see Summary of the Rule for Sections III.A, C, G, and H). In addition, the regulations require third-party payers who receive patient-identifying information from programs to comply with the regulations, regardless of whether they received a notice prohibiting redisclosure (§ 2.12(d)(2)(i)). Likewise, entities with direct administrative control over programs, which receive information from programs pursuant to the internal communications' exception (see Section III.B), must abide by the disclosure restrictions in the regulations (§ 2.12(d)(2)(ii). Note, however, that the prohibitions against redisclosing information obtained from an AOD program apply to the information actually received from the AOD program and not from the patient. For example, if a third party receives patient-identifying information from an AOD program, and the patient self-discloses the identical information to the third party, the third party can redisclose the information. This is because the third party is not redisclosing information it received pursuant to the consent form or QSOA, but rather, information it received from the patient.
Appendix A—The Confidentiality Law (42 U.S.C. § 290dd-2)This statute, which Congress enacted in 1992, consolidates and replaces (without substantive change) the two separate but identical laws Congress originally enacted to govern the confidentiality of alcohol abuse patient records (previously codified as 42 U.S.C. § 290dd-3) and drug abuse patient records (previously codified as 42 U.S.C. § 290ee-3). (The text of those laws, now replaced by this 1992 statute, is set out in § 2.1 of the confidentiality regulations that are reprinted in the following pages.) The term "substance abuse" in the current law refers to both alcohol and drug abuse. The regulations themselves were not revised as a result of Congress' 1992 consolidation but were revised slightly in 1995. The revised regulations appear on page 30. § 290dd-2: Confidentiality of Records(a) Requirement Records of the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e) of this section, be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b) of this section. (b) Permitted disclosure
The content of any record referred to in subsection (a) of this section may be disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed under regulations prescribed pursuant to subsection (g) of this section.
Whether or not the patient, with respect to whom any given record referred to in subsection (a) of this section is maintained, gives written consent, the content of such record may be disclosed as follows:
(c) Use of records in criminal proceedings Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no record referred to in subsection (a) of this section may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. (d) Application The prohibitions of this section continue to apply to records concerning any individual who has been a patient, irrespective of whether or when such individual ceases to be a patient. (e) Nonapplicability The prohibitions of this section do not apply to any interchange of records—
The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. (f) Penalties Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined in accordance with Title 18. (g) Regulations Except as provided in subsection (h) of this section, the Secretary shall prescribe regulations to carry out the purposes of this section. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection (b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. (h) Application to Department of Veterans Affairs The Secretary of Veterans Affairs, acting through the Under Secretary for Health, shall, to the maximum feasible extent consistent with their responsibilities under Title 38, prescribe regulations making applicable the regulations prescribed by the Secretary of Health and Human Services under subsection (g) of this section to records maintained in connection with the provision of hospital care, nursing home care, domiciliary care, and medical services under such Title 38 to veterans suffering from substance abuse. In prescribing and implementing regulations pursuant to this subsection, the Secretary of Veterans Affairs shall, from time to time, consult with the Secretary of Health and Human Services in order to achieve the maximum possible coordination of the regulations, and the implementation thereof, which they each prescribe. 1995 RevisionsFederal Register, Vol. 60, No. 87, May 5, 1995 In § 2.11, the definition of Program is revised to read as follows: § 2.11 Definitions. Program means:
Section 2.12(e)(1) is amended by adding the following sentence at the end to read as follows: § 2.12 Applicability. (e) * * * (1) * * * However, these regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of alcohol or drug abuse diagnosis, treatment, or referral and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services. Subpart A— Introduction[42 C.F.R. Subpart A, § 2.1B2.5, as of May 9, 1996] § 2.1 Statutory authority for confidentiality of drug abuse patient records. The restrictions of these regulations upon the disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3. The amended statutory authority is set forth below: § 290EE-3. CONFIDENTIALITY OF PATIENT RECORDS. (a) Disclosure authorization Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any drug abuse prevention function conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e) of this section, be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b) of this section. (b) Purposes and circumstances of disclosure affecting consenting patient and patient regardless of consent (1) The content of any record referred to in subsection (a) of this section may be disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed under regulations prescribed pursuant to subsection (g) of this section. (2) Whether or not the patient, with respect to whom any given record referred to in subsection (a) of this section is maintained, gives his written consent, the content of such record may be disclosed as follows: (A) To medical personnel to the extent necessary to meet a bona fide medical emergency. (B) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner. (C) If authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician–patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure. (c) Prohibition against use of record in making criminal charges or investigation of patient Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no record referred to in subsection (a) of this section may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. (d) Continuing prohibition against disclosure irrespective of status as patient The prohibitions of this section continue to apply to records concerning any individual who has been a patient, irrespective of whether or when he ceases to be a patient. (e) Armed Forces and Veterans' Administration; interchange of records; report of suspected child abuse and neglect to State or local authorities The prohibitions of this section do not apply to any interchange of records— (1) within the Armed Forces or within those components of the Veterans' Administration furnishing health care to veterans, or (2) between such components and the Armed Forces. The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. (f) Penalty for first and subsequent offenses Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense. (g) Regulations; interagency consultations; definitions, safeguards, and procedures, including procedures and criteria for issuance and scope of orders Except as provided in subsection (h) of this section, the Secretary, after consultation with the Administrator of Veterans' Affairs and the heads of other Federal departments and agencies substantially affected thereby, shall prescribe regulations to carry out the purposes of this section. These regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection (b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. (Subsection (h) was superseded by section 111(c)(3) of Pub. L. 94-581. The responsibility of the Administrator of Veterans' Affairs to write regulations to provide for confidentiality of drug abuse patient records under Title 38 was moved from 21 U.S.C. 1175 to 38 U.S.C. 4134.) § 2.2 Statutory authority for confidentiality of alcohol abuse patient records. The restrictions of these regulations upon the disclosure and use of alcohol abuse patient records were initially authorized by section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 4582). The section as amended was transferred by Pub. L. 98-24 to section 523 of the Public Health Service Act which is codified at 42 U.S.C. 290dd-3. The amended statutory authority is set forth below: § 290DD-3.CONFIDENTIALITY OF PATIENT RECORDS. (a) Disclosure authorization Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e) of this section, be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b) of this section. (b) Purposes and circumstances of disclosure affecting consenting patient and patient regardless of consent (1) The content of any record referred to in subsection (a) of this section may be disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed under regulations prescribed pursuant to subsection (g) of this section. (2) Whether or not the patient, with respect to whom any given record referred to in subsection (a) of this section is maintained, gives his written consent, the content of such record may be disclosed as follows: (A) To medical personnel to the extent necessary to meet a bona fide medical emergency. (B) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner. (C) If authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician–patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure. (c) Prohibition against use of record in making criminal charges or investigation of patient Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no record referred to in subsection (a) of this section may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. (d) Continuing prohibition against disclosure irrespective of status as patient The prohibitions of this section continue to apply to records concerning any individual who has been a patient, irrespective of whether or when he ceases to be a patient. (e) Armed Forces and Veterans' Administration; interchange of record of suspected child abuse and neglect to State or local authorities The prohibitions of this section do not apply to any interchange of records— (1) within the Armed Forces or within those components of the Veterans' Administration furnishing health care to veterans, or (2) between such components and the Armed Forces. The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. (f) Penalty for first and subsequent offenses Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense. (g) Regulations of Secretary; definitions, safeguards, and procedures, including procedures and criteria for issuance and scope of orders Except as provided in subsection (h) of this section, the Secretary shall prescribe regulations to carry out the purposes of this section. These regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection(b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. (Subsection (h) was superseded by section 111(c)(4) of Pub. L. 94-581. The responsibility of the Administrator of Veterans' Affairs to write regulations to provide for confidentiality of alcohol abuse patient records under Title 38 was moved from 42 U.S.C. 4582 to 38 U.S.C. 4134.) § 2.3Purpose and effect. (a) Purpose. Under the statutory provisions quoted in § § 2.1 and 2.2, these regulations impose restrictions upon the disclosure and use of alcohol and drug abuse patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program. The regulations specify: (1) Definitions, applicability, and general restrictions in Subpart B (definitions applicable to § 2.34 only appear in that section); (2) Disclosures which may be made with written patient consent and the form of the written consent in Subpart C; (3) Disclosures which may be made without written patient consent or an authorizing court order in Subpart D; and (4) Disclosures and uses of patient records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders in Subpart E. (b) Effect. (1) These regulations prohibit the disclosure and use of patient records unless certain circumstances exist. If any circumstances exists under which disclosure is permitted, that circumstance acts to remove the prohibition on disclosure but it does not compel disclosure. Thus, the regulations do not require disclosure under any circumstances. (2) These regulations are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to insure that an alcohol or drug abuse patient in a federally assisted alcohol or drug abuse program is not made more vulnerable by reason of the availability of his or her patient record than an individual who has an alcohol or drug problem and who does not seek treatment. (3) Because there is a criminal penalty (a fine—see 42 U.S.C. 290ee-3(f), 42 U.S.C. 290dd-3(f) and 42 C.F.R. § 2.4) for violating the regulations, they are to be construed strictly in favor of the potential violator in the same manner as a criminal statute (see M. Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)). § 2.4 Criminal penalty for violation. Under 42 U.S.C. 290ee-3(f) and 42 U.S.C. 290dd-3(f), any person who violates any provision of those statutes or these regulations shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense. § 2.5 Reports of violations. (a) The report of any violation of these regulations may be directed to the United States Attorney for the judicial district in which the violation occurs. (b) The report of any violation of these regulations by a methadone program may be directed to the Regional Offices of the Food and Drug Administration. Subpart B—General Provisions[42 C.F.R. Subpart B, § 2.11B2.67, as of May 9, 1996] § 2.11 Definitions. For purposes of these regulations: Alcohol abuse means the use of an alcoholic beverage which impairs the physical, mental, emotional, or social well-being of the user. Drug abuse means the use of a psychoactive substance for other than medicinal purposes which impairs the physical, mental, emotional, or social well-being of the user. Diagnosis means any reference to an individual's alcohol or drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral for treatment. Disclose or disclosure means a communication of patient-identifying information, the affirmative verification of another person's communication of patient-identifying information, or the communication of any information from the record of a patient who has been identified. Informant means an individual: Patient means any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol or drug abuser in order to determine that individual's eligibility to participate in a program. Patient-identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a program, if that number does not consist of, or contain numbers (such as a social security, or driver's license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the program. Person means an individual, partnership, corporation, Federal, State or local government agency, or any other legal entity. Program means: Program director means: Qualified service organization means a person which: (1) Acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by these regulations; and (2) If necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations. Records means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program. Third party payer means a person who pays, or agrees to pay, for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of his family or on the basis of the patient's eligibility for Federal, State, or local governmental benefits. Treatment means the management and care of a patient suffering from alcohol or drug abuse, a condition which is identified as having been caused by that abuse, or both, in order to reduce or eliminate the adverse effects upon the patient. Undercover agent means an officer of any Federal, State, or local law enforcement agency who enrolls in or becomes an employee of a program for the purpose of investigating a suspected violation of law or who pursues that purpose after enrolling or becoming employed for other purposes. [52 FR 21809, June 9, 1987, as amended at 60 FR 22297, May 5, 1995] DAILY C.F.R. (TM) Note 60 FR 22296, No. 87, May 5, 1995 SUMMARY: The Department published a notice of proposed rulemaking in the Federal Register at 59 FR 42561 (August 18, 1994) with corresponding corrections at 59 FR 45063 (August 31, 1994), which proposed a clarification to the "Confidentiality of Alcohol and Drug Abuse Patient Records" regulations codified at 42 C.F.R. part 2. Specifically, the Department proposed to clarify that, as to general medical care facilities, these regulations cover only specialized individuals or units in such facilities that hold themselves out as providing and provide alcohol or drug abuse diagnosis, treatment or referral for treatment and which are federally assisted, directly or indirectly. The Secretary has considered the comments received during the comment period, and is amending the regulations. EFFECTIVE DATE: June 5, 1995. § 2.12 Applicability. (a) General—(1) Restrictions on disclosure. The restrictions on disclosure in these regulations apply to any information, whether or not recorded, which: (i) Would identify a patient as an alcohol or drug abuser either directly, by reference to other publicly available information, or through verification of such an identification by another person; and (ii) Is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972, or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (or if obtained before the pertinent date, is maintained by a federally assisted alcohol or drug abuse program after that date as part of an ongoing treatment episode which extends past that date) for the purpose of treating alcohol or drug abuse, making a diagnosis for that treatment, or making a referral for that treatment. (2) Restriction on use. The restriction on use of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290ee-3(c), 42 U.S.C. 290dd-3(c)) applies to any information, whether or not recorded which is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972, or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (or if obtained before the pertinent date, is maintained by a federally assisted alcohol or drug abuse program after that date as part of an ongoing treatment episode which extends past that date), for the purpose of treating alcohol or drug abuse, making a diagnosis for the treatment, or making a referral for the treatment. (b) Federal assistance. An alcohol abuse or drug abuse program is considered to be federally assisted if: (1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (c)(2) of this section relating to the Veterans' Administration and the Armed Forces); (2) It is being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including but not limited to: (i) Certification of provider status under the Medicare program; (ii) Authorization to conduct methadone maintenance treatment (see 21 C.F.R. 291.505); or (iii) Registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of alcohol or drug abuse; (3) It is supported by funds provided by any department or agency of the United States by being: (i) A recipient of Federal financial assistance in any form, including financial assistance which does not directly pay for the alcohol or drug abuse diagnosis, treatment, or referral activities; or (ii) Conducted by a State or local government unit which, through general or special revenue sharing or other forms of assistance, receives Federal funds which could be (but are not necessarily) spent for the alcohol or drug abuse program; or (4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program. (c) Exceptions—(1) Veterans' Administration. These regulations do not apply to information on alcohol and drug abuse patients maintained in connection with the Veterans' Administration provisions of hospital care, nursing home care, domiciliary care, and medical services under Title 38, United States Code. Those records are governed by 38 U.S.C. 4132 and regulations issued under that authority by the Administrator of Veterans' Affairs. (2) Armed Forces. These regulations apply to any information described in paragraph (a) of this section which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except: (i) Any interchange of that information within the Armed Forces; and (ii) Any interchange of that information between the Armed Forces and those components of the Veterans Administration furnishing health care to veterans. (3) Communication within a program or between a program and an entity having direct administrative control over that program. The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug abuse if the communications are (i) Within a program or (ii) Between a program and an entity that has direct administrative control over the program. (4) Qualified Service Organizations. The restrictions on disclosure in these regulations do not apply to communications between a program and a qualified service organization of information needed by the organization to provide services to the program. (5) Crimes on program premises or against program personnel. The restrictions on disclosure and use in these regulations do not apply to communications from program personnel to law enforcement officers which— (i) Are directly related to a patient's commission of a crime on the premises of the program or against program personnel or to a threat to commit such a crime; and (ii) Are limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts. (6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in these regulations do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, the restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect. (d) Applicability to recipients of information—(1) Restriction on use of information. The restriction on the use of any information subject to these regulations to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient applies to any person who obtains that information from a federally assisted alcohol or drug abuse program, regardless of the status of the person obtaining the information or of whether the information was obtained in accordance with these regulations. This restriction on use bars, among other things, the introduction of that information as evidence in a criminal proceeding and any other use of the information to investigate or prosecute a patient with respect to a suspected crime. Information obtained by undercover agents or informants (see § 2.17) or through patient access (see § 2.23) is subject to the restriction on use. (2) Restrictions on disclosures—Third party payers, administrative entities, and others. The restrictions on disclosure in these regulations apply to: (i) Third party payers with regard to records disclosed to them by federally assisted alcohol or drug abuse programs; (ii) Entities having direct administrative control over programs with regard to information communicated to them by the program under § 2.12(c)(3); and (iii) Persons who receive patient records directly from a federally assisted alcohol or drug abuse program and who are notified of the restrictions on redisclosure of the records in accordance with § 2.32 of these regulations. (e) Explanation of applicability—(1) Coverage. These regulations cover any information (including information on referral and intake) about alcohol and drug abuse patients obtained by a program (as the terms "patient" and "program" are defined in § 2.11) if the program is federally assisted in any manner described in § 2.12(b). Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide alcohol or drug abuse diagnosis, treatment, or referral for treatment. However, these regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of alcohol or drug abuse diagnosis, treatment or referral and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services. (2) Federal assistance to program required. If a patient's alcohol or drug abuse diagnosis, treatment, or referral for treatment is not provided by a program which is federally conducted, regulated or supported in a manner which constitutes Federal assistance under § 2.12(b), that patient's record is not covered by these regulations. Thus, it is possible for an individual patient to benefit from Federal support and not be covered by the confidentiality regulations because the program in which the patient is enrolled is not federally assisted as defined in § 2.12(b). For example, if a Federal court placed an individual in a private for-profit program and made a payment to the program on behalf of that individual, that patient's record would not be covered by these regulations unless the program itself received Federal assistance as defined by § 2.12(b). (3) Information to which restrictions are applicable. Whether a restriction is on use or disclosure affects the type of information which may be available. The restrictions on disclosure apply to any information which would identify a patient as an alcohol or drug abuser. The restriction on use of information to bring criminal charges against a patient for a crime applies to any information obtained by the program for the purpose of diagnosis, treatment, or referral for treatment of alcohol or drug abuse. (Note that restrictions on use and disclosure apply to recipients of information under § 2.12(d).) (4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis identifying a patient as an alcohol or drug abuser which is prepared in connection with the treatment or referral for treatment of alcohol or drug abuse. A diagnosis prepared for the purpose of treatment or referral for treatment but which is not so used is covered by these regulations. The following are not covered by these regulations: (i) Diagnosis which is made solely for the purpose of providing evidence for use by law enforcement authorities; or (ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved is not an alcohol or drug abuser (e.g., involuntary ingestion of alcohol or drugs or reaction to a prescribed dosage of one or more drugs). [52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987, as amended at 60 FR 22297, May 5, 1995] DAILY C.F.R. (TM) Note 60 FR 22296, No. 87, May 5, 1995 SUMMARY: The Department published a notice of proposed rulemaking in the Federal Register at 59 FR 42561 (August 18, 1994) with corresponding corrections at 59 FR 45063 (August 31, 1994), which proposed a clarification to the "Confidentiality of Alcohol and Drug Abuse Patient Records" regulations codified at 42 C.F.R. part 2. Specifically, the Department proposed to clarify that, as to general medical care facilities, these regulations cover only specialized individuals or units in such facilities that hold themselves out as providing and provide alcohol or drug abuse diagnosis, treatment or referral for treatment and which are federally assisted, directly or indirectly. The Secretary has considered the comments received during the comment period, and is amending the regulations. EFFECTIVE DATE: June 5, 1995. § 2.13 Confidentiality restrictions. (a) General. The patient records to which these regulations apply may be disclosed or used only as permitted by these regulations and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority. Any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure. (b) Unconditional compliance required. The restrictions on disclosure and use in these regulations apply whether the holder of the information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement or other official, has obtained a subpoena, or asserts any other justification for a disclosure or use which is not permitted by these regulations. (c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an identified patient in a facility or component of a facility which is publicly identified as a place where only alcohol or drug abuse diagnosis, treatment, or referral is provided may be acknowledged only if the patient's written consent is obtained in accordance with Subpart C of these regulations or if an authorizing court order is entered in accordance with Subpart E of these regulations. The regulations permit acknowledgement of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol or drug abuse diagnosis, treatment or referral facility, and if the acknowledgement does not reveal that the patient is an alcohol or drug abuser. (2) Any answer to a request for a disclosure of patient records which is not permissible under these regulations must be made in a way that will not affirmatively reveal that an identified individual has been, or is being diagnosed or treated for alcohol or drug abuse. An inquiring party may be given a copy of these regulations and advised that they restrict the disclosure of alcohol or drug abuse patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient. The regulations do not restrict a disclosure that an identified individual is not and never has been a patient. § 2.14 Minor patients. (a) Definition of minor. As used in these regulations the term "minor" means a person who has not attained the age of majority specified in the applicable State law, or if no age of majority is specified in the applicable State law, the age of 18 years. (b) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable State law to apply for and obtain alcohol or drug abuse treatment, any written consent for disclosure authorized under Subpart C of these regulations may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient-identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a State or local law requiring the program to furnish the service irrespective of ability to pay. (c) State law requiring parental consent to treatment. (1) Where State law requires consent of a parent, guardian, or other person for a minor to obtain alcohol or drug abuse treatment, any written consent for disclosure authorized under Subpart C of these regulations must be given by both the minor and his or her parent, guardian, or other person authorized under State law to act in the minor's behalf. (2) Where State law requires parental consent to treatment the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other person authorized under State law to act in the minor's behalf only if: (i) The minor has given written consent to the disclosure in accordance with Subpart C of these regulations or (ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by the program director under paragraph (d) of this section. (d) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a threat to the life or physical well being of the applicant or any other individual may be disclosed to the parent, guardian, or other person authorized under State law to act in the minor's behalf if the program director judges that: (1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under Subpart C of these regulations to his or her parent, guardian, or other person authorized under State law to act in the minor's behalf, and (2) The applicant's situation poses a substantial threat to the life or physical well being of the applicant or any other individual which may be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under State law to act in the minor's behalf. § 2.15 Incompetent and deceased patients. (a) Incompetent patients other than minors—(1) Adjudication of incompetence. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to manage his or her own affairs, any consent which is required under these regulations may be given by the guardian or other person authorized under State law to act in the patient's behalf. (2) No adjudication of incompetency. For any period for which the program director determines that a patient, other than a minor or one who has been adjudicated incompetent, suffers from a medical condition that prevents knowing or effective action on his or her own behalf, the program director may exercise the right of the patient to consent to a disclosure under Subpart C of these regulations for the sole purpose of obtaining payment for services from a third party payer. (b) Deceased patients—(1) Vital statistics. These regulations do not restrict the disclosure of patient-identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death. (2) Consent by personal representative. Any other disclosure of information identifying a deceased patient as an alcohol or drug abuser is subject to these regulations. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable State law. If there is no such appointment the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family. § 2.16 Security for written records. (a) Written records which are subject to these regulations must be maintained in a secure room, locked file cabinet, safe or other similar container when not in use; and (b) Each program shall adopt in writing procedures which regulate and control access to and use of written records which are subject to these regulations. § 2.17 Undercover agents and informants. (a) Restrictions on placement. Except as specifically authorized by a court order granted under § 2.67 of these regulations, no program may knowingly employ, or enroll as a patient, any undercover agent or informant. (b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a program pursuant to an authorizing court order, may be used to criminally investigate or prosecute any patient. [52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] § 2.18 Restrictions on the use of identification cards. No person may require any patient to carry on his or her person while away from the program premises any card or other object which would identify the patient as an alcohol or drug abuser. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a program. § 2.19 Disposition of records by discontinued programs. (a) General. If a program discontinues operations or is taken over or acquired by another program, it must purge patient-identifying information from its records or destroy the records unless— (1) The patient who is the subject of the records gives written consent
(meeting the requirements of § 2.31) to a transfer of the records to the
acquiring program or to any other program designated in the consent (the manner
of obtaining this consent must minimize the likelihood of a disclosure of
patient-identifying information to a third party); or (b) Procedure where retention period required by law. If paragraph (a)(2) of this section applies, the records must be: (1) Sealed in envelopes or other containers labeled as follows: "Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]"; and (2) Held under the restrictions of these regulations by a responsible person who must, as soon as practicable after the end of the retention period specified on the label, destroy the records. § 2.20 Relationship to State laws. The statutes authorizing these regulations (42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3) do not preempt the field of law which they cover to the exclusion of all State laws in that field. If a disclosure permitted under these regulations is prohibited under State law, neither these regulations nor the authorizing statutes may be construed to authorize any violation of that State law. However, no State law may either authorize or compel any disclosure prohibited by these regulations. § 2.21 Relationship to Federal statutes protecting research subjects against compulsory disclosure of their identity. (a) Research privilege description. There may be concurrent coverage of patient-identifying information by these regulations and by administrative action taken under: Section 303(a) of the Public Health Service Act (42 U.S.C. 242a(a) and the implementing regulations at 42 C.F.R. Part 2a); or section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21 C.F.R. 1316.21). These "research privilege" statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research. (b) Effect of concurrent coverage. These regulations restrict the disclosure and use of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under Subpart E of these regulations of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes. However, the research privilege granted under 21 C.F.R. 291.505(g) to treatment programs using methadone for maintenance treatment does not protect from compulsory disclosure any information which is permitted to be disclosed under those regulations. Thus, if a court order entered in accordance with Subpart E of these regulations authorizes a methadone maintenance treatment program to disclose certain information about its patients, that program may not invoke the research privilege under 21 C.F.R. 291.505(g) as a defense to a subpoena for that information. § 2.22 Notice to patients of Federal confidentiality requirements. (a) Notice required. At the time of admission or as soon thereafter as the patient is capable of rational communication. each program shall: (1) Communicate to the patient that Federal law and regulations protect the confidentiality of alcohol and drug abuse patient records; and (2) Give to the patient a summary in writing of the Federal law and regulations. (b) Required elements of written summary. The written summary of the Federal law and regulations must include: (1) A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility or disclose outside the program information identifying a patient as an alcohol or drug abuser. (2) A statement that violation of the Federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations. (3) A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected. (4) A statement that reports of suspected child abuse and neglect made under State law to appropriate State or local authorities are not protected. (5) A citation to the Federal law and regulations. (c) Program options. The program may devise its own notice or may use the sample notice in paragraph (d) to comply with the requirement to provide the patient with a summary in writing of the Federal law and regulations. In addition, the program may include in the written summary information concerning State law and any program policy not inconsistent with State and Federal law on the subject of confidentiality of alcohol and drug abuse patient records. (d) Sample notice. CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENT RECORDS The confidentiality of alcohol and drug abuse patient records maintained by this program is protected by Federal law and regulations. Generally, the program may not say to a person outside the program that a patient attends the program, or disclose any information identifying a patient as an alcohol or drug abuser Unless: (1) The patient consents in writing: Violation of the Federal law and regulations by a program is a crime. Suspected violations may be reported to appropriate authorities in accordance with Federal regulations. Federal law and regulations do not protect any information about a crime committed by a patient either at the program or against any person who works for the program or about any threat to commit such a crime. Federal laws and regulations do not protect any information about suspected child abuse or neglect from being reported under State law to appropriate State or local authorities. (See 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 for Federal laws and 42 C.F.R. Part 2 for Federal regulations.) (Approved by the Office of Management and Budget under Control No. 0930-0099) § 2.23 Patient access and restrictions on use. (a) Patient access not prohibited. These regulations do not prohibit a program from giving a patient access to his or her own records, including the opportunity to inspect and copy any records that the program maintains about the patient. The program is not required to obtain a patient's written consent or other authorization under these regulations in order to provide such access to the patient. (b) Restriction on use of information. Information obtained by patient access to his or her patient record is subject to the restriction on use of his information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1). Subpart C—Disclosures With Patient's Consent§ 2.31 Form of written consent. (a) Required elements. A written consent to a disclosure under these regulations must include: (1) The specific name or general designation of the program or person permitted to make the disclosure. (2) The name or title of the individual or the name of the organization to which disclosure is to be made. (3) The name of the patient. (4) The purpose of the disclosure. (5) How much and what kind of information is to be disclosed. (6) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient. (7) The date on which the consent is signed. (8) A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer. (9) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given. (b) Sample consent form. The following form complies with paragraph (a) of this section, but other elements may be added.
(c) Expired, deficient, or false consent. A disclosure may not be made
on the basis of a consent which: (Approved by the Office of Management and Budget under control number 0930-0099) § 2.32 Prohibition on redisclosure. Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by the following written statement: This information has been disclosed to you from records protected by Federal confidentiality rules (42 C.F.R. Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient. [52 FR 21809, June 9, 1987; 52 FR 41997, Nov. 2, 1987] § 2.33 Disclosures permitted with written consent. If a patient consents to a disclosure of his or her records under § 2.31, a program may disclose those records in accordance with that consent to any individual or organization named in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of § § 2.34 and 2.35, respectively. § 2.34 Disclosures to prevent multiple enrollments in detoxification and maintenance treatment programs. (a) Definitions. For purposes of this section: Central registry means an organization which obtains from two or more member programs patient-identifying information about individuals applying for maintenance treatment or detoxification treatment for the purpose of avoiding an individual's concurrent enrollment in more than one program. Detoxification treatment means the dispensing of a narcotic drug in decreasing doses to an individual in order to reduce or eliminate adverse physiological or psychological effects incident to withdrawal from the sustained use of a narcotic drug. Maintenance treatment means the dispensing of a narcotic drug in the treatment of an individual for dependence upon heroin or other morphine-like drugs. Member program means a detoxification treatment or maintenance treatment program which reports patient-identifying information to a central registry and which is in the same State as that central registry or is not more than 125 miles from any border of the State in which the central registry is located. (b) Restrictions on disclosure. A program may disclose patient records to a central registry or to any detoxification or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if: (1) The disclosure is made when: (2) The disclosure is limited to: (3) The disclosure is made with the patient's written consent meeting the
requirements of § 2.31, except that: (c) Use of information limited to prevention of multiple enrollments. A central registry and any detoxification or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not redisclose or use patient-identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under Subpart E of these regulations. (d) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose— (1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and (2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollment. (e) Permitted disclosure by a detoxification or maintenance treatment program to prevent a multiple enrollment. A detoxification or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollment. § 2.35 Disclosures to elements of the criminal justice system which have referred patients. (a) A program may disclose information about a patient to those persons
within the criminal justice system which have made participation in the program
a condition of the disposition of any criminal proceedings against the patient
or of the patient's parole or other release from custody if: (2) The patient has signed a written consent meeting the requirements of §
2.31 (except paragraph (a)(8) which is inconsistent with the revocation
provisions of paragraph (c) of this section) and the requirements of paragraphs
(b) and (c) of this section. (1) The anticipated length of the treatment; (2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and (3) Such other factors as the program, the patient, and the person(s) who
will receive the disclosure consider pertinent. Subpart D—Disclosures Without Patient Consent§ 2.51 Medical emergencies. (a) General Rule. Under the procedures required by paragraph (c) of this section, patient-identifying information may be disclosed to medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention. (b) Special Rule. Patient-identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers. (c) Procedures. Immediately following disclosure, the program shall document the disclosure in the patient's records, setting forth in writing: (1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility; (2) The name of the individual making the disclosure; (3) The date and time of the disclosure; and (4) The nature of the emergency (or error, if the report was to FDA). (Approved by the Office of Management and Budget under control number 0930-0099) § 2.52 Research activities. (a) Patient-identifying information may be disclosed for the purpose of conducting scientific research if the program director makes a determination that the recipient of the patient-identifying information: (1) Is qualified to conduct the research; (2) Has a research protocol under which the patient-identifying information:
(3) Has provided a satisfactory written statement that a group of three or
more individuals who are independent of the research project has reviewed the
protocol and determined that: (b) A person conducting research may disclose patient-identifying information obtained under paragraph (a) of this section only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities. [52 FR 21809, June 9, 1987, as amended at 52 FR 41997, Nov. 2, 1987] § 2.53 Audit and evaluation activities. (a) Records not copied or removed. If patient records are not copied or removed, patient-identifying information may be disclosed in the course of a review of records on program premises to any person who agrees in writing to comply with the limitations on redisclosure and use in paragraph (d) of this section and who: (1) Performs the audit or evaluation activity on behalf of: (2) Is determined by the program director to be qualified to conduct the
audit or evaluation activities. (1) Agrees in writing to: (2) Performs the audit or evaluation activity on behalf of: (c) Medicare or Medicaid audit or evaluation. (1) For purposes of Medicare or Medicaid audit or evaluation under this section, audit or evaluation includes a civil or administrative investigation of the program by any Federal, State, or local agency responsible for oversight of the Medicare or Medicaid program and includes administrative enforcement, against the program by the agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation. (2) Consistent with the definition of program in § 2.11, program includes an employee of, or provider of medical services under, the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section. (3) If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section, then a peer review organization which obtains the information under paragraph (a) or (b) may disclose the information to that person but only for purposes of Medicare or Medicaid audit or evaluation. (4) The provisions of this paragraph do not authorize the agency, the program, or any other person to disclose or use patient-identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the Medicare or Medicaid audit or evaluation activity as specified in this paragraph. (d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient-identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66 of these regulations. Subpart E—Court Orders Authorizing Disclosure and Use§ 2.61 Legal effect of order. (a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290ee-3, 42 U.S.C. 290dd-3 and these regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under these regulations. (b) Examples. (1) A person holding records subject to these regulations receives a subpoena for those records: a response to the subpoena is not permitted under the regulations unless an authorizing court order is entered. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under these regulations. (2) An authorizing court order is entered under these regulations, but the person authorized does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person authorized to disclose must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of these regulations. [52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] § 2.62 Order not applicable to records disclosed without consent to researchers, auditors and evaluators. A court order under these regulations may not authorize qualified personnel, who have received patient-identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records. § 2.63 Confidential communications. (a) A court order under these regulations may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment only if: (1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties; (2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or (3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications. § 2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes. (a) Application. An order authorizing the disclosure of patient records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which it appears that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient-identifying information unless the patient is the applicant or has given a written consent (meeting the requirements of these regulations) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny. (b) Notice. The patient and the person holding the records from whom disclosure is sought must be given: (1) Adequate notice in a manner which will not disclose patient-identifying information to other persons: and (2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order. (c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient-identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a manner which meets the written consent requirements of these regulations. The proceeding may include an examination by the judge of the patient records referred to in the application. (d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that: (1) Other ways of obtaining the information are not available or would not be effective; and (2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician–patient relationship and the treatment services. (e) Content of order. An order authorizing a disclosure must:
(2) Limit disclosure to those persons whose need for information is the basis for the order; and (3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician–patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered. § 2.65 Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients. (a) Application. An order authorizing the disclosure or use of patient records to criminally investigate or prosecute a patient may be applied for by the person holding the records or by any person conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise disclose patient-identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny. (b) Notice and hearing. Unless an order under § 2.66 is sought with an order under this section, the person holding the records must be given: (1) Adequate notice (in a manner which will not disclose patient-identifying information to third parties) of an application by a person performing a law enforcement function; (2) An opportunity to appear and be heard for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order; and (3) An opportunity to be represented by counsel independent of counsel for an applicant who is a person performing a law enforcement function. (c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or hearing on the application shall be held in the judge's chambers or in some other manner which ensures that patient-identifying information is not disclosed to anyone other than a party to the proceedings, the patient, or the person holding the records. The proceeding may include an examination by the judge of the patient records referred to in the application. (d) Criteria. A court may authorize the disclosure and use of patient records for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met: (1) The crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect. (2) There is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution. (3) Other ways of obtaining the information are not available or would not be effective. (4) The potential injury to the patient, to the physician–patient relationship and to the ability of the program to provide services to other patients is outweighed by the public interest and the need for the disclosure. (5) If the applicant is a person performing a law enforcement function that:
(e) Content of order. Any order authorizing a disclosure or use of patient records under this section must: (1) Limit disclosure and use to those parts of the patient's record which are essential to fulfill the objective of the order; (2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of extremely serious crime or suspected crime specified in the application; and (3) Include such other measures as are necessary to limit disclosure and use to the fulfillment of only that public interest and need found by the court. [52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] § 2.66 Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a program or the person holding the records. (a) Application. (1) An order authorizing the disclosure or use of patient records to criminally or administratively investigate or prosecute a program or the person holding the records (or employees or agents of that program or person) may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities. (2) The application may be filed separately or as part of a pending civil or criminal action against a program or the person holding the records (or agents or employees of the program or person) in which it appears that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient-identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has given a written consent (meeting the requirements of § 2.31 of these regulations) to that disclosure. (b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order. (c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of § 2.64 of these regulations. (d) Limitations on disclosure and use of patient-identifying information: (1) An order entered under this section must require the deletion of patient-identifying information from any documents made available to the public. (2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient, or be used as the basis for an application for an order under § 2.65 of these regulations. § 2.67 Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a program. (a) Application. A court order authorizing the placement of an undercover agent or informant in a program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the program are engaged in criminal misconduct. (b) Notice. The program director must be given adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order), unless the application asserts a belief that: (1) The program director is involved in the criminal activities to be investigated by the undercover agent or informant; or (2) The program director will intentionally or unintentionally disclose the proposed placement of an undercover agent or informant to the employees or agents who are suspected of criminal activities. (c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find: (1) There is reason to believe that an employee or agent of the program is engaged in criminal activity; (2) Other ways of obtaining evidence of this criminal activity are not available or would not be effective; and (3) The public interest and need for the placement of an undercover agent or informant in the program outweigh the potential injury to patients of the program, physicianBpatient relationships and the treatment services. (d) Content of order. An order authorizing the placement of an undercover agent or informant in a program must: (1) Specifically authorize the placement of an undercover agent or an informant; (2) Limit the total period of the placement to 6 months; (3) Prohibit the undercover agent or informant from disclosing any patient-identifying information obtained from the placement except as necessary to criminally investigate or prosecute employees or agents of the program; and (4) Include any other measures which are appropriate to limit any potential disruption of the program by the placement and any potential for a real or apparent breach of patient confidentiality; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered. (e) Limitation on use of information. No information obtained by an undercover agent or informant placed under this section may be used to criminally investigate or prosecute any patient or as the basis for an application for an order under § 2.65 of these regulations.
Appendix B—Managed Care and Client ConfidentialityAs managed care plans proliferate across the country, alcohol and other drug (AOD) treatment providers and single State agencies have become increasingly concerned about the impact of these plans on client confidentiality. Managed care plans vary from State to State and from program to program, yet all require some communication between a client's AOD treatment provider and his or her managed care plan. Some managed care plans require client information from treatment programs to perform "gatekeeping" functions—preapproving treatment plans and monitoring admissions and lengths of stay. Other managed care programs, such as health maintenance organizations (HMOs) that provide primary health care and AOD treatment services either directly or through network providers, require information to coordinate care as well as to perform gate-keeping functions. Depending on the purpose of the communication and the role of the managed care provider, different issues relating to confidentiality arise. This appendix addresses the ways in which AOD treatment programs, under the Federal confidentiality law and regulations, may communicate with managed care providers while still protecting clients' confidentiality rights. Also discussed are the confidentiality issues that programs have to consider as they explore ways to restructure the delivery of AOD treatment in a managed care environment. This appendix provides answers for the eight most frequently asked questions about managed care and client confidentiality.
The Federal confidentiality law and regulations prohibit Federally assisted AOD programs from disclosing any records or other information about any patient except under certain specified conditions. Programs that are covered by the regulations are those that, in whole or in part, provide AOD diagnosis, treatment, or referral for treatment. Thus, programs that are covered by the regulations cannot disclose any "patient-identifying information" (i.e., any information that would identify a client as having an AOD problem or receiving AOD services) to managed care plans unless the specific conditions laid out in the regulations are met. With the advent of managed care, many health care providers that have not traditionally fallen under the Federal confidentiality regulations now meet the definition of a program that must follow the regulations. For example, some for-profit AOD treatment programs have only accepted payment from insurance companies or patients themselves. These programs do not receive Federal assistance of any kind, either directly or indirectly, and, unless required to do so by the State where they do business, have not had to follow the Federal regulations. Increasingly, however, many of these programs have joined managed care networks, such as HMOs, that do receive some Federal funding. Consequently, these treatment programs now indirectly receive Federal funds and must follow the regulations. Similarly, many managed care organizations, such as HMOs, that have not traditionally had to follow the regulations are now providing the type of service and receiving the type of Federal assistance that bring them under the regulations. Many of these plans, typically HMOs, are beginning to provide AOD treatment directly or are performing assessments and diagnoses and referring patients for treatment. In addition, because plans that have historically accepted only privately insured patients are, in growing numbers, becoming part of Medicaid managed care and received Federally assisted Medicaid payments, they are now receiving Federal assistance. Thus, they too have to follow the regulations whenever they make a disclosure that involves patient-identifying information.
Depending on the purpose of the disclosure and the relationship between the treatment program and the managed care entity, several options, or "exceptions," under the Federal confidentiality regulations may enable programs to disclose client information to managed care providers. These options include written consent, a qualified service organization agreement (QSOA), audit or evaluation, internal communications, and medical emergency. (a) Proper consent Treatment programs may make a disclosure to a managed care provider if the client signs a valid consent form. The consent form must comply with the requirements of § 2.31 of the Federal confidentiality regulations and must be accompanied by the notice prohibiting redisclosure that is required by § 2.32. To protect their clients' rights, programs are advised to consult with their clients' managed care providers whenever possible to ascertain how they intend to use the information. Despite the prohibition on redisclosure, managed care providers frequently redisclose to third parties (e.g., insurance companies, other health care providers, government agencies) information that identifies the client as having received AOD services. If the program learns that the managed care provider will be redisclosing information, then it may decide to draft the original consent form in such a way that permits the redisclosure by the managed care agent. This helps ensure that the client is truly making an informed decision about whether to consent to the disclosure. Programs also have the option of drafting a consent form that allows for three-way communication (e.g., a situation in which the treatment program, the managed care provider, and another health care provider need to discuss and coordinate the client's care), as long as the purpose for the disclosure and the nature of the information to be disclosed are the same. (b) Qualified service organization agreement A treatment program may enter into a QSOA with a managed care provider if the managed care provider renders the type of service that qualifies it as a "service organization." Under § 2.11 of the regulations, a "qualified service organization" (QSO) is a person or agency that provides services to the program, such as legal, medical, accounting, laboratory analyses, or other professional services. To become a QSO, an organization must agree in writing to (1) follow the Federal rules in handling the information it receives from the AOD program and (2) challenge in court any unauthorized attempt to obtain that information, as a covered AOD program must also do. Once the agreement is signed, the treatment program may freely communicate information from patient records to the QSO without patient consent—but only the information that is needed by the QSO in order to provide services to the program. Thus, if a managed care program provides a service that qualifies it as a service organization, as defined in § 2.11, and if it is willing to sign a QSOA, then the treatment program may give the managed care provider the information it needs to perform its services without the client's consent. It is therefore crucial to look at the type of service being provided by a managed care entity to determine whether it is, in fact, a QSO. The following examples, depicting the most frequent managed care functions, illustrate the point:
Medical services are clearly the type of services that can qualify an organization as a QSO. In the first example, because the managed care provider is itself rendering medical services to treatment program clients, it can be considered a "service organization." Thus, a QSOA can be signed between the treatment program and the managed care provider for the provision of health care services to the treatment program's clients. The treatment program should make sure that the QSOA specifies the nature of the service to be provided by the managed care program, so it can limit how the managed care program can use client information. In the second two examples, the managed care providers do not provide primary health care services directly; instead, they contract out for those services. Because treatment providers in the second example do not need to involve the managed care provider when referring clients for health care services, they have no need for a QSOA with the managed care provider. Instead, they can sign QSOAs with the treating health care providers. Should the health care providers need to give information to the managed care provider in order to get reimbursed for services rendered, under the terms of the QSOA, they cannot not reveal any information they received from the treatment providers that would identify referred clients as having AOD problems or receiving AOD services. In the third example, the managed care provider is providing a service to the treatment program, that is, referral for primary care services for its clients. Therefore, the treatment program can sign a QSOA with the managed care provider for the provision of referral services. Should the need exist, the treatment program can also sign QSOAs with the health care providers who are actually treating its clients. However, as in the second example, neither the managed care provider nor the physicians would be allowed to share AOD patient-identifying information received from the treatment programs with each other. Instead, they would have to use one of the three methods described in the preceding paragraph. (c) Internal communications In some circumstances, HMOs and other managed care providers directly provide AOD treatment, and thus the treatment program and the managed care provider are one entity. The Federal regulations do permit AOD records to be shared between program personnel or with "an entity that has direct administrative control over the program" if the communication occurs "between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug abuse" (§ 2.12(c)(3)). Disclosures between an AOD unit and other parts of a managed care program are authorized without patient consent if those disclosures are necessary to provide the AOD services. These might include communications to the managed care provider's central-billing or record-keeping departments or laboratory. (d) Medical emergency In certain circumstances, disclosures may also be made by treatment providers to their clients' managed care providers to the extent necessary to meet a bona fide "medical emergency" affecting the patient or any other person (§ 2.51). The medical emergency exception authorizes a program to disclose patient-identifying information to "medical personnel" who "have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention" (§ 2.51(a)). Thus, if a managed care program provides direct health care services, it can clearly be seen as "medical personnel" and can receive information from a treatment program when a client's condition poses an immediate threat to his or her health or that of others and requires immediate medical intervention. The same is not true, however, if the managed care provider does not directly provide health care services but rather merely pays for the emergency care. If a managed care provider allows clients to receive emergency care at an emergency room but requires notification within a specified period of time, then the managed care provider is acting as a third-party payer and not a treatment provider and cannot receive information from a treatment program under the medical emergency exception. However, medical personnel who treat the client for the emergency can contact the managed care provider for the purpose of getting reimbursed for the services rendered, even if that communication reveals that the client has an AOD problem. The restrictions on disclosures under the Federal confidentiality regulations do not apply to medical personnel who receive information from treatment programs for the purpose of treating a medical emergency (§ 2.12(d)(2)). (e)Audit and evaluation Federal, State, or local government agencies that provide financial assistance to a program and managed care providers that are third-party payers covering patients in the program may examine patient records for the purpose of performing an audit or evaluation of the program (§ 2.53). This "audit-and-evaluation" exception is a narrow one, designed only to permit financial and programmatic evaluation of a program's functions. If a managed care provider wishes to see patient records to preauthorize or pay for treatment, then it may not do so without obtaining the client's consent. Such a review is not for determining how the program is functioning financially or otherwise and thus does not fit within the audit-and-evaluation exception. Any managed care organization or agency that conducts an audit or evaluation must agree in writing that it will redisclose patient-identifying information only (1) back to the program, (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation (§ 2.53(c), (d)).
Managed care organizations request information for many different reasons. As noted above, managed care plans sometime require client information from treatment programs to perform "gatekeeping" functions—preapproving treatment plans and monitoring admissions and lengths of stay. At other times, managed care programs require information to coordinate care or to document that the patient's treatment is reimbursable. Managed care entities appear to be requesting ever greater amounts of information about clients both before they approve treatment and as treatment progresses. Some managed care plans ask to see clients' entire files, sometimes dating back years. Whenever information is shared with insurance carriers and managed care entities, significant dangers arise to patient privacy. Many managed care plans, especially those that are part of private insurance companies, routinely share information through vast computerized networks. For these reasons, AOD programs making disclosures to managed care entities should try to negotiate a more limited disclosure because the regulations limit even consented disclosures to only that information necessary to meet the intended purpose (§ 2.13(a)). Programs can often convince insurance companies to be satisfied with less information than they initially sought. For example, determinations of eligibility for third-party payments often can be made without extensive disclosure of the patient's clinical record. Restricting disclosure to reasonably necessary information means that the program should communicate only the minimum amount of information required to show that the patient has received treatment and that such treatment is reimbursable. If the managed care entity asks for more detail, then the treatment program should question the necessity of divulging further information and, if necessary, appeal the request for additional information within the plan or to the State insurance department. Some States now regulate the actions of managed care entities. Of course, if a managed care plan insists on additional documentation before approving admission or processing a claim, its action is in accordance with State law, and the patient consents, then the program may have little choice but to comply.
This is a complicated question. If an insurance company or a managed care plan provides coverage that includes reimbursement for AOD treatment that is "medically necessary," then its decision to reimburse should be based on whether the treatment being mandated meets that criterion and not on the referral source. If a managed care plan takes the position that any care mandated by court is not, by definition, medically necessary, then that decision most likely violates the terms and conditions of its contract with the member and should be appealed. Some managed care plans, however, will not explicitly state that they will not reimburse for mandated services but set up procedures that virtually ensure that result. For example, some managed care plans will not accept the assessment of intermediate sanctions programs or other assessors who are outside of the managed care network. Yet, at the same time, the managed care plan will not come to court or jail to perform its own assessments, creating a "Catch 22" in which offenders cannot be diverted or released unless they have a program to go to but cannot be assessed and treated unless they have been diverted or released. Practices such as these threaten to disrupt tremendously the criminal justice system and family courts because these systems increasingly rely on AOD treatment both to rehabilitate offenders and to reduce unnecessary reliance on incarceration. Barring State legislation or regulation that requires managed care plans to pay for court-mandated services, patients should be advised to appeal any denial of reimbursement for such services and, if unsuccessful, file complaints with their State health and/or insurance department.
Courts mandating individuals into treatment generally will not have any interest in directing what records should be made available to managed care providers. Courts will often, however, have an interest in receiving periodic reports from the AOD program about the progress of the individual mandated into treatment. In such a situation, the program should get the client's consent to disclose the information requested to the court. This usually includes information about the client's prognosis, attendance or lack of attendance at treatment sessions, and his or her cooperation with the treatment program. If a managed care plan is reimbursing an AOD program for services rendered to clients mandated into treatment, then that managed care plan will have the same interest in obtaining information about those mandated clients as they have in nonmandated clients. As noted above, this may involve the managed care plan asking for more information than the program believes is necessary to accomplish the disclosure's purpose. The program should then question the necessity of making such an extensive disclosure and try to negotiate a more limited disclosure with the managed care company. This may include the initial evaluation and diagnosis; a summary of the treatment plan; the patient's attendance, progress, and compliance; and the discharge plan.
If the managed care provider requires an AOD program to get preauthorization before providing treatment, the program must obtain the client's consent before contacting the managed care provider. The Federal confidentiality regulations define the term "patient" as "any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse" (§ 2.11). Thus, once the client applies to the program for services, he or she is protected by the Federal confidentiality law, and information that would identify the client as an alcohol or drug abuser cannot be divulged by the program without his or her consent. Because calling a managed care plan to ask whether John Smith has coverage for AOD treatment is a disclosure that John Smith has applied for such services, Mr. Smith's consent is required before the program can make the call.
As AOD programs explore ways to restructure the service of the services so that they can adapt to the managed care environment, many are beginning to form networks. These networks are being configured in different ways. Depending on how these networks are designed, different options under the Federal regulations will enable the components to share information. For example, some AOD programs are coming together and setting up whole new programs that offer a full range of treatment services. These programs are not maintaining their own unique identities but rather are merging and creating a new identity. The different components of this new program can discuss patient-identifying information with each other following the internal communications provisions set out in the Federal regulations and explained in question 2. Thus, if one component is responsible for the initial intake and referral to the appropriate service component, and if the different parts of the agency meet periodically to discuss a patient's progress and decide that a different approach may be warranted, and if this information is given to the billing department so that the program can get paid by the managed care plan, then all of these disclosures are permitted under the internal communications option described in the Federal regulations because the recipients in each case need the information to provide the AOD service. Other programs are forming more loosely connected networks. They are not giving up their own separate identities but rather are working together to develop the kind of comprehensive service package that is attractive to managed care entities. Because these are all separate programs, the internal communication option is not available to such a network. Nor can these programs sign QSOAs with each other, because, as noted above, two programs that are covered by the regulations cannot sign a QSOA for the purpose of providing an AOD service. Thus, the only option available to such a network is the use of consent forms. Rather than each program having to draft its own consent form before it can disclose information to the other network members, however, the regulations do allow for the signing of multiparty consent forms. The key to such a form is making sure that it authorizes each party listed on the form to disclose the information specified to all the other parties on the form. For example, a patient can sign a consent form that states "the following treatment programs are authorized to disclose to and communicate with one another" the following specified information "for the purpose of coordinating my care and providing my treatment." If the network is using a multiparty consent form, it must make sure that the same kind and amount of information will be shared, for the same common purpose, among all those authorized to receive and/or disclose that information. When and how the various types of networks can share information with the managed care entity is discussed in question 2.
Besides the confidentiality protections afforded to patients in AOD programs, some States have passed legislation regulating managed care practices and containing numerous consumer protections. Depending on the legislation, the following protections exist for patients regarding managed care:
Top of Page
Contact Us | Site Map | Privacy Policy | Accessibility Home | Documents | Information Exchange Services Special Topics | Resources | State Information | Online Resources Last Updated 11-7-02 |