Printer Friendly

Confidentiality law: time for change? Proposal seeks to address limits of current confidentiality law and create stronger legal protection for substance use treatment information.

In 1972, Congress adopted The Federal Confidentiality of Alcohol and Drug Abuse Patient Records law (now codified at 42 USC 290dd-2), reflecting its concern that individuals not be made more vulnerable as a result of seeking treatment for a substance use disorder. In the eyes of addiction treatment patients and their families, the fear and reality of stigma and discrimination remain just as real today as they were in 1972. As a result, we must continue to take exceptional care to protect the privacy of those seeking treatment.

As general counsel to a number of addiction treatment organizations, I work with front-line clinicians who manage the complexity of the confidentiality law every day in countless forms: court orders, requests from prosecuting attorneys and law enforcement, subpoenas for civil actions (divorce, child custody, employment), insurance claims, government benefit programs, families, and many more.

These treatment providers face difficult legal and ethical dilemmas in responding to these many requests. We constantly strategize about how to legally disclose, or refuse to disclose, patient information within the framework of existing law. As a result of this experience, I believe the confidentiality law and regulations could be improved to include--among a variety of other amendments--explicit, limited data-sharing exceptions with a series of patient protections that do not exist under current law.

I consider such exceptions and protections essential for treatment providers struggling to cope with the unforeseen technological advances of recent years and the new demands and opportunities offered by the historic reforms involving parity and national healthcare. The consequence of these advances will be greater coordination of health services delivered by multiple providers, accomplished in part through implementation of electronic health records (EHRs), which make it possible to electronically transmit a critical subset of a patient's vital information from one provider to another in the event the patient requires care.


It is with the future in mind, a future of "interoperable" EHRs containing patient data, that I suggest the need for limited data sharing exceptions and expanded patient protections. Here is why: The existing confidentiality law clearly allows release of substance use treatment information to healthcare providers only under two circumstances: when a patient decides what information may be disclosed and specifically authorizes this disclosure in the form of written consent (as specified by 42 CFR 2.31), or in cases of medical emergency (42 CFR 2.51).

While some privacy advocates believe this protection should be maintained, many medical experts, including physicians, contend that non-medical professionals and patients may not understand or recognize how the restriction of certain information might impact a course of testing, diagnosis, treatment, and plan of care. They assert that the restriction in current law blocks communication of relevant and essential information impacting the cost and quality of care. Potentially, it reduces patient safety and could jeopardize patients' lives because it limits the ability of healthcare providers and health plans to:

* Conduct outreach to people who may be receiving duplicative or inappropriate treatment;

* Coordinate care of persons who may be at significant risk;

* Identify medications or other treatments that may be contraindicated; and

* Diagnose and treat underlying health conditions or avoid treatments that exacerbate such conditions.

To aid treatment providers in complying with requests for relevant information, supporting coordinated care, and maintaining strict confidentiality of patient substance use treatment information, a group of diverse stakeholders have commenced discussion to address the statute's shortcomings.

Concerns about current confidentiality laws

In my 20 years' experience as a legal counsel to treatment centers nationwide and in training work involving thousands of counselors and administrators, I have observed that although many understand the intent of current confidentiality law and regulations, few appreciate their complexity and limitations. Below is a partial list of my most significant concerns.

Concern 1: Current law only protects addiction treatment information in certain settings. Confidentiality requirements for substance use disorder treatment information apply only when that information is contained in a record held by a federally assisted "program." In other words, addiction treatment information given in a general hospital, emergency room, physician office, federally qualified health center, or rural clinic generally would not be protected.

Under 42 CFR 2.11, the information is only protected under the regulations if: (a) An individual or entity (other than a general medical care facility) holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment; (b) is an identified unit within a general medical facility that holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment; or (c) is medical personnel or other staff in a general medical care facility whose primary function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment and who are identified as such providers. See 42 CFR 2.12(e) (1) for specific examples of applicability of the regulations.

Further, we know that NIDA and SAMHSA support the SBIRT (screening, brief intervention, and referral for treatment) model and that the ONDCP is promoting further integration between primary care and addiction treatment. At present, information provided by SBIRT physicians in primary care or general healthcare settings is not protected by 42 CFR Part 2. Why not extend confidentiality protections beyond the "program" setting?

Concern 2: Current law provides no non-discrimination prohibitions or protections. Although concern about discrimination was the driving force for the confidentiality statute, this statute differs sharply from newer laws, such as the federal Genetic Information Non-discrimination Act of 2008 (GINA) (Public Law 110-233; 42 U.S.C. 2000ff), because it provides no nondiscrimination prohibitions or protections. By contrast, GINA provides a number of protections regarding insurance discrimination, disability and life insurance discrimination, and employment discrimination. Wouldn't it be helpful for persons in recovery to have the same non-discrimination protections? Given that preventing stigma and discrimination is such an important component of encouraging persons to seek treatment, why rely on a patchwork of state anti-discrimination laws and the limitations under the Americans with Disabilities Act? Why not explicitly prohibit the real discrimination we know our patients face, especially for our patients on methadone?


Concern 3: Despite current law, stigma and discrimination continue to exist today. According to a February 2010 statement from Faces and Voices of Recovery (FAVOR), a 2001 survey of the recovery community conducted by Peter D. Hart Research Associates reported that 24 percent of people in recovery experienced employment and/or insurance discrimination. FAVOR noted that "these experiences occurred even with privacy protections in place."

If numerous case examples and real-life stories about discrimination exist despite the fact that the statute and regulations have been in place for over 35 years, is the statute really working? Does the fact of discrimination warrant a review and enhancement of the law's protections for those in recovery?

Concern 4: Using the QSO exception does not provide an adequate solution. Some opponents of confidentiality law changes contend that qualified service organization (QSO) agreements available under current law and regulations may be interpreted to permit the type of limited information sharing with medical providers that is needed to serve medical needs and protect the patient privacy. This contention holds that medical personnel can obtain the patient information they need by entering into QSO agreements with treatment centers. Should the Obama administration recommend use of a QSO mechanism to permit disclosure of information to and among healthcare providers and health plans, I recommend that treatment programs obtain that interpretation, in writing, from SAMHSA before exposing their organization to liability.

Here is why: QSO agreements were intended for use with organizations that "provide services to a program," including such things as accounting, information technology, billing, legal, medical, or other professional services. The original intent of QSO agreements was to ensure that service providers protect the confidentiality of treatment center patient information that is handled or exchanged incidental to their essential service activity.

Most programs would use this QSO exemption for hospitals or physician groups providing "services to the program" (such as furnishing the history and physicals to patients in the program, or contracting with physicians for medical director services or specialty services such as psychiatric care).

However, if a program needed to obtain information from or share information with a patient's physician related to continuity of care, not incidental to the provision of a service, I believe that the QSO exemption could be questioned. In these situations, an explicit, written patient authorization would still be required, since such communication would be for a purpose other than the provision of a service to the program. If the QSO mechanism is used for this purpose, it provides more substance use disorder treatment information, with less patient protection, than that offered in our proposal, which limits the number of data elements that can be shared with healthcare providers and, additionally, protects against discrimination.

Concern 5: Remedies provided in current confidentiality regulations are weak. Legal remedies for violations of the current confidentiality statute are limited to a $500 criminal penalty, with additional violations allowing for increases up to $5,000. I do not believe that such amounts really serve as a deterrent to improper use or resulting discrimination. How many criminal cases have been brought by the U.S. Attorneys' Office to enforce these regulations? Why not extend the broader penalties offered under the HITECH Act, which may impose fines of up to $1.5 million? Why not afford patients a private right of action, including the provision of attorneys' fees, to further ensure that their rights are protected?

Concern 6: Strong confidentiality protections are essential to prevent access and use of information by law enforcement. Information related to the disease of addiction and its related treatment is of potential interest to law enforcement, so it is essential that any proposed changes to current law maintain the strong confidentiality protections in the current statute and regulations. Our proposal does that by retaining the special due process protections of the court orders required under 42 CFR 2.61-2.66. It also strengthens the provisions that prohibit use of treatment information in criminal and civil proceedings by the government without a specific court order and includes exclusion of evidence as a remedy for illegally obtaining or wrongfully using confidential treatment information.

Concern 7: Potential for reinterpreting or revising current confidentiality regulations is uncertain. The current confidentiality statute provides broad authority to the Secretary of Health and Human Services to prescribe regulations to "carry out the purposes" of the statute (42 U.S.C. 290dd-2(g)). The "regulations may contain such definitions, and may provide for safeguards and procedure ... as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith" (42 U.S.C. 290dd-2(g)).

Some opponents have justifiably highlighted the risk of opening the existing statute, suggesting that the unpredictability of the legislative process justifies the status quo and outweighs the patient safety concerns raised by physicians and the discrimination enforcement issues raised by patient privacy advocates. In response, some have begun to explore whether additional administrative interpretations or expanded regulations could address the limitations of current law, and SAMHSA attorneys are investigating the scope of their department's authority to promulgate regulations if consensus supports further revisions.

A new vision for the confidentiality statute

Addiction treatment providers are vital to our healthcare delivery system and should not feel compelled to segregate or exclude themselves from the future exchange of EHR information because their concerns about protecting patient confidentiality and preserving patient trust remain unresolved. As an advocate for treatment centers and their patients, I support any straightforward, enforceable mechanism that effectively enhances protections for patient safety and patient privacy. I defer to the SAMHSA attorneys to determine the scope of their department's authority to promulgate these protections via regulations. However, I remain concerned about whether the expansive regulatory revisions needed could withstand judicial scrutiny and legal challenge, while supporting stronger enforcement and stiffer penalties.

The proposal, available for review at, balances a modest, but necessary, liberalization of treatment-related disclosure with several major amendments designed to strengthen the statute sanctions and remedies for breaches of confidentiality. It includes an explicit and limited exclusion allowing disclosures of substance use disorder treatment information to healthcare providers and health plans for purposes of treatment, coordination of care, recovery support, quality improvement, disease management, and payment. These disclosures are much more restricted than those allowed by the HIPAA Privacy Rule. The only items that can be disclosed without authorization for the two proposed limited exceptions are demographic information, diagnosis, medications, laboratory results, and identification of past or current treatment providers.

To deter improper use and provide the necessary patient protections not available in current law, the proposal includes robust provisions that would:

1. Prohibit discrimination on the basis of information in substance use disorder program records;

2. Limit use in criminal and civil investigations or proceedings;

3. Strengthen civil and criminal sanctions against unauthorized disclosures; and

4. Provide individuals the right to pursue civil remedies against persons who violate the statute and include attorneys' fees.

It is important for SAMHSA to hear your perspective--everyone's voice matters. To build consensus, we need to air the issues and welcome the input of all informed constituents and stakeholders--not just the Washington insiders.


Renee Popovits is a founding partner at Popovits & Robinson. She is a nationally-recognized specialist in privacy and confidentiality law, including HIPAA and 42 CFR Part 2 and serves as general counsel to several major behavioral health providers.

COPYRIGHT 2010 Vendome Group LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2010 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Popovits, Renee M.
Publication:Behavioral Healthcare
Date:Apr 1, 2010
Previous Article:Rosenberg: reform is a "game changer": National Council CEO reflects on accomplishments, opportunities, and challenges.
Next Article:Ready, set, integrate! After last month's lesson in overcoming fears, staff must learn their roles in implementing peer support and physical health...

Terms of use | Privacy policy | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters