Overview of Patient Privacy Regulations
CCBHCs must comply with federal Substance Abuse Confidentiality Regulations (42 CFR Part 2), which govern the confidentiality, use, and disclosure of clinical records for care and treatment related to substance use disorders. These regulations establish requirements on the disclosure of patient records, including any identifying information, for federally assisted substance use disorder treatment programs. The CCBHC certification criteria outline requirements related to protecting patient privacy.
The Substance Abuse Confidentiality Regulations were established to provide comprehensive privacy protections to promote patient confidentiality in substance use disorder treatment. They are based on the assumption that people are more likely to seek such care if they are assured their need for treatment will not be unnecessarily disclosed to others.
To Whom Do the Regulations Apply?
The Substance Abuse Confidentiality Regulations apply to federally funded providers of alcohol or drug abuse diagnosis, treatment, or referral for treatment, who hold, receive, or seek patient identifying information related to substance use disorder care. The regulations are intended to protect the individual’s identity as a participant in treatment for a substance use disorder. They apply to all current and former treatment information.
How do These Regulations Relate to State Laws?
It is permissible for state laws, for the disclosure of confidential information on substance use disorder care, to be more restrictive than these federal regulations. However, state laws may not override them. If a state law is not stricter and conflicts with federal regulations, then the state law must yield to the federal regulations.
What Constitutes Disclosure of Patient Identifying Information?
The disclosure of patient identifying information includes any communications that either directly or indirectly recognize an individual as having applied for, received, or been referred for substance use disorder care. This includes acknowledgement or confirmation of an individual’s participation in treatment, disclosure of his or her health records, testimony about any care received, or anecdotal information that could lead to inference of a patient’s identity. Consent for the sharing of information within a treatment program or facility is not required.
Consent for the Disclosure of Patient Identifying Information
The disclosure of patient identifying information is governed by an individual’s consent for the release of this information. This requires the signing of a valid consent form that includes:
- Patient name
- Purpose of the disclosure
- The program making the disclosure
- The recipient of the information
- The specific information to be released
- The process for a patient to revoke this consent
- Expiration date of the consent
Required notices of restrictions on re-disclosure must also accompany the release of consented information.
Release of Information in Medical Emergencies
Patient identifying information may be released without consent in medical emergencies if there is an immediate threat requiring immediate medical intervention. Patient identifying information may be released to medical personnel only when this information is needed to treat an individual for a medical condition.
Court-ordered Release of Information
Federal, state, and local courts may issue orders to authorize the release or disclosure of patient identifying information and records. However, individuals and programs must be given ample notice and opportunity to provide oral or written response to such an order. Therefore, a subpoena, search warrant, or arrest warrant that is signed by a judge is not necessarily sufficient to compel disclosure.
In a situation where an individual or program is being investigated or prosecuted, the patient is not necessarily entitled to prior notice. In cases of child neglect or abuse, programs and clinicians are allowed to disclose information as required to comply with related laws, but Substance Abuse Confidentiality Regulations continue to apply for records maintained by the program.
Requirements From the Criteria
The Department of Health and Human Services (HHS) has developed criteria for CCBHC certification. Access the complete CCBHC certification criteria – 2016 (PDF | 755 KB).
The criteria include the following requirements related to protecting patient privacy:
- 1.d.5. All CCBHC employees, affiliated providers, and interpreters must understand and adhere to confidentiality and privacy requirements applicable to the service provider, including but not limited to those of 42 CFR Part 2.
- 3.a.2. The CCBHC must maintain the necessary documentation to satisfy the requirements of 42 CFR Part 2.
- 3.b.4. The CCBHC will work with designated collaborating organizations (DCOs) to ensure that all steps are taken, including obtaining consumer consent, to comply with privacy and confidentiality requirements, including but not limited to those 42 CFR Part 2.
- 3.d.1. All treatment planning and care coordination activities are subject to 42 CFR Part 2.