 
|
| Home | Documents | Information Exchange Services |
Special Topics |
Resources | State Information |
Online Resources |
|
This page contains links to external Web sites. TAP 18: Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance
Checklist for Monitoring Alcohol and Other Drug Confidentiality ComplianceTechnical Assistance Publication Series18U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Rockwall II, 5600 Fisher Lane Introduction of TAP 18: Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance This publication is part of the Substance Abuse Prevention and Treatment Block Grant technical assistance program. All material appearing in this volume except quoted passages from copyrighted sources is in the public domain and may be reproduced or copied without permission from the Center for Substance Abuse Treatment (CSAT) or the authors. Citation of the source is appreciated. This publication was prepared under contract number 270-93-0004 from the Substance Abuse and Mental Health Services Administration (SAMHSA). Gayle Saunders, of CSAT, served as the Government project officer. The opinions expressed herein are the views of the authors and do not necessarily reflect the official position of CSAT or any other part of the U.S. Department of Health and Human Services (DHHS). DHHS Publication No. (SMA) 96-3083 Printed 1996 ForewordThe Center for Substance Abuse Treatment (CSAT) of the Substance Abuse and Mental Health Services Administration (SAMHSA) is pleased to present this document, Number 18 in the Technical Assistance Publication (TAP) series. Alcohol and drug treatment and prevention program staff and management, as well as State agency officials often have questions about the disclosure of information relating to alcohol and other drug (AOD) diagnosis and treatment. This TAP is designed to answer some of those questions. It provides an easy-to-use checklist that should enable both AOD programs and State and other government monitoring agencies to quickly determine whether a breach of patient confidentiality has occurred under the Federal law and regulations governing patient confidentiality. This TAP is one of several products developed by the Legal Action Center pursuant to a grant by CSAT to provide information on improving methods of collaboration between AOD treatment and prevention programs and State public health providers. Appendix B in this document is a presentation on the emerging issue of managed care and its impact on the confidentiality of AOD records. This is another area of concern to AOD programs and State government agencies. It is also an area in which these agencies are having to interact with new health care entities such as health maintenance organizations (HMOs). Nothing in this publication should be construed as authorizing or permitting any person to perform an act that is not permitted under the regulations governing confidentiality of substance abuse patient records as cited throughout these materials, or by any other Federal or State laws. David J. Mactas IntroductionThe Federal alcohol and other drug (AOD) confidentiality law requires covered programs to strictly maintain the confidentiality of AOD patient records. The law (42 U.S.C. § 290dd-2) and its accompanying regulations (42 C.F.R. Part 2, referred to in this guide as "the regulations" came about through Congress' recognition that safeguards on privacy serve the important purpose of encouraging persons to seek AOD dependence care by preventing the disclosure of information related to their AOD diagnosis and treatment, which could stigmatize them in their communities. Although remarkably effective, the laws are also complex. Questions about which disclosures are and are not permissible sometimes confuse AOD treatment programs and the State agencies responsible for funding and evaluating them. This guideline is designed to alleviate some of that confusion. It provides an easy-to-use checklist that should enable the compliance personnel of both AOD programs and State and other government monitoring agencies to quickly determine whether complaints alleging a breach of patient confidentiality are justified under the Federal confidentiality law. Two important caveats apply. First, this checklist should only be consulted to determine whether a prior disclosure complied with the law. It should not be consulted to determine whether to make a disclosure in the first instance. For such decisions, programs and State agency staff should consult more detailed analyses of the Federal regulations, such as that contained in the Legal Action Center's book, Confidentiality: A Guide to the Federal Law and Regulations. Because the checklist is written in summary form (hence its easy-to-use style), sole reliance on it could result in inadvertent breaches of the regulations. The second caveat is that when using the checklist for its intended purpose–to evaluate whether prior communications complied with the law–compliance personnel should consult more detailed analyses in order to understand the nuances of the law. In short, the checklist provides a conceptual framework and the basic principles to guide compliance personnel. In complex cases, compliance personnel should consult a more comprehensive source. The best way to use the guide is as follows. In all instances, consult Sections I and II first. Begin with Section I to determine whether the regulations even apply to the alleged confidentiality violation. For example, was the alleged breach by a "program" and about a "patient" as those terms are defined in the regulations? Second, consult Section II to determine whether a "disclosure" of patient-identifying information was made. Only after concluding that the regulations apply (Section I) and that a disclosure of patient-identifying information was made (Section II), will one need to consult Sections III-V to determine whether the disclosure was authorized under the regulations. Sections III: A–I cover nearly all of the rules (sometimes called "exceptions") that authorize AOD programs to disclose patient-identifying information. Compliance personnel first should consult those rules that most likely apply. If a rule applies, one need not go further. The communication was legal under the regulations. If a rule does not apply, consult other rules to see if they apply. Section III does not cover absolutely every rule in the regulations. For example, it omits discussion of the rules about reporting vital statistics (§ 2.15(b)) and central registries for methadone and detoxification programs (§ 2.34). Compliance personnel should consult the regulations directly for any rules not covered by this checklist. Section IV discusses search and arrest warrants, which are related to the discussion in Section IV–I. The two sections should be read in tandem. Finally, Section V discusses the regulations as they apply to persons who are not formally part of an AOD program but who nevertheless are bound by the regulations because they received patient-identifying information from an AOD program in circumstances authorized by the regulations. Within each section and its subparts, there is a checklist that the user can follow to ascertain whether the disclosure complied with the law, followed by a summary of the rule. In using the guide, bear in mind that in addition to the Federal law, many States may have laws and regulations that govern the confidentiality of AOD information. Make sure that you are familiar with such State laws; this guide does not incorporate them. Most States also have laws governing the confidentiality of HIV-related information (HIV confidentiality is determined only by State law; there is no Federal HIV confidentiality law), as well as the confidentiality of mental health and medical records. This guide does not address those State laws. Thus, even if a disclosure complies with the Federal AOD confidentiality law, compliance personnel might also choose to determine whether the disclosure violates any State confidentiality laws (e.g., those pertaining to AOD, HIV, mental health, or medical records). For instances in which a State's confidentiality law (AOD or otherwise) is more restrictive than the Federal law, a program must follow the stricter State law. For example, if a program has disclosed a patient's HIV status after the patient has signed a consent form that is proper under the Federal AOD confidentiality law, compliance personnel must also determine whether the State imposes any additional requirements for disclosing HIV-related information (e.g., a special HIV consent form). For instances in which a State's confidentiality law or any other State law is less protective of confidentiality than the Federal law, however, the Federal law controls. For example, if a State law mandates a program to notify parents about certain conduct by minor patients, but the Federal regulations absolutely prohibit such disclosure, the program cannot make the disclosure; the Federal law controls. However, there is usually a way to disclose properly under the Federal law, for example, by obtaining patient consent or a court order that meets the Federal requirements. Accordingly, there is rarely an irreconcilable conflict with State law. In addition, under 45 C.F.R. Part 96.132(e), States that receive Federal block grant funding for AOD treatment services, are required to:
Checklist for Monitoring Alcohol and Other Drug Confidentiality ComplianceI. DOES 42 C.F.R. PART 2 APPLY?
Summary of the RuleThe Federal regulations only apply to "programs" as defined under the law (§ 2.11). "programs" are organizations or individual practitioners who:
Summary of the RuleEven if the alleged disclosure was made by a "program," the regulations only apply if the person whose confidentiality allegedly was breached was a "patient." A "patient." is anyone who has applied for or received a diagnostic examination or interview, counseling, treatment, or referral for treatment for AOD abuse from a program (§ 2.11). Applicants for such AOD services are covered by the regulations even if they fail to show for an initial appointment that they arranged or, having been interviewed or diagnosed, elect not to follow up or enter treatment. The regulations protect current, former, and deceased patients. II.WAS THERE A "DISCLOSURE" OF PATIENT-IDENTIFYING INFORMATION? Issue:Did the disclosure reveal "patient-identifying information?"
Summary of the RuleThe Federal regulations generally prohibit programs from disclosing "patient-identifying information." "Patient-identifying information" means any information that identifies a patient as (i) having applied for or received AOD-related services (diagnosis, treatment, counseling, or referral for treatment), or (ii) being an AOD abuser (§ 2.11, 2.12). By prohibiting "disclosures," the regulations do not merely refer to explicit statements, such as that a specified person is a patient or is an AOD abuser. Rather, the term "disclosure" includes implicit disclosures, such as the following:
III. IF THERE WAS A DISCLOSURE, WAS THERE PROPER AUTHORIZATION?
Issue: Was the disclosure authorized by a valid consent form?
If "no," go to question 11.
Summary of the RuleGenerally, a program may disclose any information about a patient if the patient authorizes the disclosure by signing a valid consent form ('§ 2.31, 2.33). A consent form under the Federal regulations is much more detailed than a general medical release. It must contain all of the following nine elements. If the form is missing even one of these elements, it is not valid:
Issue: Was the disclosure an authorized internal communication?
Summary of the RulePatient-identifying information may be disclosed within a program, or to an entity having direct administrative control over a program, if the recipient of the disclosure needs the information in connection with his or her duties arising out of the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment (§ 2.12(c)(3)). "Within the program" means within the organization or organizational unit that provides AOD-related services. Thus for entities that only provide AOD treatment in part, they may only share patient-identifying information within that part. For example, the staff of a detoxification unit within a hospital may share patient-identifying information with one another—and with hospital administrators with direct supervisory oversight for the program—where such sharing of information is needed to provide AOD-related services to the program's patients. The program may also share information, as necessary, with, for example, the hospital's recordkeeping or billing departments, because those administrative units are integral to the program's functioning. However, the program may not freely share patient-identifying information with other parts or units of the hospital (because they are not part of the "program" or an entity with direct administrative control over the program). Note, however, that such communications are possible with the patient's proper consent (see Section I.A). Anyone within or in direct administrative control of a program that receives patient-identifying information is bound by the confidentiality regulations and may not redisclose the information except as allowed by the regulations (§ 2.12(d)(2)(ii)).
Issue: Was the disclosure made pursuant to a qualified service organization agreement (QSOA)?
Summary of the RulePrograms may disclose patient-identifying information to a "qualified service organization" without the patient's consent (§ 2.12(c)(4)). A "qualified service organization" is a person or agency that provides services to the program, such as data processing, dosage preparation, laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional services that the program does not provide for itself. The department of health can also be a "service organization" if it provides health-related services to the program. Examples of such services include offering tests for HIV, tuberculosis, and sexually transmitted diseases; providing treatment for communicable diseases; or monitoring the patient's case to ensure that he or she is receiving treatment. Managed care companies can, in limited circumstances, also be "service organizations," provided they are providing a service, such as legal, medical, accounting, or laboratory services. For example, if individuals enrolled in a managed care program can receive AOD treatment from any certified AOD program, but must receive primary health care from the managed care provider's staff physicians, the managed care provider could be considered a "service organization"; it is rendering medical services. In order to receive patient-identifying information, the "service organization" must enter into a written agreement with the program in which it acknowledges that it is bound by the Federal confidentiality regulations, promises not to redisclose patient-identifying information to which it becomes privy, and promises to resist unauthorized efforts to gain access to any patient-identifying information in its possession (§ 2.11). Once the program and the outside agency have entered into this QSOA, the program may freely communicate information from patient records to the "qualified service organization," but only that information that is specified in the QSOA and that is needed by the organization to provide services to the program. Although AOD programs may enter into QSOAs with a variety of outside organizations, they are not permitted—according to a legal opinion of the DHHS—to enter into them with one another (unless the services offered by one of the programs does not pertain to AOD-related services) or with law enforcement agencies. A program is not required to inform its patients of the QSOAs to which it is a party.
Issue: Was the disclosure made properly in a medical emergency?
Summary of the RuleEven without consent, patient-identifying information may be disclosed to medical personnel in a medical emergency (§ 2.51). A medical emergency is a situation that poses an immediate threat to the health of any individual (it need not be the patient) and requires immediate medical intervention. Typical examples of a medical emergency include a suicide threat, a drug overdose, or a patient with active and infectious tuberculosis who is not taking his or her medications. This rule permits the program to release patient-identifying information to medical personnel who need the information to treat the medical condition. The program may not use the medical emergency rule to contact family members or the police. When releasing information pursuant to a medical emergency, programs must document the disclosure in the patient's record, setting forth the name of the recipient and his or her affiliation with any health care facility, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency (§ 2.51(c)).
Issue: Was the disclosure made in response to a crime on program premises or against program personnel?
Summary of the RuleThe regulations permit a program to release patient-identifying information to the police if a patient commits or threatens to commit a crime either (i) on the premises (against anyone) or (ii) against program staff anywhere. When reporting such a crime, in addition to the particulars of the crime, the program may give the police the patient's name, address, and last known whereabouts. The program may not release to the police the names of other patients who were victims or witnesses to the crime without those patients' prior written consent. This rule does not authorize disclosure of a patient's confession to a past crime unless the crime was on the program premises or against program personnel.
Issue: Was the disclosure authorized by the child abuse reporting rule?
Summary of the RuleIn 1987, the regulations were amended to permit AOD programs to comply with State laws requiring people in certain positions or occupations to report cases of suspected child abuse or neglect. Accordingly, the regulations "do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities" (§ 2.12(c)(6)). Under this rule, program staff may make reports to local child abuse hotlines and even confirm the reports in writing. However, the program's disclosures must stop there. The regulations continue "to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect." This means that although a program may make State-mandated child abuse reports, patient files must be withheld from child protection agencies absent patient consent or a court order.
Issue: Was the disclosure authorized under the research rule?
Summary of the ruleA program may allow a researcher to have access to its patients' records under the following circumstances: First, the program director must determine (i) that the researcher is qualified, (ii) that the researcher has a protocol under which the security of patient records is assured (per § 2.16), and (iii) that patient-identifying information will not be redisclosed. In addition, the researcher must provide a written statement that three or more independent evaluators have reviewed the research protocol and determined that the rights and welfare of the patients concerned will be adequately protected and that the potential benefits of the research outweigh the risks to patient confidentiality (§ 2.52(a)). If a researcher satisfies the above standard, the researcher may proceed but is barred from redisclosing patient-identifying information except back to the program itself. No report may identify any individual patient (§ 2.52(b)).
Issue: Was the disclosure authorized under the audit and evaluation rule?
Summary of the RuleGovernment agencies that fund or regulate a program, private persons that provide financial assistance or third-party payments to a program, peer-review organizations that perform utilization or quality control review, and persons whom the program director determines are "qualified" may have access to program records for audits or evaluations of the program (§ .53). Examples of such funding or oversight agencies include Government agencies that administer the Medicaid program and that contract with AOD programs, insurance and managed care companies, and State agencies that license and regulate AOD programs. Any person or organization that conducts an audit or evaluation must agree in writing that it will redisclose patient-identifying information only (i) back to the program, or (ii) to a Government agency that is overseeing a Medicare or Medicaid audit or evaluation. Such person or organization also must agree in writing to use the information only for the audit or evaluation or pursuant to a court order to investigate or prosecute the program (not a patient) (§ 2.53(c) and (d)). The agencies listed in the first paragraph above also may copy or remove records, but only if they agree in writing to (i) safeguard the confidentiality of patient-identifying information in accordance with the security requirements of § 2.16 of the regulations (or more stringent requirements), (ii) destroy all such information on completion of the audit or evaluation, (iii) redisclose patient-identifying information back to the program or to a Government agency that is overseeing a Medicaid or Medicare audit or evaluation, and (iv) not use the information except for purposes of the audit or evaluation or to investigate or prosecute criminal or other activities as authorized by a court order entered under § 2.66 (§ 2.53(b)-(d)). Thus a State regulatory agency could not obtain patient records pursuant to an audit and then store them permanently on a computer database. Any other person or organization determined by the program director to be "qualified" and that pledges in writing to observe the restrictions on redisclosure and use that are specified two paragraphs above may also inspect patient records for audit or evaluation purpose without consent. Only the agencies listed in the first paragraph, however, may copy or remove records.
Issue: Was the disclosure made in response to a valid court order?
Summary of the RuleA Federal, State, or local court may authorize a program to make a disclosure of patient-identifying information. A court may issue such an order, however, only after following certain procedures and making certain determinations specified in the regulations (§ 2.63-2.67). A subpoena, search warrant, or arrest warrant, even when it is signed by a judge, is not sufficient, by itself, to require or even permit a program to make a disclosure (§ 2.61). For guidance on how to respond to search and arrest warrants, see Section IV. When faced with a subpoena, a program may contact the patient referenced in the subpoena and seek the patient's consent to release the subpoenaed information. Alternatively, a program may contact the party that issued the subpoena and attempt to persuade the party to seek a proper court order. If that fails, the program could move to quash the subpoena. With respect to court orders, the applicant for the court order must follow certain procedures, such as using a fictitious name, like John Doe, to refer to any patient (unless the patient has consented to the use of his or her real name). In addition, the applicant generally must give the program and the patient "adequate notice" of an opportunity to file a written response to the application or appear in person for the limited purpose of responding to the application (§ 2.64(a) and (b)). If the court order was requested in order to criminally investigate or prosecute a patient, however, the patient need not receive notice. (§ 2.65) Likewise, if the court order was requested in order to criminally prosecute or investigate the program, the program need not receive notice (§ 2.66). This checklist is limited to those requirements for which AOD programs can properly be held accountable (i.e., the program made no disclosure until and unless a court ordered it to do so under the Federal regulations, and the program only disclosed the information listed in the court order). (The AOD program and its lawyer also are responsible for properly filing a request for a court order if the program initiates the application.) AOD programs cannot be held accountable for procedural or substantive errors made by a court, prosecuting attorney, and so on. This is not to suggest, however, that the program should not take steps to ensure that a third party who seeks a court order has followed the proper procedures, such as providing proper notice and holding a hearing with respect to whether the disclosure should be made. Furthermore, the program and/or the patient concerned could file an appeal if the court issued the order improperly. IV. RESPONDING TO SEARCH AND ARREST WARRANTS Issue: Did the AOD program respond appropriately to a search or arrest warrant?
Summary of the RuleAs discussed in Section III.I, neither a search warrant nor an arrest warrant, in and of itself, constitutes the type of court order authorized under the regulations. Consequently, programs may not disclose patient-identifying information in response to such warrants. On the other hand, the regulations do not require a program to forcibly resist a law enforcement officer who insists on entry. The DHHS has ruled that when faced with an arrest or search warrant without a valid court order, programs generally should:
If all of the above fail, programs should not forcibly resist. They may permit the law enforcement officials to enter, but they should not point out the patient sought in the arrest warrant or the records sought in the search warrant. V. DISCLOSURES BY THIRD PARTIES Issue: Did a third party who received patient-identifying information from an AOD program redisclose it without authorization? Third-Party Payers
Entities With Administrative Control Over Programs
Consent
QSOAs
Research
Audit and Evaluation
Summary of the RuleAs discussed in Sections III.A, C, G, and H, third parties who receive patient-identifying information from AOD programs pursuant to consent forms, QSOAs, or the research or audit and evaluation rules are generally prohibited from redisclosing it. This section will not repeat the details regarding redisclosure under these rules (see Summary of the Rule for Sections III.A, C, G, and H). In addition, the regulations require third-party payers who receive patient-identifying information from programs to comply with the regulations, regardless of whether they received a notice prohibiting redisclosure (§ 2.12(d)(2)(i)). Likewise, entities with direct administrative control over programs, which receive information from programs pursuant to the internal communications' exception (see Section III.B), must abide by the disclosure restrictions in the regulations (§ 2.12(d)(2)(ii). Note, however, that the prohibitions against redisclosing information obtained from an AOD program apply to the information actually received from the AOD program and not from the patient. For example, if a third party receives patient-identifying information from an AOD program, and the patient self-discloses the identical information to the third party, the third party can redisclose the information. This is because the third party is not redisclosing information it received pursuant to the consent form or QSOA, but rather, information it received from the patient.
Appendix A—The Confidentiality Law (42 U.S.C. § 290dd-2)This statute, which Congress enacted in 1992, consolidates and replaces (without substantive change) the two separate but identical laws Congress originally enacted to govern the confidentiality of alcohol abuse patient records (previously codified as 42 U.S.C. § 290dd-3) and drug abuse patient records (previously codified as 42 U.S.C. § 290ee-3). (The text of those laws, now replaced by this 1992 statute, is set out in § 2.1 of the confidentiality regulations that are reprinted in the following pages.) The term "substance abuse" in the current law refers to both alcohol and drug abuse. The regulations themselves were not revised as a result of Congress' 1992 consolidation but were revised slightly in 1995. The revised regulations appear on page 30. § 290dd-2: Confidentiality of Records(a) Requirement Records of the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e) of this section, be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b) of this section. (b) Permitted disclosure
The content of any record referred to in subsection (a) of this section may be disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed under regulations prescribed pursuant to subsection (g) of this section.
Whether or not the patient, with respect to whom any given record referred to in subsection (a) of this section is maintained, gives written consent, the content of such record may be disclosed as follows:
(c) Use of records in criminal proceedings Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no record referred to in subsection (a) of this section may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. (d) Application The prohibitions of this section continue to apply to records concerning any individual who has been a patient, irrespective of whether or when such individual ceases to be a patient. (e) Nonapplicability The prohibitions of this section do not apply to any interchange of records—
The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. (f) Penalties Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined in accordance with Title 18. (g) Regulations Except as provided in subsection (h) of this section, the Secretary shall prescribe regulations to carry out the purposes of this section. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection (b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. (h) Application to Department of Veterans Affairs The Secretary of Veterans Affairs, acting through the Under Secretary for Health, shall, to the maximum feasible extent consistent with their responsibilities under Title 38, prescribe regulations making applicable the regulations prescribed by the Secretary of Health and Human Services under subsection (g) of this section to records maintained in connection with the provision of hospital care, nursing home care, domiciliary care, and medical services under such Title 38 to veterans suffering from substance abuse. In prescribing and implementing regulations pursuant to this subsection, the Secretary of Veterans Affairs shall, from time to time, consult with the Secretary of Health and Human Services in order to achieve the maximum possible coordination of the regulations, and the implementation thereof, which they each prescribe. 1995 RevisionsFederal Register, Vol. 60, No. 87, May 5, 1995 In § 2.11, the definition of Program is revised to read as follows: § 2.11 Definitions. Program means:
Section 2.12(e)(1) is amended by adding the following sentence at the end to read as follows: § 2.12 Applicability. (e) * * * (1) * * * However, these regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of alcohol or drug abuse diagnosis, treatment, or referral and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services. Subpart A— Introduction[42 C.F.R. Subpart A, § 2.1B2.5, as of May 9, 1996] § 2.1 Statutory authority for confidentiality of drug abuse patient records. The restrictions of these regulations upon the disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3. The amended statutory authority is set forth below: § 290EE-3. CONFIDENTIALITY OF PATIENT RECORDS. (a) Disclosure authorization Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any drug abuse prevention function conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e) of this section, be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b) of this section. (b) Purposes and circumstances of disclosure affecting consenting patient and patient regardless of consent (1) The content of any record referred to in subsection (a) of this section may be disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed under regulations prescribed pursuant to subsection (g) of this section. (2) Whether or not the patient, with respect to whom any given record referred to in subsection (a) of this section is maintained, gives his written consent, the content of such record may be disclosed as follows: (A) To medical personnel to the extent necessary to meet a bona fide medical emergency. (B) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner. (C) If authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician–patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure. (c) Prohibition against use of record in making criminal charges or investigation of patient Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no record referred to in subsection (a) of this section may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. (d) Continuing prohibition against disclosure irrespective of status as patient The prohibitions of this section continue to apply to records concerning any individual who has been a patient, irrespective of whether or when he ceases to be a patient. (e) Armed Forces and Veterans' Administration; interchange of records; report of suspected child abuse and neglect to State or local authorities The prohibitions of this section do not apply to any interchange of records— (1) within the Armed Forces or within those components of the Veterans' Administration furnishing health care to veterans, or (2) between such components and the Armed Forces. The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. (f) Penalty for first and subsequent offenses Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense. (g) Regulations; interagency consultations; definitions, safeguards, and procedures, including procedures and criteria for issuance and scope of orders Except as provided in subsection (h) of this section, the Secretary, after consultation with the Administrator of Veterans' Affairs and the heads of other Federal departments and agencies substantially affected thereby, shall prescribe regulations to carry out the purposes of this section. These regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection (b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. (Subsection (h) was superseded by section 111(c)(3) of Pub. L. 94-581. The responsibility of the Administrator of Veterans' Affairs to write regulations to provide for confidentiality of drug abuse patient records under Title 38 was moved from 21 U.S.C. 1175 to 38 U.S.C. 4134.) § 2.2 Statutory authority for confidentiality of alcohol abuse patient records. The restrictions of these regulations upon the disclosure and use of alcohol abuse patient records were initially authorized by section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 4582). The section as amended was transferred by Pub. L. 98-24 to section 523 of the Public Health Service Act which is codified at 42 U.S.C. 290dd-3. The amended statutory authority is set forth below: § 290DD-3.CONFIDENTIALITY OF PATIENT RECORDS. (a) Disclosure authorization Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e) of this section, be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b) of this section. (b) Purposes and circumstances of disclosure affecting consenting patient and patient regardless of consent (1) The content of any record referred to in subsection (a) of this section may be disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed under regulations prescribed pursuant to subsection (g) of this section. (2) Whether or not the patient, with respect to whom any given record referred to in subsection (a) of this section is maintained, gives his written consent, the content of such record may be disclosed as follows: (A) To medical personnel to the extent necessary to meet a bona fide medical emergency. (B) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner. (C) If authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician–patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure. (c) Prohibition against use of record in making criminal charges or investigation of patient Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no record referred to in subsection (a) of this section may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. (d) Continuing prohibition against disclosure irrespective of status as patient The prohibitions of this section continue to apply to records concerning any individual who has been a patient, irrespective of whether or when he ceases to be a patient. (e) Armed Forces and Veterans' Administration; interchange of record of suspected child abuse and neglect to State or local authorities The prohibitions of this section do not apply to any interchange of records— (1) within the Armed Forces or within those components of the Veterans' Administration furnishing health care to veterans, or (2) between such components and the Armed Forces. The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. (f) Penalty for first and subsequent offenses Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense. (g) Regulations of Secretary; definitions, safeguards, and procedures, including procedures and criteria for issuance and scope of orders Except as provided in subsection (h) of this section, the Secretary shall prescribe regulations to carry out the purposes of this section. These regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection(b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. (Subsection (h) was superseded by section 111(c)(4) of Pub. L. 94-581. The responsibility of the Administrator of Veterans' Affairs to write regulations to provide for confidentiality of alcohol abuse patient records under Title 38 was moved from 42 U.S.C. 4582 to 38 U.S.C. 4134.) § 2.3Purpose and effect. (a) Purpose. Under the statutory provisions quoted in § § 2.1 and 2.2, these regulations impose restrictions upon the disclosure and use of alcohol and drug abuse patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program. The regulations specify: (1) Definitions, applicability, and general restrictions in Subpart B (definitions applicable to § 2.34 only appear in that section); (2) Disclosures which may be made with written patient consent and the form of the written consent in Subpart C; (3) Disclosures which may be made without written patient consent or an authorizing court order in Subpart D; and (4) Disclosures and uses of patient records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders in Subpart E. (b) Effect. (1) These regulations prohibit the disclosure and use of patient records unless certain circumstances exist. If any circumstances exists under which disclosure is permitted, that circumstance acts to remove the prohibition on disclosure but it does not compel disclosure. Thus, the regulations do not require disclosure under any circumstances. (2) These regulations are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to insure that an alcohol or drug abuse patient in a federally assisted alcohol or drug abuse program is not made more vulnerable by reason of the availability of his or her patient record than an individual who has an alcohol or drug problem and who does not seek treatment. (3) Because there is a criminal penalty (a fine—see 42 U.S.C. 290ee-3(f), 42 U.S.C. 290dd-3(f) and 42 C.F.R. § 2.4) for violating the regulations, they are to be construed strictly in favor of the potential violator in the same manner as a criminal statute (see M. Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)). § 2.4 Criminal penalty for violation. Under 42 U.S.C. 290ee-3(f) and 42 U.S.C. 290dd-3(f), any person who violates any provision of those statutes or these regulations shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense. § 2.5 Reports of violations. (a) The report of any violation of these regulations may be directed to the United States Attorney for the judicial district in which the violation occurs. (b) The report of any violation of these regulations by a methadone program may be directed to the Regional Offices of the Food and Drug Administration. Subpart B—General Provisions[42 C.F.R. Subpart B, § 2.11B2.67, as of May 9, 1996] § 2.11 Definitions. For purposes of these regulations: Alcohol abuse means the use of an alcoholic beverage which impairs the physical, mental, emotional, or social well-being of the user. Drug abuse means the use of a psychoactive substance for other than medicinal purposes which impairs the physical, mental, emotional, or social well-being of the user. Diagnosis means any reference to an individual's alcohol or drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral for treatment. Disclose or disclosure means a communication of patient-identifying information, the affirmative verification of another person's communication of patient-identifying information, or the communication of any information from the record of a patient who has been identified. Informant means an individual: Patient means any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol or drug abuser in order to determine that individual's eligibility to participate in a program. Patient-identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a program, if that number does not consist of, or contain numbers (such as a social security, or driver's license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the program. Person means an individual, partnership, corporation, Federal, State or local government agency, or any other legal entity. Program means: Program director means: Qualified service organization means a person which: (1) Acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by these regulations; and (2) If necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations. Records means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program. Third party payer means a person who pays, or agrees to pay, for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of his family or on the basis of the patient's eligibility for Federal, State, or local governmental benefits. Treatment means the management and care of a patient suffering from alcohol or drug abuse, a condition which is identified as having been caused by that abuse, or both, in order to reduce or eliminate the adverse effects upon the patient. Undercover agent means an officer of any Federal, State, or local law enforcement agency who enrolls in or becomes an employee of a program for the purpose of investigating a suspected violation of law or who pursues that purpose after enrolling or becoming employed for other purposes. [52 FR 21809, June 9, 1987, as amended at 60 FR 22297, May 5, 1995] DAILY C.F.R. (TM) Note 60 FR 22296, No. 87, May 5, 1995 SUMMARY: The Department published a notice of proposed rulemaking in the Federal Register at 59 FR 42561 (August 18, 1994) with corresponding corrections at 59 FR 45063 (August 31, 1994), which proposed a clarification to the "Confidentiality of Alcohol and Drug Abuse Patient Records" regulations codified at 42 C.F.R. part 2. Specifically, the Department proposed to clarify that, as to general medical care facilities, these regulations cover only specialized individuals or units in such facilities that hold themselves out as providing and provide alcohol or drug abuse diagnosis, treatment or referral for treatment and which are federally assisted, directly or indirectly. The Secretary has considered the comments received during the comment period, and is amending the regulations. EFFECTIVE DATE: June 5, 1995. § 2.12 Applicability. (a) General—(1) Restrictions on disclosure. The restrictions on disclosure in these regulations apply to any information, whether or not recorded, which: (i) Would identify a patient as an alcohol or drug abuser either directly, by reference to other publicly available information, or through verification of such an identification by another person; and (ii) Is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972, or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (or if obtained before the pertinent date, is maintained by a federally assisted alcohol or drug abuse program after that date as part of an ongoing treatment episode which extends past that date) for the purpose of treating alcohol or drug abuse, making a diagnosis for that treatment, or making a referral for that treatment. (2) Restriction on use. The restriction on use of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290ee-3(c), 42 U.S.C. 290dd-3(c)) applies to any information, whether or not recorded which is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972, or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (or if obtained before the pertinent date, is maintained by a federally assisted alcohol or drug abuse program after that date as part of an ongoing treatment episode which extends past that date), for the purpose of treating alcohol or drug abuse, making a diagnosis for the treatment, or making a referral for the treatment. (b) Federal assistance. An alcohol abuse or drug abuse program is considered to be federally assisted if: (1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (c)(2) of this section relating to the Veterans' Administration and the Armed Forces); (2) It is being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including but not limited to: (i) Certification of provider status under the Medicare program; (ii) Authorization to conduct methadone maintenance treatment (see 21 C.F.R. 291.505); or (iii) Registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of alcohol or drug abuse; (3) It is supported by funds provided by any department or agency of the United States by being: (i) A recipient of Federal financial assistance in any form, including financial assistance which does not directly pay for the alcohol or drug abuse diagnosis, treatment, or referral activities; or (ii) Conducted by a State or local government unit which, through general or special revenue sharing or other forms of assistance, receives Federal funds which could be (but are not necessarily) spent for the alcohol or drug abuse program; or (4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program. (c) Exceptions—(1) Veterans' Administration. These regulations do not apply to information on alcohol and drug abuse patients maintained in connection with the Veterans' Administration provisions of hospital care, nursing home care, domiciliary care, and medical services under Title 38, United States Code. Those records are governed by 38 U.S.C. 4132 and regulations issued under that authority by the Administrator of Veterans' Affairs. (2) Armed Forces. These regulations apply to any information described in paragraph (a) of this section which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except: (i) Any interchange of that information within the Armed Forces; and (ii) Any interchange of that information between the Armed Forces and those components of the Veterans Administration furnishing health care to veterans. (3) Communication within a program or between a program and an entity having direct administrative control over that program. The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug abuse if the communications are (i) Within a program or (ii) Between a program and an entity that has direct administrative control over the program. (4) Qualified Service Organizations. The restrictions on disclosure in these regulations do not apply to communications between a program and a qualified service organization of information needed by the organization to provide services to the program. (5) Crimes on program premises or against program personnel. The restrictions on disclosure and use in these regulations do not apply to communications from program personnel to law enforcement officers which— (i) Are directly related to a patient's commission of a crime on the premises of the program or against program personnel or to a threat to commit such a crime; and (ii) Are limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts. (6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in these regulations do not apply to the reporting under State law of incidents of suspected child abus |