Confidentiality
As It Applies to 42 CFR Part 2
Introduction
The purpose of this training is to provide basic information
and an overview of the complex and important area involving
drug and alcohol abuse treatment records.
The Federal Statutes 42 CFR Part 2 will be discussed with
emphasis on confidentiality and consent to disclose
information, and sanctions and penalties for unauthorized
disclosure.
The Federal Statutes of HIPAA will also be discussed as to
the role they play in Substance Abuse Treatment Records
and how they apply to the statutes of 42 CFR Part 2.
Applicability
Who is covered?
Drug/alcohol treatment and prevention programs that
are Federally assisted must follow 42 Code of Federal
Regulations (CFR) Part 2.
Applies to records in the possession of “other lawful
holders of patient-identifying information” (e.g.,
individuals or entities who receive such records
pursuant to a Part 2-compliant patient consent).
Lawful Holder
• A “lawful holder” of patient-identifying Part 2
information is an individual or entity who has
received such information as the result of a Part 2-compliant
patient consent (along with a notice of
prohibition on re-disclosure) or as a result of one of
Part 2’s limited exceptions to the consent
requirements.
First Program Definition
What is a program? Three definitions…
First definition
• Individual or entity, other than general medical
facility, that holds itself out as providing, and does
provide, drug/alcohol diagnosis, treatment, or referral
for treatment…
Second Program Definition
What is a program? Three definitions (continued)
Second definition
• An identified unit within a general medical facility that
holds itself out as providing, and does provide,
drug/alcohol diagnosis, treatment, or referral for
treatment…
• Further, if the provisions of such services are
identified as a primary function of medical personnel
or the general staff in the general medical facilities,
they are considered a “Program,” and are therefore
subject to the rules and regulations in Part 2.
Third Program Definition
What is a program? Three definitions (continued)
Third Definition
• Medical personnel or other staff, in a general medical
care facility, whose primary function is the provision
of drug/alcohol diagnosis, treatment, or referral for
treatment, and who are identified as such.
SAMHSA FAQ
What does “holds itself out” mean?
• The law does not define the term.
• SAMHSA has established the definition of “holds
itself out” as any activity that would lead one to
reasonably conclude that the individual or entity
provides substance use disorder diagnosis,
treatment, or referral for treatment, including but not
limited to:
• Authorization by the state or federal government (e.g. licensed,
certified, registered) to provide, and provides, such services,
• Advertisements, notices, or statements relative to such services, or
• Consultation activities relative to such services
Federally Assisted
When is a program federally assisted?
• Receives Federal funds in any form (even if
not used for drug/alcohol services), or
• Is authorized, licensed, certified, registered
by the Federal government, such as:
• Assisted by IRS by grant of tax-exempt status
• Has DEA registration to dispense controlled
substances to treat drug/alcohol abuse
• Is authorized to provide methadone treatment
• Is certified to receive Medicaid or Medicare
reimbursement
Who Is a Patient
Patient means any individual who has applied for or
been given diagnosis or treatment for alcohol or drug
abuse at a federally assisted program and includes any
individual who, after arrest on a criminal charge, is
identified as an alcohol or drug abuser in order to
determine that individual’s eligibility to participate in a
program.
Patient Rights
Patients must be given a written summary
of confidentiality provisions and notice
that federal law and regulations protect
the confidentiality of alcohol and drug
abuse patient records.
Patient-Identifying Information
• Patient-identifying information means the
name, address, social security number,
fingerprints, photographs, or other similar
information by which the identity of a Patient
can be determined with reasonable accuracy
and speed, either directly or by reference to
other publicly available information.
• Neither written nor unrecorded Patient
information, such as verbal statements, may
be disclosed.
Patient Access to Records
• No consent or authorization is required for access
• Also subject to restriction on use, § 2.23(b)
42 CFR PART 2
The General Rule Prohibiting
Disclosure
• Except under certain specified conditions, the regulations prohibit
the disclosure of records or other information concerning any Patient
in a federally assisted alcohol or drug program. §§ 2.13(b), 2.20.
• This prohibition on unauthorized disclosure applies whether or not
the person seeking information already has the information, has
other means of obtaining it, enjoys official status, has obtained a
subpoena or warrant, or is authorized by state law. §§ 2.13(b),
2.20.
• If a program receives a request for a disclosure of an individual’s
records that is not permitted by the regulations, it must refuse to
make the disclosure, and must be sure to do so in a way that does
not reveal that the individual has ever been diagnosed or treated for
an alcohol or drug problem.
Nine Exceptions to the Non-Disclosure
Rule
1. No Patient-identifying information
2. Internal Communications
3. Proper Consent
4. QSOA
5. Crime on Program Premises or against program personnel
anywhere
6. Research/Audit
7. Court Order
8. Medical Emergency
9. Reporting suspected child abuse or neglect
No Patient-Identifying Information
The Federal regulations permit programs to
disclose information about a Patient if the
program reveals no Patient-identifying
information. Thus, a program may disclose
information about a Patient if that information
does not identify the Patient as a substance
abuser or does not verify anyone else's
identification of the Patient as a substance
abuser.
Internal Communications
Program staff may share information about a Patient with other
staff when necessary to provide a treatment related service.
This information should be given to other staff members on a
need-to-know basis.
For example: A Patient informs his counselor that he has a liver
disease. The counselor can inform the supervisor, the nurse, and
the social worker but not the receptionist or janitor.
A Patient informs her counselor that she has had suicidal thoughts.
The counselor can then relate this information to the supervisor,
social worker, nurse, and even the janitor and receptionist, so that
all staff can properly monitor the Patient.
Proper Format for ROIs
A proper consent form must be in writing and must contain each of the
items specified in § 2.31:
• The name or general designation of the program(s) making the disclosure;
• The name of the individual or organization that will receive the disclosure;
• The name of the Patient who is the subject of the disclosure;
• The purpose or need for the disclosure;
• How much and what kind of information will be disclosed;
• A statement that the Patient may revoke the consent at any time, except to
the extent that the program has already acted in reliance on it;
• The date, event or condition upon which the consent expires if not
previously revoked;
• The signature of the Patient (and/or other authorized person);
• The date on which the consent is signed.
A general medical release form, or any consent form that does not
contain all of the elements listed above, is not acceptable!
Recent Regulatory Changes
To Whom Consent Requirements
(§2.31)
The patient must include certain language in
the “To Whom” section of the consent form in
order for the general disclosure to be valid.
SAMHSA also clarified in the new rule that if a
patient uses a general designation listing “my
treating providers” without specifying whether
the designated providers are “past, current,
and/or future,” it should be presumed the
patient intended to only designate “current”
treating providers.
To Whom (cont.)
Further, if the program designated is part of a
general medical facility, the modifications to Part 2
permit the patient to designate the entire entity so
long as a list of information to be disclosed is
included on the consent form.
For example, a patient may provide general
disclosure to an entity that does not have a
treating provider relationship, such as a Health
Information Exchange (HIE) in order to permit
disclosure to those participants in the HIE that do
have a treating provider relationship with the
patient.
Amount and Kind Consent
Requirements (§2.31)
The Amount and Kind of information to be
disclosed and the purpose of the disclosure
was revised to require more specificity.
The revision requires the SUD information
disclosed be explicitly described.
This is so patients know exactly what they are
signing, and so patients may consent only to
the disclosure of subsets of information.
Amount and Kind (cont.)
These include “diagnostic information,
medications and dosages, lab tests, allergies,
substance use history summaries, trauma
history summary, elements of a medical record
such as clinical notes and discharge summary,
employment information, living situation and
social supports, and claims/encounter data.”
For example, “all of my records” is an
insufficient description, while “all of my
substance use disorder records” is sufficient.
Additional HIPAA Elements
• Be written in plain language and signed and
dated
• State what, if any, conditions are placed on the
individual in exchange for signing the
authorization
• State whether the discloser of information will
receive compensation in exchange for
disclosure
• State that individual can receive a copy of the
authorization
Disclosure Tracking §2.13(d):
• Because the final rule permits patients to include a general
disclosure designation (described above), revisions require
Part 2 programs to provide to patients, upon request, a list of
entities to whom their information has been disclosed.
• The request must be in writing (paper or electronic), and is
limited to disclosures within the past two years. Entities named
on the request must respond within 30 days with
a brief description of each disclosure. There is no given
timeframe for compliance with this rule; however, entities
must be able to provide a list of disclosures upon request in
order to have the option of disclosing information outlined in
the general designation on a consent form.
Revoking Consent
• Most disclosures are permissible if a Patient has signed
a valid consent form which has not expired or been
revoked by the Patient (§ 2.13). If authorized by the
Patient’s valid consent, a disclosure is permitted even if
it may not be in the Patient’s best interests. The
regulations set up the Patient as the final arbiter of
disclosures in most situations.
• If a Patient puts in writing or verbalizes that he or she
wants to revoke consent, you must do the following two
things:
1. Log the revocation in the progress notes of the chart;
2. Make a notation on the consent and place it in the Patient’s
chart.
Criminal Justice System (CJS)
Referrals
• As for the revocability of the consent, the regulations
provide that the consent form can state that it cannot
be revoked until a certain specified date or condition
occurs. The regulations permit the CJS consent form
to be irrevocable so that an individual who has
agreed to enter treatment in lieu of prosecution or
punishment cannot then prevent the court or
probation, parole or other agency from monitoring his
or her progress.
Criminal Justice System (2)
• Note that although a CJS consent may be made
irrevocable for a specified period of time, its
irrevocability must end no later than the final
disposition of the criminal proceeding. Thereafter, the
Patient may freely revoke consent. § 2.35(c).
Prohibition on Re-disclosure
• SAMHSA clarifies the prohibition on re-disclosure
only applies to information that would identify, either
directly or indirectly, a person as having been
diagnosed, treated or referred for treatment for a
SUD.
• Essentially, when the patient consents to having
information released to a particular individual, the
individual receiving the information may not re-disclose
it to a third party.
Prohibition on Re-disclosure (2)
• For example, if a person receives substance use
treatment from a Part 2 program, and receives
treatment for another condition such as heart
murmurs, the patient’s record would include
information unrelated to SUD (i.e., heart murmurs).
Section K does not prohibit re-disclosure of the
information related to the heart murmurs so long as it
does not include information that would identify the
patient as having or having had a SUD.
Prohibition on Re-disclosure (3)
This information has been disclosed to you from records protected
by federal confidentiality rules (42 CFR part 2). The federal rules
prohibit you from making any further disclosure of information in this
record that identifies a patient as having or having had a substance
use disorder either directly, by reference to publicly available
information, or through verification of such identification by another
person unless further disclosure is expressly permitted by the written
consent of the individual whose information is being disclosed or as
otherwise permitted by 42 CFR part 2. A general authorization for
the release of medical or other information is not sufficient for this
purpose (see § 2.31). The federal rules restrict any use of the
information to investigate or prosecute with regard to a crime any
patient with a substance use disorder, except as provided at §§
2.12(c)(5) and 2.65.
Minimum Necessary
• Patient-identifying information may only be
used or disclosed as permitted by the
regulations and must be limited to that
information which is necessary to carry out
the purpose of the disclosure.
• In addition, disclosures made pursuant to a
court order must be limited to the criminal or
non-criminal purposes stated in the court
order and the regulations.
Accounting of Disclosures
• Permits the patient to obtain a list of entities that
received their information in the previous two years
under a general designation consent.
• Patient requests must be made in writing.
• The response would need to include the name of the
recipient entity, the date of the disclosure, and a brief
description of the information disclosed.
• The entity must respond in 30 or fewer days
following the receipt of the written request.
Qualified Service Organization Agreement
If a program routinely needs to share certain information
with an outside agency that provides services to the
program, it can enter into a QSOA.
A QSOA is a written agreement between a program and a
person providing services to the program in which that
person (1) acknowledges that in receiving, storing,
processing, or otherwise dealing with any Patient records
from the program, he or she is fully bound by [the Federal
confidentiality] regulations; and (2) promises that, if
necessary, he or she will resist in judicial proceedings any
efforts to obtain access to Patient records except as
permitted by these regulations (§§2.11, 2.12[c][4]).
Qualified Service Organization (2)
A Qualified Service Organization (QSO) now
includes entities that provide population health
management to a Part 2 program, meaning
relevant patient information may be shared
with third-party vendors supporting population
health initiatives without patient consent.
Crimes on Premises
Alcohol and drug programs may disclose Patient-identifying
information to the police or other law enforcement agencies
when a Patient commits or threatens to commit a crime on
program premises (against anyone) or against program
personnel anywhere.
The program can make this disclosure of patient-identifying
information to police or other law enforcement officers but
not to anyone else.
The police report must be limited to the:
1. Particulars of the crime
2. Patient’s name
3. Patient’s address
4. Patient’s last known whereabouts
Research
• Programs may disclose patient-identifying
information to qualified researchers if they follow the
protocols required by the federal regulations.
• These protocols include pledging not to re-disclose
patient-identifying information except back to the
program.
• For more information on disclosures to researchers
see § 2.52 of the regulations.
Subpoenas and Court Orders
A subpoena alone is not sufficient to release
information — a court order is also required
and must be issued by a judge in accordance
with specific procedures and criteria.
Requirements of Court Orders
The requirements under the federal regulations
for a court order are as follows:
1. Notice to Patient and program.
2. Opportunity to be heard.
3. Fictitious name.
4. Confidential proceedings.
5. Good cause.
Search and Arrest Warrants
Neither a search warrant nor an arrest warrant without a court order obtained
in accordance with 42 CFR Part 2 is sufficient to authorize an alcohol or drug
program to disclose any Patient-identifying information.
When a police officer or other law enforcement officer arrives at the program
with a search warrant or arrest warrant, program personnel should:
• Produce a copy of the federal regulations
• Explain that the program may not cooperate without a valid court order
obtained in accordance with 42 CFR Part 2.
• If at all possible, seek an attorney’s assistance in the matter.
• Contact the commanding officer and prosecuting attorney and explain the
federal regulations.
• Do not forcibly resist a police officer’s attempt to enter the program.
Medical Emergencies
• An alcohol or drug program may disclose any
necessary information:
• To medical personnel only (not family members) who need the
information in order to treat a condition which poses an
immediate threat to the health of any individual, and which
requires immediate medical intervention. No consent is
required.
• Medical personnel may re-disclose patient-identifying
information to family members and others without patient
consent.
Medical Emergency (2)
• Programs must document every disclosure
made in a medical emergency by recording:
• Name of individual who made the disclosure
• Name and affiliation of the recipient of the
disclosure
• Date and time of the disclosure, and
• Nature of the emergency.
Medical Emergency (3)
• “Medical Emergency” definition in §2.51 now
gives providers more discretion to define the
existence of a “bona fide medical emergency.”
• Patient-identifying information may be
disclosed to medical personnel to the extent
necessary to meet a bona fide medical
emergency, in which the patient’s prior
informed consent cannot be obtained.
Child Abuse/Neglect Reporting
• Specific exception allows reporting of child
abuse/neglect
• Restrictions on disclosure and use continue
to apply to the original alcohol and drug
abuse patient records maintained by the
program including their disclosure or use for
criminal or civil proceedings which may arise
out of the report
Public Health Authorities and
Disease Reporting
• No specific exemption for reporting: need consent or a
court order, or can report if done anonymously. State
law will dictate mandatory reporting.
• Can disclose to FDA if there is an error in manufacturing, e.g.,
labeling or sale of a drug used in treatment, for the exclusive
purpose of notifying Patients and their physicians of
potential dangers.
Enforcement, Compliance, and
Penalties
• Under 42 U.S.C. 290dd–2(f), any
person who violates any provision
of this section or any regulation
issued pursuant to this section
shall be fined in accordance with
Title 18 of the U.S. Code
Form of Documents (§2.16)
• 42 CFR Part 2 now applies to both paper and
electronic documentation.
• The provisions include formal policies and
procedures addressing security, including electronic
file destruction of associated media.
• A program subject to 42 CFR Part 2 must have
established formal policies and procedures for the
security of both electronic and paper records.
Form of Documents (2)
• Generally, the text and preamble of 42 CFR Part 2
make it clear the responsibility of explaining patients’
rights falls on the treatment program. Therefore,
programs should be advised to review and/or make
changes to the following:
• consent documents
• prohibition on re-disclosure statements
• QSO categorization
• security policies and procedures (including those regarding
permitted disclosures)
• general contractual documentation.
Security
• The Final Rule creates more detailed requirements
for protecting the security of records.
• Specifically, Part 2 now requires that both Part 2
programs and lawful holders have established formal
policies and procedures for the security of both paper
and electronic records.
• The new security requirements align more closely
with those of the HIPAA Security Rule.
Enforcement, Compliance and
Penalties
(a) The report of any violation of the regulations in this part
may be directed to the United States Attorney for the
judicial district in which the violation occurs.
(b) The report of any violation of the regulations in this part
by an opioid treatment program may be directed to the
United States Attorney for the judicial district in which the
violation occurs as well as to the Substance Abuse and
Mental Health Services Administration (SAMHSA) office
responsible for opioid treatment program oversight