A Delicate Balance: Behavioral Health, Patient Privacy, and the Need to Know

California HealthCare Foundation
Issue Brief, March 2008

Introduction

Finding the right balance among health care quality, patient safety, and health information privacy is a major policy challenge. No health issue better illustrates this challenge than the use and disclosure of personal information about mental illness and substance use disorders in electronic health information systems.

Knowing about a patient’s history of mental illness or substance use disorders, and their past treatment, is vital to proper and safe care. Sharing information on diagnosis, treatment, and care plans can help promote a more comprehensive picture of a patient’s needs and reduce the risk of medical error.

But disclosing or sharing personally identifiable data about mental illness and substance use disorders, even when done for entirely appropriate reasons, carries significant risks. Misuse or inappropriate disclosure could lead to the loss of a patient’s job or occupational licensing; raise barriers to health, disability, or life insurance coverage; and even result in criminal prosecution.

This issue brief explores federal and state laws governing health information privacy as they relate to treatment for mental illness and substance use disorders, focusing on privacy and the sharing of information in treatment contexts. Three scenarios illustrate some of the challenges of finding the correct balance between privacy and disclosure. The brief concludes with three recommendations that could reduce the risks of misuse of information or inappropriate disclosure while promoting patient safety and health care quality.

Overview

The Social and Legal Tradition of Protecting Health Information

Privacy is an article of faith for Americans. Concern about privacy protection dates to the nation’s founding. Privacy is a tenet of the common law, the very bedrock of the American legal system. Indeed, the U.S. Constitution guarantees “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures….”1 Federal regulations promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule recognize this core constitutional right:

By referring to the need for security of “persons” as well as “papers and effects” the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of “persons” is consistent with obtaining patient consent before performing invasive medical procedures. The need for security in “papers and effects” underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere.2

There has been a longstanding debate over whether certain types of health information records deserve greater legal protection than others. Unauthorized disclosure of sensitive health information about mental illness, substance use disorders, or genetic traits can cause enormous harm, including social stigma, employment discrimination, insurance discrimination, and, for addictions, possible criminal prosecution, job termination, forfeiture of legal protections such as protection under the Americans with Disabilities Act, or the right to receive disability benefits. Fear of unauthorized disclosure of sensitive health information can create a strong disincentive for someone to seek treatment. Advocates point out that punishing unwarranted disclosures after they occur provides little relief because the damage already has occurred and the penalties are weak.

Accordingly, state and federal laws generally provide a higher degree of protection for personal mental health information — especially information relating to a substance use disorder — than for other personal health information. Unlike HIPAA, the predominant privacy law governing personal health information, these laws typically require the individual’s specific written consent before any such information can be disclosed.

The Special Status Accorded Mental Illness and Substance Use Disorder Information

HIPAA and the Privacy Rule

The enactment of HIPAA coincided with the explosive growth of electronic health information technology.3 Converting from paper medical records to electronic health records is a national health policy priority articulated in presidential executive orders and legal and payment reforms aimed at spurring technology adoption, such as compensation incentives for physicians. Policies to promote health information technology are driven by the belief that electronic health records will improve patient safety and health care quality while lowering costs.

HIPAA is a legal framework for the handling of individually identifiable health information that reconciles the need for broad information exchange with the need for individual privacy. It provides a federal floor for privacy protection while preserving more stringent state laws. HIPAA does not displace other federal laws; separate, more protective federal privacy standards for records with personally identifiable information about mental illness and substance use disorders must be considered in tandem with HIPAA.

The Privacy Rule applies to covered health care entities, which can include health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form for administrative purposes.4 The rule protects individually identifiable health information — called “protected health information” — held by those entities. It recognizes that other federal and state privacy and confidentiality laws accord greater protection to certain types of health information and leaves those laws undisturbed.

In general, the Privacy Rule permits the use and disclosure of protected health information for treatment, payment, and health care operations without an individual’s written permission. In recognition of professional traditions and ethical obligations, the rule permits covered entities to obtain written permission and consent to use and disclose health information for these core purposes, in accordance with their own privacy policies.5 Thus, the Privacy Rule establishes a “general consent” standard that allows health professionals who treat patients to share, at their discretion, patient information with other such professionals or providers without getting specific written consent.

Although not required to do so, professionals who treat patients may ask them to share protected health information. The Privacy Rule does not require any specific forms or procedures when obtaining consent; instead, the rule imposes a “minimum necessary” standard. This means that in disclosing protected health information, covered entities must limit their disclosures to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.6 However, the “minimum necessary” rule does not apply to requests for or disclosures of protected health information for treatment purposes, in which case providers can share any protected health information in the patient’s medical record.

In addition, the Privacy Rule allows covered entities to use and disclose protected health information for a number of “permissive” purposes without an individual’s written consent. These include national priorities such as health care oversight, public health, research, and law enforcement, and disclosure required by other laws.7 This approach allows health care professionals to continue many of their existing privacy practices as long as their policies and practices are explained to patients in advance and in writing.

Beyond treatment, payment, and health care operations, or outside of the permissive exceptions noted above, the Privacy Rule requires that entities obtain written authorization from patients before using or disclosing protected health information. Authorizations must meet specific content and format requirements.

A special authorization rule in HIPAA regulates psychotherapy notes. In this single instance, HIPAA accords greater protection to a specific type of information than it does to other forms of personal health information, in deference to longstanding legal and policy concerns and professional custom.

HIPAA is enforced by the Office for Civil Rights in the U.S. Department of Health and Human Services. The office ensures compliance, investigates reported violations, and imposes civil monetary penalties.8 Since 2003, it has received approximately 32,000 complaints, investigated about 8,000 of them, and achieved corrective action in about 5,400 cases (68 percent).9 The office has not assessed any civil fines to date. HIPAA does not include a private right of action that would enable persons to sue covered entities to halt disclosures or to recover damages for injuries arising from such.

HIPAA is widely viewed as a national code of conduct for health professionals regarding protected health information. While it leaves much discretion to professionals, it also holds them accountable for certain disclosures that require patient authorization.

HIPAA’s Relationship to State Law

The Privacy Rule essentially establishes a road map for reconciling differences between HIPAA and state law. HIPAA generally preempts state laws that are contrary to it — that is, when complying with both state and federal requirements would be impossible or when provisions of the state law would impede compliance with the Privacy Rule.10 However, because HIPAA expressly permits covered entities to make disclosures “as required” by other laws,11 state laws that mandate disclosures are not deemed contrary to HIPAA and thus do not conflict with it.

HIPAA also specifies that its standards do not supersede a contrary provision of state law if the provision imposes substantive or procedural requirements or standards that are more stringent or more protective than HIPAA’s standards.12 State laws that accord greater privacy protections are considered more stringent than HIPAA.

HIPAA does not preempt state laws that govern the reporting of various types of information, including but not limited to disease, injury, child abuse, public health surveillance, investigation, or intervention.13 It does not interfere with provisions of state law that require a health plan to report or to provide access to information for management, financial audits, and certain other limited purposes.14

HIPAA’s Relationship to Other Federal Laws

In addition to HIPAA, several federal laws directly govern the disclosure of mental illness and substance use disorder information. Table 1 (on the following page) compares these laws, which are discussed in greater detail.

Table 1. Consent Requirements in Key Federal Laws for Disclosure of Individually Identifiable Information

Privacy Law or Regulation | Type of Patient Authorization or Consent Necessary for Use or Disclosure
HIPAA Privacy Rule | No consent necessary for disclosure of information regarding treatment, payment, or health care operations
42 C.F.R. Part 2, Federal Confidentiality of Alcohol and Drug Abuse Patient Records | Specific consent necessary for disclosure, including for treatment, payment, or health care operations
Family Education Rights and Privacy Act (FERPA) | Specific consent necessary for disclosure of educational records for medical purposes
Medicaid Law | Unclear — no specific federal ruling or official interpretation in the wake of HIPAA

The Federal Confidentiality of Alcohol and Drug Abuse Patient Records law, otherwise known as “Part 2,” has the most profound impact on the sharing of personal health information related to mental illness or substance use disorders. It reflects congressional concern about the stigma associated with, and the legal implications of, seeking alcohol and drug treatment,15 creating a virtual shield against the disclosure of personal health information pertaining to alcohol- and substance-related conditions and treatment. This law has important implications for the electronic exchange of data that includes mental illness and substance use disorder information.

With certain conditions and exceptions, Part 2 strictly prohibits the disclosure and use of drug and alcohol records maintained in connection with any federally assisted alcohol and drug program.16 Disclosure in this instance means “a communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a patient who has been identified.”17 Patient identifying information includes names, addresses, Social Security numbers, fingerprints, photographs, or “similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”18 Criminal penalties for violations include a fine of up to $500 for the first offense and up to $5,000 for each subsequent offense.19

Part 2 is stringent, prohibiting disclosure of any information that could directly or indirectly identify an individual as a drug or alcohol patient.20,21 And it broadly defines “programs” and “patients.” Programs are:

- Individuals, entities (other than general medical care facilities), or identified units within such facilities that provide or claim to provide alcohol or drug abuse diagnosis, treatment, or referral for treatment.
- Medical personnel or other staff in general medical care facilities whose primary function is to provide alcohol or drug abuse diagnosis, treatment, or referral for treatment, and who are identified as such providers.22

A patient is “any individual who has applied for or been given a diagnosis or treatment for alcohol or drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol or drug abuser in order to determine eligibility to participate in a program.”23 All permissible disclosures are limited to “that information which is necessary to carry out the purpose of the disclosure.”24

Nearly all disclosures under Part 2 require specific patient consent, and the content and format of consent must meet the federal standards. In contrast, the HIPAA Privacy Rule does not require any consent to disclose protected health information for purposes of treatment, payment, or health care operations; providers who elect to obtain consent may do so using a general consent form. Thus, the “specific consent” content and format mandated by Part 2 set a far higher bar than HIPAA does.

Part 2’s restrictions on disclosure allow certain exceptions. Among these are communications within a program or between a program and an entity that has direct administrative control over that program, and communications between a program and a qualified service organization. Disclosures without patient consent also are acceptable in certain limited circumstances, including medical emergencies, research activities, and audit or evaluation activities.25 Re-disclosures — that is, secondary disclosures stemming from an initial one — are prohibited unless they are back to the program from which the information was obtained.26

FERPA

The Family Educational Rights and Privacy Act of 1974 protects the privacy of student education records.27,28 FERPA:

- Gives parents and students the right to access student records, and protects the privacy of those records by preventing unauthorized third-party access.29
- Prohibits the release of educational records without parental consent or, in the case of students age 18 or older or attending college, without the student’s consent.30
- Applies to all public or private educational agencies that receive federal education funding.31

The range of information that is considered protected under FERPA is broad and can include information related to the treatment of a specific student for substance use disorders or mental illness.

Although FERPA protects health records maintained by educational agencies, such as school-based clinics, it permits certain disclosures regarding substance use disorders and mental illness unless disclosure is prohibited under more stringent and protective state law. It also cites circumstances in which disclosures without consent are allowed.

Accordingly, FERPA is similar to HIPAA, requiring written consent for certain disclosures but allowing certain others to be made without consent. Of specific interest in this issue brief is the requirement that parental or, when appropriate, student consent be obtained to release educational records involving medical treatment.

Records covered by FERPA are not subject to HIPAA because the latter’s definition of protected health information specifically excludes FERPA records.32 Thus, unlike HIPAA and Part 2, HIPAA and FERPA do not overlap. FERPA adds an extra layer to federal law governing health information and policy protections regarding the confidentiality of records.33

Medicaid Privacy Statute

Medicaid law contains privacy provisions dating from its enactment.34 Although the language in Medicaid’s privacy statute closely parallels the language in HIPAA, it has not been specifically interpreted since the HIPAA Privacy Rule was promulgated.

In general, state Medicaid programs require specific written consent to disclose personal health information. The U.S. Department of Health and Human Services has never issued a formal interpretation that would squarely align Medicaid privacy standards with the HIPAA Privacy Rule.

Federal Medicaid law requires state medical assistance plans to provide safeguards limiting the use and disclosure of specific information about applicants and recipients to purposes directly connected with administration of the plans.35 Under Medicaid regulations, such purposes include establishing eligibility, determining the proper amount of medical assistance, providing services for recipients, and conducting or assisting investigations, prosecutions, or legal proceedings related to plan administration.36,37

Other requirements include these:

- Medicaid plans must have criteria that specify the circumstances in which information about applicants and recipients can be released and used.38 The plans may share information only with entities whose confidentiality standards are as rigorous as the plans’ standards.39
- With certain exceptions and whenever possible, permission must be obtained from a family or individual before an agency can respond to an information request from an outside source.40
- Agencies must have data exchange agreements (similar to HIPAA business associate agreements) in place to exchange data with other agencies.41

Like HIPAA, the Medicaid statute provides a basic privacy standard and formal protocols for information disclosures. Unlike HIPAA, it does not appear to address patient consent to disclose personal health information for the purposes of treatment, payment, or health care operations; rather, like FERPA and Part 2, the Medicaid statute appears to rely on the more traditional approach of requiring specific patient consent to disclose personally identifiable information.

State Privacy Laws Governing Treatment for Mental Illness and Substance Use Disorders

As of 2002, all states but Arkansas, and the District of Columbia, had specific statutes related to some aspect of mental health privacy in one or more settings.42 In Improving the Quality of Health Care for Mental and Substance-Use Conditions, the Institute of Medicine categorizes state laws governing the privacy of mental health records into four types, depending on the setting in which the records are found: records in mental hospitals, those in mental health programs, records of patients involuntarily committed to mental institutions, and those of patients receiving mental health treatment of any kind in any setting.43 In addition, 36 states had laws governing information privacy related to substance use disorders.44 With the exception of West Virginia’s, all of the laws address the privileged legal status of provider/patient communications involving substance abuse or mental health information.

Many states enacted laws before HIPAA. These laws often do not use the same terms and nomenclature as those in the Privacy Rule.

How Federal and State Laws Would Apply in Three Scenarios

This issue brief underscores the tension between the general consent provisions in HIPAA and the specific consent requirements in other federal and state laws. Because of these crucial differences, the release of information about physical conditions for the purposes of patient safety and health care quality might be prohibited in cases involving mental illness and substance use disorders.

How does one reconcile the different standards, given the legal complexity of health information law related to treatment for mental illness and substance use disorders? To promote greater understanding of these issues, the authors, in consultation with experts in the field, have developed several scenarios to illustrate how current law would apply to the exchange of alcohol and substance use disorder information for the purposes of treatment, payment, and health care operations.

Scenario One
Release of Records for Medical Emergencies

A woman arrives unconscious in the emergency room after a car accident. She has multiple fractures, including a pelvic fracture, and requires surgery. The woman’s daughter explains to the emergency room physician that her mother has been prescribed a long-acting opiate antagonist to treat her alcohol dependence. If this is true, the woman may not respond to the normal course of analgesics and could be undertreated for pain caused by the fractures. The physician, who needs to know exactly what medication she has been taking and how recently it was administered, calls the substance abuse treatment program, which is not a part of the health system that houses the emergency room, to determine the dosage prescribed, other information regarding the prescribed timing of her medication, and her history of compliance with taking medications.

The patient is unconscious and in an emergency situation. Therefore, the stakes are high and time is of the essence. Under HIPAA, consent is not necessary for one physician to disclose protected health information to another in emergencies or, for that matter, in the normal course of treatment.45 Therefore, HIPAA would not bar disclosure.

If the substance abuse treatment program receives some form of federal funding, which is likely, Part 2 would apply. In medical emergencies, Part 2 allows patient identifying information to be disclosed without patient consent under certain conditions. Disclosures are permitted under 42 C.F.R. § 2.51(a) as follows:

- To medical personnel who need information about a patient; and
- To treat a condition that poses an immediate threat to an individual’s health and requires immediate medical intervention.

In this scenario, the substance abuse treatment program could legally disclose patient identifying information to medical personnel, such as the emergency room doctor in this scenario, who need certain information about the patient. The information would enable treatment of a condition that poses an immediate threat to the patient (the pain from multiple fractures) and requires immediate medical intervention. Only information necessary to carry out the purpose of the disclosure could be released.

Part 2 imposes an additional requirement in these circumstances: In the case of an unconscious patient or when time is of the essence, written documentation must be added to the patient record immediately after the disclosure.

Many state laws would also allow disclosures without consent because of the emergency. For example, California law permits disclosure of information about treatment for alcohol and substance use disorders without the patient’s written consent to “meet a bona fide emergency.”46

Compared to other situations, it may be easier to understand and reconcile the different legal standards that apply in this scenario because at every step of the process, when a life is in the balance, overall policy typically favors disclosure to prevent adverse health consequences.

Scenario Two
Communications Relating to Quality Assessments or Outcome Evaluations

The medical director of a county-operated managed care organization wants to compare all of its network providers in terms of the outcomes of patients who have received treatment for mental illness and substance use disorders from them. He asks the providers to send copies of all such service records regarding visits that took place in the previous two years.

As noted earlier, HIPAA generally permits the use and disclosure of protected health information for treatment, payment, and health care operations without the patient’s consent. Disclosure for the purpose of health care quality assessment and utilization management may raise more complex issues. Quality assessment and improvement activities, including outcomes evaluation, are considered health care operations under HIPAA.47 Therefore, HIPAA would allow the network providers to share their records with the medical director for this purpose without having to obtain consent from each patient. The use of such information would be subject to the “minimum necessary” requirement. But as an entity subject to Part 2, the managed care organization would also be bound by Part 2 and any applicable state laws.

Arguably, the managed care organization has direct control of its provider network pursuant to contractual obligations. Therefore, the Part 2 operational exception would apply and so would the Part 2 audit and evaluation exception.48 Identifiable information regarding mental health services or substance abuse treatment may be disclosed to persons performing the audit or evaluation on behalf of the following people and organizations:

- Government agencies that provide financial assistance to, or regulate, a program;
- Private entities that provide financial assistance, or third-party premium payments, to a program;
- Quality improvement or peer review organizations that perform a utilization or quality control review; and
- A person the program director determines is qualified to conduct an audit or evaluation.49

However, if the physical and behavioral health care were furnished through separate corporate structures, such as a managed care organization and a managed behavioral health organization, the latter could not disclose data to the managed care organization without the specific consent of the patients under its care. In this situation, the overall management of multiple health conditions, as well as utilization review and quality assurance activities, might be significantly impaired.

Part 2 provisions governing the need for specific consent would also prevent a primary care provider from obtaining patient-specific information from a provider specializing in mental illness or addiction treatment, unless the latter was part of the same health care entity that furnished the primary care, such as a community health center with an addiction treatment program.

Scenario Three
Sharing Information About Multiple Disorders and Diagnoses Without Patient Consent

A patient who has alcoholism, diabetes, and depression sees a primary care physician in a community health center for diabetes treatment. During the appointment, the patient tells the doctor that she has begun attending a federally funded program for substance abuse treatment that is a wholly separate entity from the community health center. The doctor asks the treatment program to share the patient’s records so he can stay informed about the course of her alcoholism treatment and use the information to help treat her diabetes. The patient is very concerned about the privacy of her medical data and does not consent to have any part of her records shared. She is worried that her employer will learn about her health problems and fire her.

HIPAA would allow the exchange of medical information between the patient’s providers without her consent because it would be for the purpose of treatment. While the patient has the right under HIPAA to request that the providers not share information related to her mental illness and alcohol treatment, providers are not required to honor such requests.50

However, under Part 2, which is more stringent, the substance abuse treatment facility may not share information in the patient’s medical record with the primary care physician or any other provider without the patient’s consent. The circumstances in this scenario do not fit squarely into any of Part 2’s exceptions or instances in which it does not require consent.

Therefore, if the patient does not consent, the substance abuse treatment facility cannot share her medical record information or any personally identifiable information with her other doctors. This enables the patient to control access to her sensitive health information and may help alleviate her fear that her employer will obtain it. But she may not fully appreciate the fact that if various providers share such information, it might lead to better care, continuity of care, and holistic treatment.

If this scenario occurred in a state where privacy laws governing mental health information were more stringent than HIPAA and were drafted to be similar to Part 2, any information regarding mental illness or alcohol treatment could not be disclosed without the patient’s consent. If this scenario occurred in a state with less stringent laws, the HIPAA standard would apply to mental health information, and the Part 2 standard would apply to alcohol treatment information.

California’s law, for example, prohibits disclosure of any information regarding private outpatient treatment by a psychotherapist; its detailed consent requirements are more stringent than those in HIPAA and Part 2.51 The District of Columbia’s law allows patients who are receiving mental health services to voluntarily authorize the disclosure of their records as long as a specific written authorization is executed.52

In this more complex scenario, federal and state laws would require the patient’s consent before caregivers could share information beneficial to her treatment. But if she does not fully understand the risks and benefits of disclosure, she may not be able to make a truly informed decision regarding consent.

Discussion and Recommendations

This issue brief discusses how key differences in health information privacy standards can affect the manual or electronic sharing of personal information related to treatment for mental illness and substance use disorders. Information that the HIPAA Privacy Rule generally allows to be disclosed for treatment-related purposes is subject to far stricter specific consent standards under Part 2 and other federal and state laws.

The justification for this higher standard — avoidance of stigma, employment discrimination, and exposure to prosecution that could result if highly sensitive information is revealed — is as strong today as when these privacy protections were adopted. Furthermore, much more is now known about the importance of having access to complete and accurate information regarding patients’ medical conditions and history, prior treatment, and medications in order to provide safe, high-quality, and effective care.

To help reconcile the tension between full disclosure and patient privacy, the authors recommend three reforms that would improve communication between patients and physicians, and ensure that persons with mental illness or substance use disorders benefit from state-of-the-art information management.

Use Technology to Standardize a Specific-Consent System

The easy transfer of data using electronic data systems increases the potential for privacy violations. But the same technology can also improve the safety and quality of care, particularly for patients who have complex medical needs, because it makes more complete information about a patient’s condition and course of treatment more readily available.

Technological tools giving mental health and substance abuse patients a means of providing specific, secure consent to disclose sensitive personal information would foster an appropriate balance between technological benefits and privacy protections. Two examples of such tools are firewalls that could protect information that must be kept private under Part 2, and decision-support pop-ups in electronic data systems to help providers follow the necessary steps for obtaining consent.

Ensure That a Patient’s Decision to Withhold Information Is Truly Informed

Much of the focus in specific-consent statutes is on the importance of shielding information that is the subject of a specific consent. Far less attention has been paid to ensuring that patients undergoing treatment for mental illness or substance use disorders are truly informed when they decide to withhold information from other health professionals who treat them.

Fully informed consent hinges on patients’ thorough understanding of the risks and benefits associated with information sharing. Withholding consent when caregivers would use personal information only to assure treatment safety and quality carries significant risks. Specific-consent statutes can be overridden in medical emergencies, but an equally great concern may be situations in which important health information is withheld from a patient’s primary health care physician or specialist — especially diagnostic information or information about a particular course of therapy related to mental illness or addiction.

A crucial part of patient empowerment is patients’ full understanding of how the special privacy shield applies to their mental illness or addiction information. In addition, they must receive impartial and careful counseling about their rights regarding the sharing of such information in certain circumstances.

Strengthen Privacy Enforcement Tools

Patients may become more comfortable with information sharing if they know that penalties for violations of privacy laws are swift and serious. Remedies for unauthorized use of confidential information could include steep penalties, such as significant fines, exclusion from participation in federal or state health care programs, or suspension of licenses for health professionals who disclose information for any purpose other than that covered by a disclosure consent.

Conclusion

Mental health and substance use disorder treatment need not be excluded from the potential benefits and transformational power of technology-enabled health care. And a specific-consent standard need not be a barrier to technological innovation. Through operational design, a commitment to genuine informed consent, and provider accountability, it may be possible to reconcile the important goals of protecting the privacy of personal health information, and that of making such information more readily available for the critical purposes of improving the safety and quality of care for mental illness and substance use disorder patients.

Authors

J. Zoë Beckerman, J.D., M.P.H., associate, Feldesman Tucker Leifer Fidell LLP, Washington, D.C.
Joy Pritts, J.D., research associate professor, Health Policy Institute, Georgetown University, Washington, D.C.
Eric Goplerud, Ph.D., research professor, Department of Health Policy, The George Washington University School of Public Health and Health Services, Washington, D.C.
Jacqueline C. Leifer, J.D., partner, Feldesman Tucker Leifer Fidell LLP, Washington, D.C.
Phyllis A. Borzi, J.D., research professor, Department of Health Policy, The George Washington University School of Public Health Services, Washington, D.C.
Sara Rosenbaum, J.D., Hirsh Professor, Health Law and Policy, chair, Department of Health Policy, The George Washington University School of Public Health and Health Services, Washington, D.C.
David R. Anderson, M.G.A., senior research scientist, Department of Health Policy, The George Washington University School of Public Health and Health Services, Washington, D.C.

Acknowledgment

The authors would like to thank The Pew Charitable Trusts for their support of the research behind this brief and the journal article on which the brief is based.

15. Kamoie, B., and P. Borzi.
“A Crosswalk Between the Final HIPAA Privacy Rule and Existing Federal Substance The California HealthCare Foundation, based in Oakland, Abuse Confidentiality Requirements.” Double Issue Brief is an independent philanthropy committed to improving #18–19, Center for Health Services Research and Policy, California’s health care delivery and financing systems. The George Washington University School of Public Formed in 1996, our goal is to ensure that all Californians Health and Health Services (2001), at 17. have access to affordable, quality health care. For more information about the foundation, visit us online at 1 6. 42 C.F.R. §§§ 2.3(a), 2.12(b), and 2.12(c). www.chcf.org. 1 7. 42 C.F.R. § 2.11. 1 8. Ibid. Endnotes 1 9. 42 C.F.R. §§ 2.3 (b)(3) and 2.4. 1. U.S. Constitution, amend. 4. 2 0. 42 C.F.R. § 2.12(d). 2. Standards for Privacy of Individually Identifiable Health 2 1. Kamoie and Borzi, supra note 44, at 17. See also 42 Information, Final Rule, 65 Fed. Reg. 82,462 and 82,464 C.F.R. § 2.11 et seq. (December 28, 2000). See also Standards for Privacy of Individually Identifiable Health Information, Proposed 2 2. 42 C.F.R. § 2.11. This means that a physician in a Rule, 64 Fed. Reg. 59,918 and 60,008 (November 3, hospital emergency room who makes a drug use diagnosis 1999). occasionally would not be considered a “program” unless substance abuse diagnosis and treatment are his primary 3. Blumenthal, D., and J.P. Glaser. “Information technology functions and he is identified specifically as that type of comes to medicine.” New England Journal of Medicine provider. 2007;356(24): 2527–2534. 2 3. 42 C.F.R. § 2.11 4. 45 C.F.R. §§ 160.102(a) and 164.500. 2 4. 42 C.F.R. § 2.13(a). 5. 45 C.F.R. §§ 164.502(b) and 164.508. 2 5. 42 C.F.R. subpart D, “Disclosures without Patient 6. Ibid. Consent.” 7. 45 C.F.R. § 164.512. 2 6. 42 C.F.R. §§ 2.52(b) and 2.53(d). 8. 42 U.S.C. § 1320d-5. Penalties are more severe for 2 7. 20 U.S.C. § 1232g. 
wrongful disclosure: fines of not more than $50,000, imprisonment, or both. 2 8. Disability Rights Wisconsin, Inc., v. Wisconsin Department of Public Instruction, 463 F. 3d 719, 730 (7th Cir. 2006). 9. U.S. Department of Health and Human Services. Compliance and Enforcement: Numbers at a Glance 2 9. Kestenbaum v. Michigan State University, 294 N.W. Archive (www.hhs.gov/ocr/privacy/enforcement/ 2d 228, 231 (1980); 120 Cong. Rec. 39,858 and numbersglance.html). 39,862-39863 (Dec. 13, 1974); 121 Cong. Rec. 7974 (May 13, 1975); Rios v. Read, 73 F.R.D. 589, 597 1 0. 45 C.F.R. § 160.202. (E.D.N.Y. 1977); and Daggett, L. “Bucking up Buckley 1 1. 45 C.F.R. § 164.512(a). I: Making the Federal Student Records Statute work.” Catholic Law Review 1997;46: 617–670. 1 2. P.L. 104-191 § 264(c)(2). 3 0. 20 U.S.C. § 1232g(d). 1 3. 42 U.S.C. § 1130d-7(b) and 45 C.F.R. § 160.203(c). 3 1. 34 C.F.R. § 99.1. 1 4. 42 U.S.C. § 1130d-7(c) and 45 C.F.R. § 160.203(d). A Delicate Balance: Behavioral Health, Patient Privacy, and the Need to Know  |  11 3 2. See 65 Fed. Reg. 82,462 at 82,621 (December 28, 4 4. Choy, Emmart, and others. The State of Health Privacy, 2000) for the HIPAA preamble comments regarding the 2d edition. exclusion of FERPA records from HIPAA. 4 5. See 45 C.F.R. § 164.506(b), in which consent “may” be 3 3. The most current analysis of FERPA and HIPAA is a obtained, and § 164.506(c), in which a covered entity study of the Virginia Tech shootings and the care that may use or disclose protected health information for assailant Seung-Hui Cho received, the information that treatment (without consent). was disclosed or kept confidential, and the decisions that 4 6. California Health & Safety Code § 11845.5. his university and health care providers made throughout his college tenure; Virginia Tech Review Panel. The 4 7. 45 C.F.R. § 164.501. Virginia Tech Review Panel Report, August 2007 4 8. 42 C.F.R. § 2.12(c)(3). (www.vtreviewpanel.org/report/index.html). 
The panel cited the reach of HIPAA and FERPA, and 4 9. 42 C.F.R. § 2.53. how perceptions of these privacy laws plus fears 5 0. 45 C.F.R. § 164.522. about noncompliance often cause entities to default to nondisclosure, even when they can legally make 5 1. California Civil Code § 56.104(d). disclosures; Ibid. at 40. The secrecy shrouding Cho’s 5 2. D.C. Code Ann. §§ 7-1202.01 and 7-1202.02. care neither helped him get proper treatment nor helped integrate him into society. 3 4. 42 U.S.C. § 1396a(a)(7). 3 5. Ibid; 42 C.F.R. § 431.205. 3 6. 42 C.F.R. §§ 431.300 – 431.307. 3 7. 42 C.F.R. § 431.302. 3 8. 42 C.F.R. § 431.306(a). 3 9. 42 C.F.R. § 431.306(b). 4 0. 42 C.F.R. § 431.306(d). 4 1. 42 C.F.R. § 431.306(f ). 4 2. Pritts, J., A. Choy, L. Emmart, and others. The State of Health Privacy, 2d edition. Health Privacy Project. 2002 (www.healthprivacy.org/info-url_nocat2304/ info-url_nocat.htm, ihcrp.georgetown.edu/privacy/pdfs/ statereport1.pdf, and ihcrp.georgetown.edu/privacy/pdfs/ statereport2.pdf ). 4 3. Jost, T.S. “Constraints on Sharing Mental Health and Substance Use Treatment Information Imposed by Federal and State Medical Record Privacy Laws,” Appendix B in Improving the Quality of Health Care for Mental and Substance Use Conditions, supra note 6. 12  |  California HealthCare Foundation