Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance

I. DOES 42 C.F.R. PART 2 APPLY?

A. WAS THE ALLEGED DISCLOSURE MADE BY A "PROGRAM"?

Issue: Is the individual or entity that made the alleged disclosure a "program" covered by 42 C.F.R. Part 2?

1. Does the individual or entity that allegedly made the disclosure receive Federal financial assistance in any one of the following ways:

• direct Federal funding; Y__ N__

• is operated by the Federal Government or by a State or local government that receives funds that could be (but are not necessarily) spent for the alcohol and other drug (AOD) program; Y__ N__

• Federal block grants or other funds channeled through State or local
  government; Y__ N__

• licensure, certification, or registration by the Federal Government, for example: Y__N__

–authorization to conduct methadone maintenance treatment;

–certification for Medicare reimbursement; or

–authorization to dispense a substance under the Controlled Substances Act for use in treating AOD abuse.

• exemption from Federal taxation? Y__ N__

If the answer to any of the questions is "yes," go to question 2.

If the answer to all of the questions is "no," the individual or entity that allegedly made the disclosure is not a "program" as defined by the regualtions. Go to question 7 to determine whether the entity is otherwise bound by the regulations.

2. Was the alleged disclosure made by a general medical care facility or a unit of a general medical care facility? Y__ N__

If "yes," go to question 3.

If "no," go to question 6.

3. Does the general medical care facility (or unit of such facility) that allegedly made the disclosure hold itself out as providing and actually provide AOD abuse diagnosis, treatment, counseling, or referral for treatment? Y__ N__

If "yes," go to question 8.

If "no," go to question 4.

4. Was the alleged disclosure made by a staff member of a general medical care facility whose primary function is the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment? Y__ N__

If "yes," go to question 5.

If "no," the alleged disclosure was not made by a "program" as defined by the regulations. Go to question 7 to determine whether the regulations otherwise apply.

5. Is such staff member identified as having the primary function of providing AOD abuse diagnosis, counseling, treatment, or referral for treatment? Y__ N__

If "yes," go to question 8.

If "no," the individual who made the alleged disclosure is not a "program" as defined by the regulations. Go to question 7 to determine whether the individual is otherwise bound by the regulations.

6. Was the alleged disclosure made by an individual or entity that holds itself out as providing and does provide AOD abuse diagnosis, treatment, counseling, or referral for treatment? Y__N__

If "yes," go to question 8.

If "no," the individual or entity that made the alleged disclosure is not a "program" as defined by the regulations. Go to question 7 to determine whether the regulations otherwise apply.

7. Does State law, regulation, or licensing requirement bind the individual or entity to the standards of 42 C.F.R. Part 2? Y__ N__

If "yes," the individual or entity that allegedly made the disclosure should be considered a "program" bound by the regulations. Go to Section I.B.

If "no," see Section V to determine whether the individual or entity that allegedly made the disclosure is otherwise bound by the regulations because it received patient-identifying information from an AOD program.

8. Was the information that was allegedly disclosed maintained in connection with the Department of Veterans Affairs' provision of hospital care, nursing home care, domiciliary care and medical services under Title 38 of the U.S. Code? Y__ N__

If "yes," the regulations do not apply. Consult 38 U.S.C. 4132 and the regulations issued under that authority by the Secretary of Veterans Affairs.

If "no," go to question 9.

9. Was the information that was allegedly disclosed obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice? Y__ N__

If "yes," go to question 10.

If "no," the individual or entity that made the alleged disclosure is a "program." Go to Section I.B.

10. Was the alleged disclosure made within the Armed Forces or between the Armed Forces and those components of the Department of Veterans Affairs furnishing health care to veterans? Y__ N__

If "yes," stop here because the individual or entity that made the alleged disclosure is not a "program" under the regulations. The regulations do not apply.

If "no," the individual or entity that made the alleged disclosure is a "program." Go to Section I.B.

Summary of the Rule

The Federal regulations only apply to "programs" as defined under the law (§ 2.11). "programs" are organizations or individual practitioners who:

1. receive Federal assistance—Such assistance exists when the program is directly funded by the Federal Government, is operated by the Federal Government or by a State or local government that receives Federal funds that could be (but are not necessarily) spent for the AOD program, is registered or certified by the Federal Government (e.g., certified for Medicare reimbursement), receives Federal block grant or other funds through a State or local government, is licensed directly by the Federal Government (e.g., to dispense methadone), or is exempted from taxes under the Federal Internal Revenue Code (i.e., is a not-for-profit tax-exempt corporation); and
2. provide and hold themselves out as providing AOD diagnosis, counseling, treatment, or referral for treatment. The regulations apply to both free-standing programs and programs that are part of larger organizations, such as a detoxification unit within a general hospital, an AOD clinic within a county mental health department, an AOD unit within an employee assistance program or student assistance program, or an AOD program within a managed care program that provides direct medical services (§ 2.12(e)(1)).

   With respect to general medical care facilities, in addition to identified AOD units, the regulations apply to medical personnel or other staff whose primary function is the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment and who are identified as such (§ 2.11). The regulations do not apply, however, to hospital emergency room personnel unless their primary function is the provision of the AOD services listed in number 2 above and the person is identified as providing such services or the emergency room has promoted itself to the community as a provider of such services (§ 2.12).

   The regulations apply to all program employees, volunteers, student interns, former staff, and executive, administrative, clinical, and support personnel.

   The regulations do not apply to information on AOD patients maintained in connection with various Department of Veterans Affairs programs or to information maintained by the Armed Forces if the disclosures are within the Armed Forces or between the Armed Forces and the Department of Veterans Affairs (§ 2.12(c)(1)-(2)).

   Some States have enacted laws or regulations that require certain AOD facilities to adhere to the requirements of the Federal regulations even if they are not otherwise bound by them. Moreover, some third parties (entities that are not AOD programs) may become bound by the regulations if they receive patient-identifying information from an AOD program. See Section V for a discussion of such third parties.

B. DOES THE COMPLAINT PERTAIN TO A "PATIENT"?

Issue:Is the person whose confidentiality allegedly was breached a "patient." whose records are confidential under 42 C.F.R. Part 2?

1. Did the person whose confidentiality was allegedly breached ever apply for or receive from an AOD program any of the following:

• a diagnostic examination or interview?Y__N__

• treatment or counseling? or Y__N__

• referral for treatment? Y__ N__

If the answer to any of the questions is "yes," he or she is a "patient" protected by the regulations. Go to Section II.

If the answer to all of the questions is no, then he or she is not a "patient." Stop here because the regulations do not apply.

Summary of the Rule

Even if the alleged disclosure was made by a "program," the regulations only apply if the person whose confidentiality allegedly was breached was a "patient." A "patient." is anyone who has applied for or received a diagnostic examination or interview, counseling, treatment, or referral for treatment for AOD abuse from a program (§ 2.11).

Applicants for such AOD services are covered by the regulations even if they fail to show for an initial appointment that they arranged or, having been interviewed or diagnosed, elect not to follow up or enter treatment.

The regulations protect current, former, and deceased patients.

II.WAS THERE A "DISCLOSURE" OF PATIENT-IDENTIFYING INFORMATION?

Issue:Did the disclosure reveal "patient-identifying information?"

1. Did the person making the disclosure indicate that:

• he or she was from an AOD abuse program? or Y__ N__

• the person about whom the disclosure was made was an AOD abuser or had ever applied for or received diagnosis, treatment, counseling, or referral for
  treatment? Y__ N__

If the answer to both questions is "no," the program did not make a "disclosure" of patient identifying information. Stop here because there was no violation.

If the answer to either question is "yes," go to question 2.

2. Did the person making the disclosure state the name of the patient or reveal other information from which the patient could be identified? Y__ N__

If "yes," there was a "disclosure" of patient-identifying information. Go to Section III to determine whether the disclosure was authorized.

If "no," there was no "disclosure" of patient-identifying information. Stop here because there was no violation.

Summary of the Rule

The Federal regulations generally prohibit programs from disclosing "patient-identifying information." "Patient-identifying information" means any information that identifies a patient as (i) having applied for or received AOD-related services (diagnosis, treatment, counseling, or referral for treatment), or (ii) being an AOD abuser (§ 2.11, 2.12).

By prohibiting "disclosures," the regulations do not merely refer to explicit statements, such as that a specified person is a patient or is an AOD abuser. Rather, the term "disclosure" includes implicit disclosures, such as the following:

• allowing a receptionist to confirm that a particular person is a patient, even if the caller or visitor says that he or she is the patient's family member and knows the patient attends the program;

• sending a patient a letter in an envelope that suggests that the addressee may be a patient;

• faxing a letter revealing or suggesting patient status to the patient's workplace, on the program's stationary;

• faxing any patient-identifying information about a patient to the wrong fax number;

• leaving a telephone message revealing or suggesting patient status with a patient's roommate or on a patient's answering machine where another person may hear the message;

• disclosing the patient's name and the fact that the patient attended a program to a bill collection agency, attorney, or a small claims court;

• having a program counselor appear at a patient's workplace or home and revealing his or her relationship with the patient to someone else;

• disclosing descriptive or anecdotal material from which a patient's identity may be inferred (e.g., by referring to a patient as "the Mayor's daughter");

• producing and identifying a patient when the police arrive at the program with an arrest warrant, but without a valid court order; and

• permitting the police to have access to patient records, without first protesting, when the police arrive at the program with a search warrant, but without a valid court order.

The general prohibition against disclosing "patient-identifying information" does not mean that programs may never disclose their patients' names. If a program can disclose a patient's name, address, or even telephone number without indicating that the person has ever applied for or received AOD-related diagnosis, treatment or counseling, the program may do so without violating the Federal regulations. Such disclosures are possible primarily when the program is part of a larger organization, such as a general hospital, and, therefore, can use the name of the hospital when making the disclosure. Similarly, if a program has a physician who also maintains a separate office, the physician could make a disclosure about a patient without identifying the patient's participation in an AOD program. (In doing so, however, providers must be mindful not to violate State laws regarding doctor– or therapist–patient privilege.)

Another way to avoid disclosing patient-identifying information is to make a disclosure anonymously. Thus, if a patient threatened to harm his or her spouse, and a court order, consent form or other authorization under the regulations could not be feasibly used, the program could make an anonymous telephone call to the spouse or even the police. The program could disclose the patient's name but not the fact that the patient is in an AOD program. Again, the program should be careful not to violate any State laws regarding confidential communications between therapists and patients.

III. IF THERE WAS A DISCLOSURE, WAS THERE PROPER AUTHORIZATION?

A.CONSENT FORMS

Issue: Was the disclosure authorized by a valid consent form?

1. Did the consent form contain all the following nine required elements of 42 C.F.R. Part 2?

• patient's name? Y__ N__

• name of the program making the disclosure? Y__ N__

• recipient of the information? Y__ N__

• purpose of the disclosure? Y__ N__

• information to be released? Y__ N__

• revocation clause? Y__ N__

If "no," was the patient mandated into the program by the criminal justice system as a condition of the disposition of the patient's criminal proceeding? Y__ N__

If "yes," the consent can be irrevocable for the duration of the patient's criminal justice status (unless a State statute provides for an automatic expiration). Mark "O.K." in the "yes" blank next to "revocation clause," above. If "no," the consent must state that it is revocable. If it does not so state, check "no" in the blank next to "revocation clause," above.

• expiration date or condition? Y__ N__

• date the consent form is signed? Y__ N__

• signature of the actual patient (as opposed to the patient's parent or legal representative)?

If "yes" (meaning that you marked "yes" or "O.K." next to all of the nine elements), go to question 1-a.

If "no," (meaning that at least one "no," was checked next to the nine elements, without a corresponding "O.K."), go to question 2.

1. Is the patient a minor? Y__ N__

If "yes," go to question 8.

If "no," go to question 11.

2. Was any element missing from the consent form aside from the patient's signature? Y__ N__

If "yes," the consent form is not valid. Stop here or determine whether the disclosure was otherwise authorized.

If "no," go to question 3.

3. Has the patient been adjudicated incompetent? Y__ N__

If "yes," go to question 3-a.

If "no," go to question 4.

1. Is the form signed by the patient's guardian or other person authorized under state law to act on the patient's behalf? Y__ N__

If "yes," go to question 11.

If "no," the consent form is not valid. Stop here or determine whether the disclosure was otherwise authorized.

4. Is the patient deceased? Y__ N__

If "yes," go to question 4-a.

If "no," go to question 5.

1. Is the form signed by the executor or administrator of the patient's estate or other personal representative appointed under State law or, if none, then the patient's spouse or, if none, then by any responsible member of the patient's family? Y__ N__

If "yes," go to question 11.

If "no," the consent form is not valid. Stop here or determine whether the disclosure was otherwise authorized.

5. Is the patient is a minor? Y__ N__

If "yes," go to question 6.

If "no," the consent form is not valid. Stop here or determine whether the disclosure was otherwise authorized.

6. Was the disclosure made to the minor's parent, guardian, or other person authorized under State law to act on the minor's behalf? Y__ N__

If "yes," go to question 7.

If "no," the disclosure was not authorized under the consent rule. Stop here or determine whether the disclosure was otherwise authorized.

7. Is the patient a minor who was applying for services (as opposed to receiving services), and the program director determined that the minor applicant:

(a) lacked capacity to make rational decision on whether to consent to the disclosure and

(b)that the applicant's situation posed a substantial threat to the life or physical well-being of the applicant or any other individual that could be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under State law to act on the minor's behalf? Y__ N__

If "yes," the disclosure was authorized by the regulations because the minor's consent was not necessary.

If "no," the disclosure was not authorized under the consent rule because other than the narrow exception covered in this question, minors must always sign consent forms. Stop here or determine whether the disclosure was otherwise authorized.

8. Does the State require parental consent for treatment? Y__ N__

If "yes," go to question 9.

If "no," the consent form need only be signed by the minor. The disclosure was authorized under the consent rule.

9. Was the disclosure made to the minor's parent, guardian, or other person authorized under State law to act on the minor's behalf? Y__ N__

If "yes," the disclosure was authorized under the consent rule.

If "no," go to question 10.

10. Did the consent form also contain the signature of the parent, guardian, or other person authorized under State law to act on the minor's behalf? Y__ N__

If "yes," go to question 11.

If "no," the disclosure was not authorized under the consent rule. Stop here or determine whether the disclosure was otherwise authorized.

11. Does the person whose confidentiality was allegedly breached (or other signatories on the consent form) claim to have revoked his or her consent, either through an oral or written revocation? Y__ N__

If "yes," go to question 12.

If "no," go to question 15.

12. Was the patient mandated into treatment by the criminal justice system as a condition of the disposition of the patient's criminal proceeding? Y__ N__

If "yes," go to question 13.

If "no," go to question 14.

13. Does the consent form state that it is irrevocable for a specified period of time? Y__ N__

If "yes," any purported revocation was not valid. Go to question 15.

If "no," go to question 14.

14. Is there any written evidence of such revocation, for example, a notation to that effect on the consent form or elsewhere in the patient's record, or a letter written by the patient? Y__ N__

If "yes," and yet the disclosure was made, the disclosure did not fall under the "consent" rule. Stop here or determine whether the disclosure was otherwise authorized.

If "no," there should be further investigation to determine whether the patient in fact revoked his or her consent. If the investigation reveals that such revocation did occur, then the disclosure did not fall under the "consent" rule. Stop here or determine whether the disclosure was otherwise authorized. If the investigation reveals that there was no revocation, go to question 15.

15. Was any information on the consent form added or altered after the patient
    signed it? Y__ N__

If "yes," go to question 16.

If "no," go to question 17.

16. Did the patient initial or otherwise give written authorization for the additions or
    changes? Y__ N__

If "yes," go to question 17.

If "no," the consent form is not valid. Stop here or determine whether the disclosure was otherwise authorized.

17. Was the disclosure within the scope of the consent form? Y__ N__

If "yes," go to question 18.

If "no," the disclosure was not authorized by the consent rule. Stop here or determine whether the disclosure was otherwise authorized.

18. Was the disclosure followed by a notice prohibiting redisclosure? Y__ N__

If "yes," the disclosure was authorized by the consent rule.

If "no," the disclosure was not authorized by the consent rule. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the Rule

Generally, a program may disclose any information about a patient if the patient authorizes the disclosure by signing a valid consent form ('§ 2.31, 2.33). A consent form under the Federal regulations is much more detailed than a general medical release. It must contain all of the following nine elements. If the form is missing even one of these elements, it is not valid:

• the name of the patient;

• the name or general designation of the program making the disclosure;

• the recipient of the information;
  
  
  • Although the recipient should not be as general as an entire agency or department, it need not be as specific as the name of an individual. Instead, the consent form may describe the recipient's job title and/or job functions.
  
  
  • It is permissible to list more than one recipient on a single consent form and to authorize disclosures between and among all the parties listed. When doing such multiple-party consents, however, it is important that the "information" and "purpose" and all other elements of the form (see below) be the same for all of the authorized disclosures.

• the purpose of the disclosure;

The purpose should be narrowly described and should correspond with the information to be released. The purpose should never be as broad as "for all client care."

• the information to be released;

The information should be described as exactly and narrowly as possible in light of the purpose of the release. Releases for "any and all pertinent information" are not valid;

• that the patient understands that he or she may revoke the consent at any time—orally or in writing—except to the extent that action has been taken in reliance on it;
  
  
  • A consent for a patient referred by the criminal justice system, however, may be made irrevocable for a period of time (§ 2.35). (But note that some State statutes and regulations provide for the automatic expiration of such consents after 60 or 90 days.)
    
    
  • When a patient revokes a consent form, the program is advised to note the date of the revocation clearly on the consent form and to draw an X through the form.

• the date or condition upon which the consent expires, if it has not been revoked earlier;
  
  • Although the Federal regulations do not provide for any time limit on the validity of a consent form, some State laws provide for the automatic expiration of consents after a certain period of time.

• the date the consent form is signed; and

• the signature of the patient.
  
  
  • If the patient has died, the executor or administrator of the estate, or if there is none, the spouse or, if none, then any responsible member of the patient's family may sign (§ 2.15(b)(2)).
    
    
  • No consent is needed to disclose information relating to the cause of death to such agencies as are empowered to collect vital statistics or inquire into causes of death (§ 2.15(b)(1)).
    
    
  • If the patient is an adjudicated incompetent, a guardian or other person authorized by State law to act on the patient's behalf may sign (§ 2.15(a)(1)).
    
    
  • If the patient is a minor, the patient generally must sign the consent form—even if the disclosure is to the minor's parent.

    For example, if State law requires a program to obtain a parent's consent in order to treat a minor, the minor must sign a consent form authorizing the disclosure to the parent (§ 2.14(b)-(c)). The only exception is for minors who are applying for AOD services and yet lack the capacity to make a rational decision about whether to sign a consent form authorizing a disclosure that the program director determines is necessary to reduce a threat to the life or physical well-being of the applicant or anyone else (§ 2.14(d)).

    In addition to the minor's signature, the parent's or other legal guardian's signature is only required if State law requires parental authorization for treating a minor. If the State permits the minor to be treated without the legal guardian's authorization, the minor's signature alone may authorize a disclosure (§ 2.14(b)-(c)).

  • A client should never sign or be requested to sign a consent form before all of the blanks have been filled in.
    
    
  • If any changes are made to a consent form after a client signs it, the client should initial the changes when they are made to indicate that the patient understands and agrees to the changes.

    Whenever a disclosure is made pursuant to a consent, it must be accompanied by a written notice prohibiting redisclosure (§ 2.32). The written statement, which can be in the form of a separate sheet of paper or a rubber stamp on the disclosed document, warns the recipient that the information disclosed is protected by Federal law and may not be redisclosed except with the patient's consent or under other authorization. The language in the warning must be identical to that set forth in § 2.32 of the regulations. The prohibition on redisclosure notice must be sent to the recipient even if the disclosure was made orally.

    Copies of all consent forms should be kept in the patient's file.

B. INTERNAL COMMUNICATIONS

Issue: Was the disclosure an authorized internal communication?

1. Was the disclosure made to someone:

• within the program? or Y__ N__
  
  

• in an entity having direct administrative control over a program? Y__ N__

If the answer to either question is "yes," go to question 2.

If the answer to both questions is "no," the disclosure did not fall within the internal communications rule. Stop here or determine whether the disclosure was otherwise authorized.

2. Did the recipient need the information in connection with his or her duties arising out of the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment? Y__ N__

If "yes," the disclosure was authorized by the internal communications rule. (If the disclosure was made to an entity having direct administrative control over a program, see Section V to determine whether the administrative entity complied with the law.)

If "no," the disclosure did not fall within the internal communications rule. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the Rule

Patient-identifying information may be disclosed within a program, or to an entity having direct administrative control over a program, if the recipient of the disclosure needs the information in connection with his or her duties arising out of the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment (§ 2.12(c)(3)).

"Within the program" means within the organization or organizational unit that provides AOD-related services. Thus for entities that only provide AOD treatment in part, they may only share patient-identifying information within that part. For example, the staff of a detoxification unit within a hospital may share patient-identifying information with one another—and with hospital administrators with direct supervisory oversight for the program—where such sharing of information is needed to provide AOD-related services to the program's patients. The program may also share information, as necessary, with, for example, the hospital's recordkeeping or billing departments, because those administrative units are integral to the program's functioning. However, the program may not freely share patient-identifying information with other parts or units of the hospital (because they are not part of the "program" or an entity with direct administrative control over the program). Note, however, that such communications are possible with the patient's proper consent (see Section I.A).

Anyone within or in direct administrative control of a program that receives patient-identifying information is bound by the confidentiality regulations and may not redisclose the information except as allowed by the regulations (§ 2.12(d)(2)(ii)).

C. QUALIFIED SERVICE ORGANIZATION AGREEMENTS

Issue: Was the disclosure made pursuant to a qualified service organization agreement (QSOA)?

1. Was the alleged disclosure made to an entity (individual or agency) that provides services to the program (a "service organization")? Y__ N__

If "yes," go to question 2.

If "no," the disclosure did not fall within the QSOA rule. Stop here or determine whether the disclosure was otherwise authorized.

2. Did the outside service organization have a written agreement with the program (a "QSOA")? Y__ N__

If "yes," go to question 3.

If "no," the disclosure did not fall under the QSOA rule. Stop here or determine whether the disclosure was otherwise authorized.

3. Did the QSOA state that in receiving patient-identifying information, the qualified service organization:

• became bound by the Federal confidentiality regulations? and Y__ N__

• agreed to resist in judicial proceedings, if necessary, any unauthorized efforts to obtain access to patient records? Y__ N__

If the answer to both questions is "yes," go to question 4.

If the answer to either question is "no," the QSOA was not valid. Stop here or determine whether the disclosure was otherwise authorized.

4. Was the service organization that received the information also an AOD program? Y__ N__

If "yes," go to question 5.

If "no," the program's disclosure was authorized by the QSOA rule. (See Section V to determine whether the qualified service organization redisclosed the information in violation of the regulations.)

5. Did the service organization that is also an AOD program need the information to perform an AOD-related service? Y__ N__

If "yes," the QSOA was not proper, according to a legal opinion issued by the Department of Health and Human Services (DHHS). Stop here or determine whether the disclosure was otherwise authorized.

If "no," the program's disclosure was authorized by the QSOA rule. (See Section V to determine whether the qualified service organization redisclosed the information in violation of the regulations.)

Summary of the Rule

Programs may disclose patient-identifying information to a "qualified service organization" without the patient's consent (§ 2.12(c)(4)). A "qualified service organization" is a person or agency that provides services to the program, such as data processing, dosage preparation, laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional services that the program does not provide for itself.

The department of health can also be a "service organization" if it provides health-related services to the program. Examples of such services include offering tests for HIV, tuberculosis, and sexually transmitted diseases; providing treatment for communicable diseases; or monitoring the patient's case to ensure that he or she is receiving treatment. Managed care companies can, in limited circumstances, also be "service organizations," provided they are providing a service, such as legal, medical, accounting, or laboratory services. For example, if individuals enrolled in a managed care program can receive AOD treatment from any certified AOD program, but must receive primary health care from the managed care provider's staff physicians, the managed care provider could be considered a "service organization"; it is rendering medical services.

In order to receive patient-identifying information, the "service organization" must enter into a written agreement with the program in which it acknowledges that it is bound by the Federal confidentiality regulations, promises not to redisclose patient-identifying information to which it becomes privy, and promises to resist unauthorized efforts to gain access to any patient-identifying information in its possession (§ 2.11).

Once the program and the outside agency have entered into this QSOA, the program may freely communicate information from patient records to the "qualified service organization," but only that information that is specified in the QSOA and that is needed by the organization to provide services to the program.

Although AOD programs may enter into QSOAs with a variety of outside organizations, they are not permitted—according to a legal opinion of the DHHS—to enter into them with one another (unless the services offered by one of the programs does not pertain to AOD-related services) or with law enforcement agencies.

A program is not required to inform its patients of the QSOAs to which it is a party.

D.MEDICAL EMERGENCIES

Issue: Was the disclosure made properly in a medical emergency?

1. Was the alleged disclosure made:

• in response to an immediate threat to the health of any individual? Y__ N__

• because of the need for immediate medical intervention?Y__N__

• to medical personnel? and Y__N__

• to someone who needed the patient-identifying information to treat the medical emergency?Y__N__

If the answer to all of these questions is "yes," go to question 2.

If the answer to any of these questions is "no," the disclosure did not fall under the medical emergency rule. Stop here or determine whether the disclosure was otherwise authorized.

2. After making the disclosure, did the program document in the patient's record the name of the recipient and his or her affiliation with any health care facility, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency? Y__ N__

If "yes," the disclosure was proper under the medical emergency rule.

If "no," the disclosure did not fall under the medical emergency rule. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the Rule

Even without consent, patient-identifying information may be disclosed to medical personnel in a medical emergency (§ 2.51).

A medical emergency is a situation that poses an immediate threat to the health of any individual (it need not be the patient) and requires immediate medical intervention. Typical examples of a medical emergency include a suicide threat, a drug overdose, or a patient with active and infectious tuberculosis who is not taking his or her medications.

This rule permits the program to release patient-identifying information to medical personnel who need the information to treat the medical condition. The program may not use the medical emergency rule to contact family members or the police. When releasing information pursuant to a medical emergency, programs must document the disclosure in the patient's record, setting forth the name of the recipient and his or her affiliation with any health care facility, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency (§ 2.51(c)).

E.CRIMES ON PROGRAM PREMISES OR AGAINST PROGRAM PERSONNEL

Issue: Was the disclosure made in response to a crime on program premises or against program personnel?

1. Was the disclosure made in response to a crime or threatened crime:

• on the program premises (against anyone)? Y__ N__

• against program personnel (anywhere)? Y__ N__

If the answer to either question is "yes," go to question 2.

If the answer to both questions is "no," the disclosure did not fall under the crime on program premises or against program personnel rule. Stop here or determine whether the disclosure was otherwise authorized.

2. Was the disclosure limited to the circumstances of the incident, including the patient's name, address, last known whereabouts, and patient status? Y__ N__

If "yes," the disclosure was authorized by the rule.

If "no," the disclosure did not fall within the rule. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the Rule

The regulations permit a program to release patient-identifying information to the police if a patient commits or threatens to commit a crime either (i) on the premises (against anyone) or (ii) against program staff anywhere.

When reporting such a crime, in addition to the particulars of the crime, the program may give the police the patient's name, address, and last known whereabouts. The program may not release to the police the names of other patients who were victims or witnesses to the crime without those patients' prior written consent.

This rule does not authorize disclosure of a patient's confession to a past crime unless the crime was on the program premises or against program personnel.

F. MANDATED REPORTS OF CHILD ABUSE OR NEGLECT

Issue: Was the disclosure authorized by the child abuse reporting rule?

1. Was the disclosure required under the state's child abuse and neglect reporting law? Y__ N__

If "yes," go to question 2.

If "no," the disclosure did not fall under the child abuse reporting rule. Stop here or determine whether the disclosure was otherwise authorized.

2. Did the disclosure include only the initial report and/or a confirmation of that report? Y__ N__

If "yes," the disclosure was authorized by the child abuse reporting rule.

If "no," the disclosure was broader than that permitted under the child abuse reporting rule and, therefore, not permitted. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the Rule

In 1987, the regulations were amended to permit AOD programs to comply with State laws requiring people in certain positions or occupations to report cases of suspected child abuse or neglect. Accordingly, the regulations "do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities" (§ 2.12(c)(6)).

Under this rule, program staff may make reports to local child abuse hotlines and even confirm the reports in writing. However, the program's disclosures must stop there. The regulations continue "to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect." This means that although a program may make State-mandated child abuse reports, patient files must be withheld from child protection agencies absent patient consent or a court order.

G. RESEARCH

Issue: Was the disclosure authorized under the research rule?

1. Was the disclosure made to someone doing research? Y__ N__

If "yes," go to question 2.

If "no," the disclosure did not fall within the research rule. Stop here or determine whether the disclosure was otherwise authorized.

2. Before the program made the disclosure, did the director determine:

• that the researcher was qualified? Y__ N__

• that the researcher had a protocol under which the security of patient records was assured (per § 2.16)? and Y__ N__

• that patient-identifying information would not be redisclosed? Y__ N__

If the answer to all of the above questions is "yes," go to question 3.

If the answer to any of the above questions is "no," the disclosure did not fall within the research rule. Stop here or determine whether the disclosure was otherwise authorized.

3. Did the researcher provide a written statement that three or more independent evaluators had reviewed the research protocol and determined that:

• the rights and welfare of the patients concerned would be adequately protected? and Y__ N__

• the potential benefits of the research outweighed the risks to patient confidentiality? Y__ N__

If the answer to both of the above questions is "yes," the program's disclosure was authorized by the research rule. (See Section V to determine whether the researcher also complied with the law.)

If the answer to either of the above questions is "no," the disclosure did not fall within the research rule. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the rule

A program may allow a researcher to have access to its patients' records under the following circumstances:

First, the program director must determine (i) that the researcher is qualified, (ii) that the researcher has a protocol under which the security of patient records is assured (per § 2.16), and (iii) that patient-identifying information will not be redisclosed.

In addition, the researcher must provide a written statement that three or more independent evaluators have reviewed the research protocol and determined that the rights and welfare of the patients concerned will be adequately protected and that the potential benefits of the research outweigh the risks to patient confidentiality (§ 2.52(a)).

If a researcher satisfies the above standard, the researcher may proceed but is barred from redisclosing patient-identifying information except back to the program itself. No report may identify any individual patient (§ 2.52(b)).

H. AUDIT AND EVALUATION

Issue: Was the disclosure authorized under the audit and evaluation rule?

1. Was the disclosure made to any of the following: a Government agency that funds or regulates the program? Y__ N__

• a private person or agency that provides financial assistance or third-party payments to the program? Y__ N__

• a peer-review organization that performs utilization or quality control
  review? or Y__ N__

• a person that the program director determined to be "qualified" to conduct the audit or evaluation? Y__ N__

If the answer to any of the questions is "yes," go to question 2.

If the answer to all of the questions is "no," the disclosure did not fall within the audit and evaluation rule. Stop here or determine whether the disclosure was otherwise authorized.

2. Was the purpose of the disclosure to enable the oversight entity to conduct the audit or evaluation of the program? Y__ N__

If "yes," go to question 3.

If "no," the disclosure did not fall within the audit and evaluation rule. Stop here or determine whether the disclosure was otherwise authorized.

3. Did the auditor or evaluator agree in writing that it would redisclose patient-identifying information only:

• back to the program? or Y__ N__

• to a Government agency that is overseeing a Medicare or Medicaid audit or evaluation? Y__ N__

If the answer to both questions is "yes," go to question 4.

If the answer to either question is "no," the disclosure did not fall within the audit and evaluation rule. Stop here or determine whether the disclosure was otherwise authorized.

4. Did the auditor or evaluator agree in writing to use the information only:

• for the audit or evaluation? or Y__ N__

• pursuant to a court order to investigate or prosecute the program (not a
  patient)? Y__ N__

If the answer to both questions is "yes," go to question 5.

If the answer to either question is "no," the disclosure did not fall within the audit and evaluation rule. Stop here or determine whether the disclosure was otherwise authorized.

5. Did the program copy for or give the auditor or evaluator any records containing patient-identifying information for the auditor or evaluator to remove from the program premises? Y__ N__

If "yes," go to question 6.

If "no," stop here because the program's disclosure to the auditor or evaluator was authorized by the audit and evaluation rule.

6. Was the auditor or evaluator a:

• Government agency that funds or regulates the program? Y__ N__

• private person or agency that provides financial assistance or third-party payments to the program? or Y__ N__

• peer-review organization that performs utilization or quality control review? Y__ N__

If the answer to any of the above questions is "yes," go to question 7.

If the answer to all of the above questions is "no" (i.e., the auditor or evaluator was merely someone whom the director determined was "qualified" to conduct an audit or evaluation), the program was not authorized, under the audit and evaluation exception, to permit the auditor or evaluator to copy or remove records. Stop here or determine whether the disclosure was otherwise authorized.

7. Prior to copying or removing patient records, did the auditor or evaluator agree in writing to:

• maintain the patient-identifying information in accordance with the security requirements provided in § 2.16 of the regulations (or more stringent requirements)? Y__ N__

• destroy all patient-identifying information upon completion of the audit or evaluation? and Y__ N__

• comply with the limitations on disclosure and use specified in § 2.53(d)? (Section 2.53(d) provides that any person or organization that conducts an audit or evaluation must agree in writing that it will redisclose patient-identifying information only (i) back to the program or (ii) to a Government agency that is overseeing a Medicare or Medicaid audit or evaluation. Such person or organization must also agree in writing to use the information only for the audit or evaluation or pursuant to a court order to investigate or prosecute the program (not a patient).) Y__ N__

If the answer to all of the above questions is "yes," the program was authorized, under the audit and evaluation rule to permit the copying or removal of records. (See Section V to determine whether the auditor or evaluator complied with the regulations.)

If the answer to any of the above questions is "no," the program was not authorized under the audit and evaluation rule to permit the copying or removal of records. You may determine whether the disclosure was authorized under another rule. In addition, see Section V to determine whether the auditor or evaluator complied with the regulations.

Summary of the Rule

Government agencies that fund or regulate a program, private persons that provide financial assistance or third-party payments to a program, peer-review organizations that perform utilization or quality control review, and persons whom the program director determines are "qualified" may have access to program records for audits or evaluations of the program (§ .53). Examples of such funding or oversight agencies include Government agencies that administer the Medicaid program and that contract with AOD programs, insurance and managed care companies, and State agencies that license and regulate AOD programs.

Any person or organization that conducts an audit or evaluation must agree in writing that it will redisclose patient-identifying information only (i) back to the program, or (ii) to a Government agency that is overseeing a Medicare or Medicaid audit or evaluation. Such person or organization also must agree in writing to use the information only for the audit or evaluation or pursuant to a court order to investigate or prosecute the program (not a patient) (§ 2.53(c) and (d)).

The agencies listed in the first paragraph above also may copy or remove records, but only if they agree in writing to (i) safeguard the confidentiality of patient-identifying information in accordance with the security requirements of § 2.16 of the regulations (or more stringent requirements), (ii) destroy all such information on completion of the audit or evaluation, (iii) redisclose patient-identifying information back to the program or to a Government agency that is overseeing a Medicaid or Medicare audit or evaluation, and (iv) not use the information except for purposes of the audit or evaluation or to investigate or prosecute criminal or other activities as authorized by a court order entered under § 2.66 (§ 2.53(b)-(d)). Thus a State regulatory agency could not obtain patient records pursuant to an audit and then store them permanently on a computer database.

Any other person or organization determined by the program director to be "qualified" and that pledges in writing to observe the restrictions on redisclosure and use that are specified two paragraphs above may also inspect patient records for audit or evaluation purpose without consent. Only the agencies listed in the first paragraph, however, may copy or remove records.

I. COURT ORDERS

Issue: Was the disclosure made in response to a valid court order?

1. Did the program make the disclosure in response to an order that states it was issued under the Federal confidentiality regulations (42 C.F.R. Part 2) and was signed or issued by a court? Y__ N__

If "yes," go to question 2.

If "no," the disclosure did not fall under the court order rule. (Recall that a subpoena, search warrant, or arrest warrant, in and of itself, is not a court order that meets the requirements of 42 C.F.R. Part 2. For arrest or search warrants, proceed to Section IV to determine whether the program's response was proper.) Stop here or determine whether the disclosure was otherwise authorized.

2. Did the program itself apply for the court order (as opposed to a third party who wanted the information from the program)? Y__ N__

If "yes," go to question 3.

If "no," go to question 7.

3. Did the program's application use a fictitious name for the patient? Y__ N__

If "yes," go to question 5.

If "no," go to question 4.

4. Did the patient sign a valid consent authorizing the use of his or her name in the application? Y__ N__

If "yes," go to question 5.

If "no," the application for the court order was not authorized by the court order rule. Stop here or determine whether it was otherwise authorized by the regulations.

5. Did the program give the patient adequate notice of the application for the court order as well as an opportunity to make a written response or to appear in person for the limited purpose of responding to the application? Y__ N__

If "yes," go to question 7.

If "no," go to question 6.

6. Was the disclosure sought for the purpose of investigating or prosecuting the patient for a crime? Y__ N__

If "yes," the program did not need to give the patient notice. Go to question 7.

If "no," stop here because the failure to provide the notice renders the program's application improper under the regulations, or determine whether the disclosure was otherwise authorized.

7. Did the program disclose only that information described in the court order? Y__ N__

If "yes," the disclosure was authorized by the court order rule.

If "no," the program's disclosure was broader than that allowed under the "court order" rule and, therefore, not permitted. Stop here or determine whether the disclosure was otherwise authorized.

Summary of the Rule

A Federal, State, or local court may authorize a program to make a disclosure of patient-identifying information. A court may issue such an order, however, only after following certain procedures and making certain determinations specified in the regulations (§ 2.63-2.67). A subpoena, search warrant, or arrest warrant, even when it is signed by a judge, is not sufficient, by itself, to require or even permit a program to make a disclosure (§ 2.61).

For guidance on how to respond to search and arrest warrants, see Section IV. When faced with a subpoena, a program may contact the patient referenced in the subpoena and seek the patient's consent to release the subpoenaed information. Alternatively, a program may contact the party that issued the subpoena and attempt to persuade the party to seek a proper court order. If that fails, the program could move to quash the subpoena.

With respect to court orders, the applicant for the court order must follow certain procedures, such as using a fictitious name, like John Doe, to refer to any patient (unless the patient has consented to the use of his or her real name). In addition, the applicant generally must give the program and the patient "adequate notice" of an opportunity to file a written response to the application or appear in person for the limited purpose of responding to the application (§ 2.64(a) and (b)). If the court order was requested in order to criminally investigate or prosecute a patient, however, the patient need not receive notice. (§ 2.65) Likewise, if the court order was requested in order to criminally prosecute or investigate the program, the program need not receive notice (§ 2.66).

This checklist is limited to those requirements for which AOD programs can properly be held accountable (i.e., the program made no disclosure until and unless a court ordered it to do so under the Federal regulations, and the program only disclosed the information listed in the court order). (The AOD program and its lawyer also are responsible for properly filing a request for a court order if the program initiates the application.) AOD programs cannot be held accountable for procedural or substantive errors made by a court, prosecuting attorney, and so on. This is not to suggest, however, that the program should not take steps to ensure that a third party who seeks a court order has followed the proper procedures, such as providing proper notice and holding a hearing with respect to whether the disclosure should be made. Furthermore, the program and/or the patient concerned could file an appeal if the court issued the order improperly.

IV. RESPONDING TO SEARCH AND ARREST WARRANTS

Issue: Did the AOD program respond appropriately to a search or arrest warrant?

1. When law enforcement officials contacted the program, did the program attempt to persuade the officials to obtain a court order (as discussed in Section III.I)? Y__ N__

If "yes," go question 2.

If "no," there may have been a violation of the regulations if the program provided patient-identifying information.

2. If the law enforcement officials insisted on entry, did the program either:

• point out the patient sought in the arrest warrant? or Y__ N__

• provide the records sought in the search warrant? Y__ N__

If the answer to either question is "yes," there may have been a violation of the regulations.

If the answer to both questions is "no," there likely was no violation of the regulations.

Summary of the Rule

As discussed in Section III.I, neither a search warrant nor an arrest warrant, in and of itself, constitutes the type of court order authorized under the regulations. Consequently, programs may not disclose patient-identifying information in response to such warrants.

On the other hand, the regulations do not require a program to forcibly resist a law enforcement officer who insists on entry. The DHHS has ruled that when faced with an arrest or search warrant without a valid court order, programs generally should:

• produce a copy of the regulations and explain that they cannot cooperate with law enforcement unless they obtain a court order;

• try to get time to notify a lawyer;

• ask to contact the prosecuting attorney or commanding officer so that the program can repeat its arguments; and

• try other appeals to reason.

If all of the above fail, programs should not forcibly resist. They may permit the law enforcement officials to enter, but they should not point out the patient sought in the arrest warrant or the records sought in the search warrant.

V. DISCLOSURES BY THIRD PARTIES

Issue: Did a third party who received patient-identifying information from an AOD program redisclose it without authorization?

Third-Party Payers

1. Did a third-party payer (e.g., insurance company) redisclose patient-identifying information it received from a program?¹ Y__ N__

If "yes," go to question 2.

If "no," go to question 4.

2. Did the third-party payer receive the patient-identifying information pursuant to the audit and evaluation rule? Y__ N__

If "yes," go to question 11.

If "no," go to question 3.

3. Was the redisclosure authorized by one of the rules discussed in Section III? Y__ N__

If "yes," the redisclosure was authorized by the regulations.

If "no," stop here because the redisclosure was not authorized by the regulations.

Entities With Administrative Control Over Programs

4. Did an entity with administrative control over a program redisclose patient-identifying information it received from the program (pursuant to the internal communications rule discussed in Section III.B)? Y__ N__

If "yes," go to question 5.

If "no," go to question 6.

5. Was the redisclosure authorized by one of the rules discussed in Section III? Y__ N__

If "yes," the redisclosure was authorized by the regulations.

If "no," stop here because the redisclosure was not authorized by the regulations.

Consent

6. Did a third party redisclose patient-identifying information that it received from an AOD program pursuant to a valid consent form (discussed in Section III.A)? Y__ N__

If "yes," go to question 7.

If "no," go to question 8.

7. Did the third party receive a "notice prohibiting redisclosure" from the AOD program? Y__ N__

If "yes," the third party's redisclosure was not authorized by the consent rule. Stop here or consult the other parts of Section III to determine whether the disclosure was otherwise authorized.

If "no," the redisclosure was authorized and the third party was not bound by the regulations unless the third party was also bound by a QSOA or the research or audit and evaluation rules. Go to question 8 to determine whether any of those rules apply.

QSOAs

8. Did a third party redisclose patient-identifying information that it received from an AOD program pursuant to a QSOA (discussed in Section III.C)? Y__ N__

If "yes," the redisclosure was not authorized by the QSOA rule. Stop here or consult the other parts of Section III to determine whether the disclosure was otherwise authorized.

If "no," go to question 9.

Research

9. Did a third party redisclose patient-identifying information that it received from an AOD program under the "research" rule (discussed in Section III.G)? Y__ N__

If "yes," go to question 10.

If "no," go to question 11.

10. Did the third-party researcher:

• redisclose patient-identifying information to someone other than back to the program itself? Y__ N__

• issue a report that identified any individual patient? Y__ N__

If the answer to either question is "yes," the third party's redisclosure was not authorized by the research rule (see Section III.G). Stop here or consult the other parts of Section III to determine whether the disclosure was otherwise authorized.

If the answer to both questions is "no," stop here because the third-party researcher did not violate the regulations.

Audit and Evaluation

11. Did a third party redisclose patient-identifying information that it received from an AOD program pursuant to the audit and evaluation rule (discussed in Section III.H)? Y__ N__

If "yes," go to question 12.

If "no," stop here because the regulations do not apply.

12. Did the third-party auditor or evaluator comply with the written agreement (see Summary of the Rule for Section III.H to:

• redisclose patient-identifying information only (i) back to the program or (ii) to a Government agency overseeing a Medicare or Medicaid audit or evaluation? and Y__ N__

• use the information only for the audit or evaluation or pursuant to a court order to investigate or prosecute the program? Y__ N__

If the answer to both questions is "yes," go to question 13.

If the answer to either question is "no," the auditor or evaluator violated the regulations.

13. Did the auditor or evaluator copy or remove patient records from the program? Y__ N__

If "yes," go to question 14.

If "no," stop here because the auditor or evaluator complied with the regulations.

14. Did the auditor or evaluator comply with the written agreement (see Summary of the Rule for Section III.4) to:

• maintain the patient-identifying information in accordance with the security requirements provided in § 2.16 of the regulations (or more stringent requirements)? Y__ N__

• destroy all patient-identifying information on completion of the audit or evaluation? and Y__ N__

• comply with the limitations on disclosure and use specified in § 2.53(d)? Y__ N__

If the answer to all of the questions is "yes," the auditor's or evaluator's copying or removal of records was authorized by the audit and evaluation rule.

If the answer to any of the questions is "no," the auditor's or evaluator's copying or removal of records was not authorized by the audit and evaluation rule. Stop here or consult the other parts of Section III to determine whether the copying or removal of records was otherwise authorized.

Summary of the Rule

As discussed in Sections III.A, C, G, and H, third parties who receive patient-identifying information from AOD programs pursuant to consent forms, QSOAs, or the research or audit and evaluation rules are generally prohibited from redisclosing it. This section will not repeat the details regarding redisclosure under these rules (see Summary of the Rule for Sections III.A, C, G, and H).

In addition, the regulations require third-party payers who receive patient-identifying information from programs to comply with the regulations, regardless of whether they received a notice prohibiting redisclosure (§ 2.12(d)(2)(i)).

Likewise, entities with direct administrative control over programs, which receive information from programs pursuant to the internal communications' exception (see Section III.B), must abide by the disclosure restrictions in the regulations (§ 2.12(d)(2)(ii).

Note, however, that the prohibitions against redisclosing information obtained from an AOD program apply to the information actually received from the AOD program and not from the patient. For example, if a third party receives patient-identifying information from an AOD program, and the patient self-discloses the identical information to the third party, the third party can redisclose the information. This is because the third party is not redisclosing information it received pursuant to the consent form or QSOA, but rather, information it received from the patient.

Back to Top