Rehab & Drug Abuse Confidentiality (HIPAA & Privacy of Records)
HIPAA, Medical Records, and Laws
HIPAA, or Health Insurance Portability and Accountability Act of 1996, is a federal law that protects sensitive patient health information from being shared without a patient’s consent or knowledge.1 This was initially created and enacted to help “improve the use and accountability of health insurance coverage” for employees between jobs and those with pre-existing conditions. HIPAA evolved to include privacy and security rules around Protected Health Information (PHI) in personal medical records in 2002. A person’s demographics, health status, where they received care, and how they paid for their care are all examples of PHI that can identify an individual.2
To make HIPAA stronger, the US Department of Health and Human Services (HHS) developed HIPAA’s national standards with a Privacy Rule for all healthcare providers to follow as well as other “covered entities” (e.g., health plans, claims processing centers, billing departments).1
In an age of computerized records and the flow of electronic health information back and forth between healthcare providers, HIPAA stands to protect your personal medical information. The Privacy Rule allows personal medical information to be processed in a standard format while protecting your privacy.1 If you wish to share your health information beyond the “covered entities” you have the right to give special permission.
Is Rehab Confidential?
People who are being treated for a substance use disorder (SUD) have additional protections in place with the Code of Federal Regulations (CFR) Title 42 Part 2. This regulation protects “the records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research…” Basically, these confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for a SUD.3
Early in 2024, the U.S. Department of Health and Human Services issued a Final Rule to revise the Confidentiality of Substance Use Disorder Patient Records regulations. Among those revisions:4
- Allow Part 2 programs to disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations
- Allow the re-disclosure of Part 2 records as permitted by the HIPAA Privacy Rule
- Expand the prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings
- Create additional patients’ rights under Part 2, including: 1. right to an accounting of disclosures and 2. right to request restrictions on disclosures for treatment, payment, and health care
- Require disclosures to the Secretary for enforcement
- Apply HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act civil and criminal penalties for violations of Part 2
- Require Part 2 programs to establish a process for receiving complaints of Part 2 violations
- Prohibit Part 2 programs from taking adverse actions against patients who file complaints
- Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility of services
The confidentiality of patient records maintained by us is protected by federal law and regulations. Generally, we may not say to a person outside the treatment center that you are a patient of the treatment center or disclose any information identifying you, your diagnosis, your prognosis, or your treatment unless:
- You consent in writing;
- The disclosure is allowed by a court order; or
- The disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.
Violation of the federal law and regulations by the treatment center is a crime. Suspected violations may be reported to appropriate authorities in accordance with federal regulations.
When you enroll in a rehab program, the intake specialist or admissions navigator typically provides you with the required information and paperwork that confirms you were given the information and that you understand your rights related to HIPAA.
Consent Forms
Rehab centers also provide you information on consent forms. Consent forms give staff permission to share your health information with others besides your clinical team.4 It may be important to you that your family be free to talk to your counselor or doctor about your care during your rehab stay. If you sign a consent for a family member, they can call and receive updates.
Consent forms are very specific as to “who” the rehab staff can disclose your health information to and for what purpose. Consent forms also clearly state the amount and kind of health information that can be shared.4 For instance, a patient may want their spouse to be updated on their progress during treatment. The consent form identifies the spouse by first and last name, along with the PHI related to the patient’s care that staff are authorized to share.
If a patient does not give the rehab team consent to disclose SUD health information, then no one, including parents, spouse, partner, friends, or family members, will be given any information. The added protection under 42 CFR Part 2 even prevents staff from verifying your presence in the rehab program should someone inquire. Unless an individual is specifically named on a release of information (consent) form with your express approval, information will not be shared.
Consent forms can be revoked at any time either in part or in whole. When consent is revoked for Part 2 programs, the revocation should be immediately communicated to the rehab center team. A revocation can be given orally or in writing, and documented in the patient’s record.4
Healthcare providers that work in addiction treatment centers are specially trained in HIPAA and 42 CFR Part 2 regulations to ensure your privacy is upheld to the fullest extent of the law.
Reasons People Want to Keep Rehab Confidential
There are a variety of reasons why someone might want to keep rehab confidential. Some reasons may include:
- The stigma of addiction and shame.
- Employment prospects.
- Fear of a record.
Whatever the reason, there are laws in place to protect your or your loved one’s privacy.
Doctor-Patient Confidentiality and Drug Use
Doctor-patient confidentiality (doctor-patient privilege) is very important and occurs when you communicate with your doctor regarding your concerns, your health, and other personal information exchanged during a doctor’s visit. The information shared is protected.5 If you tell your doctor that you have been using illicit drugs or drinking alcohol in risky ways (e.g., while driving) the doctor cannot have you arrested. HIPAA protects you from the provider sharing (disclosing) your information to non-treatment entities.3
Your health and the care you need are of the utmost importance to your doctor. Being honest about your history helps inform your practitioner’s advice regarding your care.
Doctors do have the authority to send patients to an acute care hospital for an evaluation if a medical or psychiatric emergency presents itself. Those who are a risk to themselves or others meet this criterion and are treated for a specific condition, stabilized, and then medically cleared before being admitted to a rehab program.
Records and Background Checks
Prior drug and alcohol treatment does not show up on your record. While there is no shame in seeking treatment, some people may still wish to conceal the fact that they’re getting help and attending rehab due to the stigma that exists around drug and alcohol misuse issues. HIPAA and 42 CFR Part 2 are in place to keep your information secure.
Under What Circumstances Could Information Protected by HIPAA be Disclosed?
Electronic health information exchange allows doctors, nurses, pharmacists, other healthcare professionals, and patients to appropriately and securely share health information. This is permitted in the following ways:6
- Directed exchange: A directed exchange enables healthcare providers to securely send and receive patient information—such as lab results, patient referrals, or discharge summaries—to and from a known and trusted recipient. To meet the requirements of Part 2, the patient needs to complete a consent form specifying the sharing of certain information.
- Query-based exchange: Health care providers can also search clinical data sources to get information about a patient. This typically involves an intermediary, often known as a health information exchange (HIE). In order for patient-identifying information to be passed to the HIE under Part 2 requirements, patient consent must be obtained or a Qualified Service Organization Agreement (QSOA) needs to be executed with the HIE. A qualified service organization provides services to the Part 2 program—such as accounting, billing, laboratory, pharmacy.
Penalties for Disclosing Information
Under the Enforcement Final Rule of 2006, penalties can be handed down to doctors, health organizations, and other covered entities who, knowingly or unknowingly, disclose Protected Health Information without a person’s consent.6
The Department of Health Services’ Office for Civil Rights (OCR) and the state attorney general can issue the violation. The violation can result in either a financial fine or a corrective action plan or both.7 Financial penalties can be substantial and are in place to prevent breaches of HIPAA laws “holding covered entities accountable for their actions” in safeguarding the privacy of patients and the confidentiality of health information.7