Summary of HIPAA and Federal Drug and Alcohol Confidentiality Law

By Michelle L. Riske-Morris, PhD, JD | Special to the Center for Innovative Practices

The following is a brief summary of my research on the Federal Drug and Alcohol Confidentiality Law (42 CFR Part 2) and HIPAA, which I thought would be useful before our meeting. I also included a brief summary of the Federal Education Reporting Privacy Act (FERPA). This overview is cursory and only meant to provide a brief overview. The nuances and intricacies of these laws can be quite confusing. The issue researched was how these two laws affect information shared during a case management conference: specifically, what information can be shared by therapists and practitioners during these types of meetings, and whether there are any restrictions or constraints which may impede open discourse. Understanding these laws will help to avoid inappropriate use of information and minimize potential negative collateral consequences of information sharing. While information sharing is optimal during a case management conference to ensure coordinated case plans for the youth and families who are served by multiple agencies and to improve outcomes for these individuals, there are nevertheless restrictions on how and what confidential information can be disclosed. If there is improper disclosure, the individual and/or organization could face fines and penalties ranging from $500 to $50,000 for the first offense. Unauthorized disclosure violates the individual’s due process rights. This summary assumes that the client is a youth; therefore, additional considerations are discussed involving the role and influence of parents and guardians.

While these laws have many similarities in terms of confidentiality restrictions, there are some differences, especially in terms of what information can be disclosed to the parents. Both regulations establish standards for maintenance, use and disclosure of health information, including what must be done before a disclosure of confidential information can be made, the manner in which the information may be disclosed, and to whom it may be disclosed (Legal Action Center, 2012). As a general rule of law, personally identifiable information should only be disclosed, shared or used in a manner that is consistent with federal, state and local laws. As a rule of thumb, information should not be shared unless informed voluntary authorization is provided by the youth and/or parents/guardians. These restrictions on disclosure do not pertain to mandated child abuse reporting laws and other laws that require disclosure for public safety reasons. There are also a few other exceptions where disclosure may be permitted without informed consent, but these instances are usually rare.

According to the US Department of Health and Human Services, these two laws do not conflict and in most instances both can be given effect (65 Federal Register 82480-93 – December 28, 2000). However, in those instances where these two federal laws conflict, usually the most recently enacted law will prevail, except when an earlier law has a narrow, precise or specific subject matter and the later enacted law treats the subject more generally (Legal Action Center, 2012). For example, many HIPAA provisions permit, but do not mandate, disclosure of health information, while 42 CFR Part 2 prohibits all disclosures except those specifically allowed by the regulations. Since 42 CFR Part 2 is more restrictive, this law will prevail over HIPAA.

Federal Drug & Alcohol Confidentiality Law (42 CFR Part 2)

For those individuals who are at risk for or who seek or have been in treatment for alcohol or drug problems, there is a compelling need to protect their privacy. Arguably the confidentiality restrictions encompassed by 42 CFR Part 2 will be more germane to case management conferences than HIPAA, since HIPAA only applies to the transmission of health information by a health care covered entity. However, 42 CFR Part 2 applies only to drug and alcohol programs, including drug and alcohol education programs that admit students on the basis of involvement or suspected involvement in, or being at risk for, alcohol or drug use.

42 CFR Part 2 applies when a provider meets the definition of a program and receives federal assistance. A program includes any person or organization that holds itself out as providing alcohol or drug abuse diagnosis, treatment, referral for treatment or prevention. Although receiving federal assistance appears on its face self-explanatory, the definition includes those organizations assisted by the IRS through a grant of tax exempt status, licensed by the federal government to conduct business, or when the program is operated by the federal government.

If any disclosure is made which is protected by 42 CFR Part 2, there must be a written statement accompanying the disclosure which states that the recipients of the disclosure may not make any further disclosures unless permitted by the regulations. This would include any disclosures which are made verbally. Another restriction to be cognizant of is that even if the youth was referred to the program from an organization such as the Juvenile Court or Child Welfare Agency, the program is prohibited from providing information back to said organization unless appropriate written consent was received from the client, who in this case is the youth, except in those instances where the youth was court ordered to the program and the court order includes a requirement to report on the youth’s progress. In general, parents will not be permitted to access the client’s records unless the client provides written consent.

Health Insurance Portability and Accountability Act (HIPAA)

Although HIPAA covers health care plans and health care clearinghouses, for purposes of this memo we will focus on health care providers.  Health care providers include doctors, clinics, psychologists, etc. if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard for the entity.  Health care includes preventative, diagnostic, therapeutic, counseling and assessment services with respect to the physical or mental condition of an individual.  If the provider meets these requirements, it will be considered a “covered entity.”

Once a program meets the definition of a covered entity, all patient identifying information transmitted or maintained by the program in any medium is protected by HIPAA.  If a covered entity engages in functions that are both covered by HIPAA and those that are not covered by HIPAA, the HIPAA privacy rule would only apply to the covered provisions.

Patient identifying information would include demographics that relate to (1) the individual’s past, present or future physical or mental health condition; (2) the provision of health care to the individual; or (3) the past, present, or future payment for the provision of health care to the individual (Legal Action Center, 2012).

This information cannot be disclosed except as permitted by HIPAA or with proper consent in writing by the client. A covered entity can disclose protected health information for its own treatment, payment, and health care operations without client consent. However, only the minimum amount of information that is necessary to accomplish the intended purpose can be shared.

In most cases parents are the personal representatives for minor children and can therefore exercise individual rights such as access to the youth’s medical records.  In some cases, however, the parent is not considered the youth’s personal representative.  In those cases, HIPAA defers to state and other law to determine the rights of parents to access or control the protected health information.  If the law is silent, the covered entity has the discretion to provide or deny a parent access.

Federal Education Reporting Privacy Act (FERPA)

Education records include those files, documents and other materials that contain information directly related to a student that are maintained by the school. However, certain information should not be maintained in the student’s education record, which therefore protects against improper disclosure, including notes made by the school counselor or psychologist and law enforcement information.

Education records cannot be disclosed to a third party outside of the school system, without prior written consent of the student’s parents, except in limited circumstances such as a court order.  If an exception exists, schools are still under an obligation to notify the parents before releasing the record.

Comparison of 42 CFR Part 2 and HIPAA

Protected Information

Both 42 CFR Part 2 and HIPAA protect patient identifying information. 42 CFR Part 2 only protects information that identifies an individual as being a patient in a drug or alcohol program or as having a drug or alcohol problem, whereas HIPAA protects any health information that identifies an individual. Under 42 CFR Part 2, memories and impressions of program staff regarding a patient, even if never recorded in any form, are also protected.

Protected Individuals  

42 CFR Part 2 protects patients who have applied for, participated in or received an interview, counseling or any other service, including those who have been evaluated for treatment but never received treatment and whether or not they are admitted to the program. It would not include a person who does not show up for an appointment that was arranged by a third party. HIPAA on the other hand does not make distinctions between patients, applicants and no-shows. Both regulations protect former and deceased patients.

Uses and Disclosures

Within both HIPAA and 42 CFR Part 2 there are permitted disclosures of protected information. However, for purposes of this memo, only those circumstances which would apply to a case management conference are discussed. Disclosure should only be that which is necessary in light of the purpose of the communication; i.e., the less is better standard should apply. All disclosures should be documented, and 42 CFR Part 2 requires any disclosure made by patient consent be accompanied by a statement that the information disclosed is protected by federal law and the recipient cannot make any further disclosures unless permitted by the regulations.

Clients under both regulations have the right to request that the program restrict certain uses or disclosures of the client’s protected health information. Although a program is not required to agree to the restriction on disclosures to a qualified service organization or business associate or in response to an audit or evaluation, if the program does agree then it is bound by the agreement and may not disclose the restricted information.

  1. Written Consent

Disclosure is permitted when written informed consent has been provided by the client.  Consent is called an authorization in HIPAA.  Written informed consent is valid until it has been revoked.  HIPAA requires the revocation to be in writing but 42 CFR Part 2 has honored verbal revocations.

42 CFR Part 2 permits consent that cannot be revoked until a certain specified date or condition occurs when a client is mandated into treatment as a condition of a criminal proceeding. If the client voluntarily sought treatment, he/she can revoke consent at any time. Keep in mind, though, that if the client did not sign a consent form during the criminal proceeding, and the client leaves before providing consent, the program is prohibited from disclosing to the referring criminal justice system agency unless authorized in the court order. HIPAA, on the other hand, allows disclosure in response to orders of a court or administrative tribunal.

42 CFR Part 2 allows a program to condition treatment, payment, enrollment, or eligibility of benefits on the patient agreeing to sign consent. HIPAA, however, prohibits conditioning treatment, payment, enrollment in a health plan or eligibility for benefits on the patient providing consent, but a program can state the consequences of failure to consent, such as being denied services if refusing to consent to disclosure for purposes of treatment, payment or health care operations, or if permitted by state law.

Both HIPAA and 42 CFR Part 2 leave the issue of who is a minor and whether a minor can obtain health care or alcohol or drug treatment without parental consent to state law. 42 CFR Part 2 requires that the program always obtain minor’s consent for disclosure and parent’s consent for disclosure to a 3rd party only if state law requires parental permission to provide treatment to the minor.  Therefore if parental consent is not required for treatment, parental consent is not required for disclosure. 42 CFR Part 2 requires minor’s written consent even when the disclosure is to the minor’s parents.  42 CFR Part 2 would also not allow disclosure to a GAL unless minor consented or court ordered.

HIPAA provides that if parental or guardian consent is not needed for a minor to obtain treatment, said person is not considered the personal representative of the minor and minor can act on his own. However, if parental or guardian consent is required for a minor to obtain treatment, the parent or guardian is considered the personal representative and would have access to the minor’s record with or without consent of the minor.

HIPAA and 42 CFR Part 2 both allow consent to be provided by a legal guardian if the person has been found incompetent by a court. Consent is also required to disclose information to the client’s attorney.

Two way or multiple party consent forms are permissible that authorize communications back and forth between the parties as long as spelled out in the consent form. The client can revoke consent to one or more of the parties and if so the rest of the consent still remains in effect.

  2. Medical Emergency

Disclosure without consent may be permitted if there is a medical emergency. 42 CFR Part 2 requires that the situation pose an immediate threat to health which requires immediate medical intervention (narrower). HIPAA is broader in that it permits disclosure without consent for treatment or health care operations.

HIPAA permits health care providers to notify and inform family members and others involved in the individual’s care of the individual’s location and condition without consent in emergency situations if determined to be in the best interests of the individual. This is unlike 42 CFR Part 2, which only permits disclosure to medical personnel unless authorized by consent. Once disclosed in a medical emergency, the information loses its 42 CFR Part 2 protection and can be re-disclosed as permitted by HIPAA.

  3. Court Order

A state or federal court may issue an order that authorizes a program to make a disclosure that would otherwise be prohibited.  HIPAA does not have any specific requirements. 42 CFR Part 2 requires the client be given notice that a party is requesting the order and opportunity to make an oral or written statement to the court against disclosure.

With respect to 42 CFR Part 2, the court must find that there is “good cause” for the disclosure. Disclosure must be limited to information essential to fulfill purpose of order and restricted to those who need it. A court cannot disclose confidential communications by a patient unless necessary to protect against a threat to life or serious bodily injury; necessary to investigate or prosecute an extremely serious crime; or in connection with a proceeding in which that client has already presented evidence concerning confidential communications.

HIPAA allows disclosure to law enforcement agencies in response to a warrant, subpoena or other investigative demand (permissive). Under 42 CFR Part 2, even if there is a subpoena or warrant, disclosure is only permitted if the client consented or pursuant to a court order. Again, the program and client must be given an opportunity to be heard before the court prior to disclosure, and disclosure should only be permitted for good cause.

  4. Crime at program/against program personnel

When a client commits or threatens to commit a crime on program premises, both regulations allow the program to report the crime to law enforcement.

Relationship to State Law

Both HIPAA and 42 CFR Part 2 preempt state law. However, for states which require greater confidentiality, 42 CFR Part 2 would permit more restrictive state provisions. Under HIPAA, if a program would find it impossible to comply with both state and federal requirements, or if state law stands as an obstacle, then state law is preempted by HIPAA, unless the law is necessary to prevent fraud or abuse or the state law relates to privacy and is more stringent.

Where Do We Go From Here

Understanding and complying with these confidentiality provisions is an essential part of case management practices.  It is important to ensure that self-incriminating statements shared during a conference are not later used as evidence against a youth in delinquency adjudications or criminal trials.  It is also important to avoid a net widening effect as the client becomes involved in multiple systems.  Difficulties against unlawful disclosure are compounded as more agencies are involved.

The bottom line is that it is best to secure written consent from youth and parents, which include written statements that describe the purpose of case management, public policy needs, agencies’ ability to receive and disclose information on an as needed basis, how agencies will use data obtained from disclosures and expected outcomes.

In order to ensure understanding of these confidentiality provisions, the following should be undertaken:

  • Training on the legal requirements;
  • Development of guidance material such as standard consent forms and flow charts documenting how and when disclosure is permitted; and
  • Development of monitoring practices to ensure compliance.

Monitoring practices are an important aspect not to overlook. Just because you train staff, it doesn’t necessarily mean they will fully understand what can and cannot be disclosed. The practical application of enforcing confidentiality laws is as difficult as implementing evidence based programs with fidelity. Principles and guidance embedded within implementation science are also applicable to ensuring compliance with confidentiality provisions.