Have you ever submitted a subpoena to an alcohol and drug counselor, a licensed professional counselor, or a psychiatric facility and received a form letter denying you the records you requested? Or perhaps you’ve obtained what you thought was a properly executed consent for the release of medical records only to receive a similar denial? When we think of the confidentiality of medical records, our analysis often begins and ends with the Health Insurance Portability Act (HIPAA). HIPAA has become synonymous with the term “confidentiality” when discussing the privacy of medical records, but many people do not realize that other federal or state laws have been adopted that add to and sometimes conflict with HIPAA. While HIPAA is a good place to start for the disclosure of behavioral health and substance use disorder information, we also need to delve into 42 C.F.R. Part 2 and applicable state law.
Let’s first take a quick history lesson about the origins of the two primary sets of federal regulations. The regulation known as 42 C.F.R. Part 2 (referred collectively as “Part 2”) refers to 42 U.S.C. §290dd and its implementing regulations. HIPAA is contained in 45 C.F.R. Parts 160, 162, and 164. HIPAA’s Privacy Rule and Part 2 are two separate, distinct, and sometimes conflicting bodies of law. Part 2 protects the privacy of substance use disorder records and applies to any individual or program that is federally assisted and holds itself out as providing alcohol or drug abuse diagnosis, treatment, or referral for treatment. Part 2 originated in the 1970s in an effort to encourage individuals to enter and stay in substance use disorder treatment. When HIPAA (also referred to as “Privacy Rule”) began forming in 1996, the Privacy Rule covered all medical records. HIPAA came about as an effort to protect health insurance coverage for individuals when they changed jobs. A primary objective of HIPAA was to streamline health care transactions between providers and insurance companies, and therefore, privacy rules were necessary to protect patient health records. When the Privacy Rule was first issued, the Department of Health and Human Services (HHS) determined that HIPAA and Part 2 do not conflict in most situations. As medical records became digitized in the form of electronic medical records (EMRs), the Health Information Technology (HITECH) Act was enacted in 2009. The HITECH Act promoted the growth of EMRs and set standards for how medical records are shared and increased penalties for breaches. It did not change the Privacy Rule as it applies to the circumstances of when and under what circumstances disclosure is allowed, such as consent, disclosures during medical emergencies, and disclosures for abuse reporting.
One common area where these two bodies of law conflict is whether a subpoena is sufficient to disclose records that would otherwise be protected. Being denied access to records after sending a subpoena can be incredibly frustrating. As frustrating as this may be, the added protection is necessary to maintain the sensitive nature of behavioral health and substance use disorder records. The release of substance use disorder records pursuant to Part 2 is more stringent than HIPAA when considering if records can be disclosed pursuant to a subpoena. While HIPAA allows the disclosure of medical records pursuant to a subpoena, Part 2 provides greater protection to substance use disorder records, and finds that a subpoena is not sufficient to compel substance use disorder records under Part 2. If we have only considered HIPAA in our analysis of when disclosure is permitted, our legal opinion will be incorrect if the records contain information relating to a substance use disorder. If the records in question contain substance use disorder and/or behavioral health information, both HIPAA and Part 2 will need to be examined.
Federal regulations are not set in stone, and change is in process. In response to the opioid epidemic and the COVID-19 pandemic, Part 2 is undergoing fundamental changes. Proponents for changing 42 C.F.R. Part 2 believe that making these records easier to share would enhance the coordination of patients’ care across settings. Thus, the name of the House version was “The Overdose Prevention and Patient Safety Act.” Substance use disorder records will remain heavily protected; however, there will be shared prescribing information among providers and prescription monitoring programs. COVID-19 has significantly changed the way behavioral health and substance use disorder services are rendered. To effectively treat Americans without disruption in services, Congress included some of this previously proposed language to bring Part 2 more in line with HIPAA. This legislation also incorporates parts of HIPAA with Part 2 such as breach notification, civil and criminal penalties, notice of privacy practices, and accounting of disclosures.
A third twist that may further complicate your pursuit of behavioral health or substance use disorder records is that several states have specific laws governing behavioral health practitioners. In such situations, our legal analysis of HIPAA and Part 2 alone may be insufficient. HIPAA has expressly stated that if state confidentiality laws are considered more restrictive or protective than HIPAA, those state laws prevail over HIPAA. Oklahoma, Utah (Utah Code 58-60-114.), Massachusetts (G.L. C. 112, §135), and Colorado are a handful of examples where states have imposed greater confidentiality requirements for behavioral health records. This practice is common, and many states have provided their citizens with regulatory confidentiality requirements as well as evidentiary privileges for behavioral health records.
This presents the question, “If HIPAA is federal law, why do states follow a different rule?” HIPAA is the federal “floor” for privacy protections and allows states to have laws that are contrary to the Privacy Rule in certain circumstances. The regulations at 45 C.F.R. Part 160, Subpart B contains the requirements for state law preemption, and provide four ways state law can preempt the HIPAA Privacy Rule. For our discussion here, 45 C.F.R. §106.203(b) is the applicable authority for state law preemption.
160.203 General rule and exceptions. A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
(b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.
Now that we are aware that state law can differ from the federal Privacy Rule in HIPAA, let us briefly discuss why behavioral health records differ from other medical records, and why they need greater protection. Hypertension may not affect your employment, your right to own a firearm, or your visitation with your children; however, a diagnosis and treatment of bipolar disorder will likely affect all of these areas of your life. One in five Americans do not receive the mental health treatment they need in large part due to stigma. When a person receives treatment, documentation of the illness is increased, which not only deters initial diagnosis but also continued treatment compliance. To see how that stigma perpetuates, you only need to look at one of the most popular holidays in America: Halloween. Images of haunted asylums and terms like “psycho” are prevalent during this season. These images aren’t just limited to Halloween. I recently attended a highly competitive band competition. One school’s performance was titled “Insanity,” where the students wore straight jackets, mimicked being physically restrained, and rolled their heads around. This is the image of behavioral health that is portrayed widely across American society.
If this is the image of those who seek help, no wonder mental health is in a state of crisis. Unfortunately, our profession leads the need for de-stigmatization. Lawyers are 3.6 times as likely to be depressed as those in other professions. We struggle to reach out for help, perceiving we will be ostracized, judged, and condemned because we can’t pull it together by ourselves. It is professionally acceptable and encouraged to consult and collaborate with lawyers on complex legal issues and consult our physician for care of a variety of medical concerns. Why, then, do we compartmentalize our mental health as being an untouchable and forbidden issue? I have seen colleagues pushed over the edge and lose their lives to suicide. These were lawyers I collaborated with and tried cases against, lawyers I lunched with, and lawyers who zealously and professionally represented their clients. However, there is hope, and hope begins with possessing the knowledge that those who seek help are protected by an increased level of confidentiality. Knowing how and when these records can be released will help our clients, their support systems, and ourselves.
About the Author
Robin Moore is assistant general counsel with the Oklahoma Department of Mental Health and Substance Abuse Services.