Privacy 101: What Substance Abuse and Opioid Treatment Providers Need to Know
Health Law Alert 10/04/16 Kerry L. Moskol, Leah M. McNeely
Most substance abuse and opioid treatment providers know that they are subject to state confidentiality laws and the substance abuse confidentiality regulations outlined in 42 CFR Part 2, which governs federally assisted alcohol and drug abuse treatment programs. However, it's important to remember that certain health care providers (including substance abuse and opioid treatment providers that, in simple terms, communicate electronically with health plans) need to remember they are also subject to HIPAA! And, as outlined below, HIPAA requires health care providers to implement specific policies and procedures, and to take a series of other steps to ensure compliance. The following provides a quick overview and summary of what your entity needs to do to ensure that you are complying. If you are missing any of these requirements, now is the time to get moving!
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect the privacy and security of patient information. The statute and its implementing regulations address issues including the use and disclosure of patient information, security safeguards that must be implemented to protect electronic patient information, and steps that must be taken when the privacy of patient information is breached.
Use and Disclosure of PHI
The general rule under HIPAA is that a provider cannot use or disclose protected health information (PHI) without a written patient authorization. There are, however, various exceptions where PHI may be used or disclosed without an authorization. For example, PHI may be used or disclosed for treatment, payment, and health care operations of the provider (e.g., quality assessment and improvement, business planning) without obtaining a patient authorization. Under HIPAA, PHI can also be used or disclosed, without a patient authorization, when required by law.
Generally, even where providers are permitted to use or disclose PHI, providers are required to limit the use or disclosure to the minimum necessary to accomplish the purpose of the use or disclosure. There are, however, certain exceptions to the minimum necessary rule. For example, the minimum necessary rule does not apply when using or disclosing PHI for treatment purposes or pursuant to an authorization.
But be careful! As noted in more detail below, state laws and 42 CFR Part 2 often impose additional restrictions, and HIPAA needs to be analyzed together with those restrictions to determine whether a use or disclosure is permissible.
HIPAA outlines certain rights that patients have with respect to their medical information, including the right to access their PHI, the right to request amendment of PHI, the right to request restrictions on the uses and disclosures of PHI, and the right to request an accounting of certain disclosures of their PHI, among others.
Health care providers subject to HIPAA are also required to provide patients with a Notice of Privacy Practices, which outlines how PHI about the patient will be used or disclosed. HIPAA outlines, in detail, the information that must be contained in the Notice and how this Notice must be distributed to patients. In addition to distributing directly to patients, HIPAA also requires the Notice to be posted on the provider's website—check to make sure you have your Notice posted!
Substance abuse and opioid treatment providers may contract with vendors that provide services for—or on behalf of—the provider. If a vendor creates, receives, maintains, or transmits PHI for or on behalf of the provider when providing these services, the vendor is considered a "business associate" under HIPAA. (Common business associates of substance abuse and opioid treatment providers can include, for example, electronic health record providers, document shredding companies, and—everyone's favorite business associate—attorneys!). Substance abuse and opioid treatment providers are required to enter into business associate agreements with business associates, and HIPAA outlines certain information that must be contained in the business associate agreement. Importantly, these business associates are also directly regulated by HIPAA. Providers need to make sure they keep track of their business associate agreements and update them whenever there are relevant regulatory changes.
Under HIPAA, a breach occurs (subject to certain exceptions) when there is a use or disclosure in violation of the HIPAA Privacy Rule that compromises the security or privacy of the PHI. In the event of a breach of unsecured PHI that creates more than a low probability of compromise to the PHI, HIPAA requires that the provider notify affected patients, the federal government, and, in certain cases, the media. Breaches can be stressful events, and having a policy and procedure that outlines the steps you are required to take, who needs to be involved, what the required timeframes are for notifying, and how the breach investigation should be documented is critical!
Tips for HIPAA Compliance
Substance abuse and opioid treatment providers should make sure they are complying with HIPAA. Here is a quick compliance checklist to help make sure you are on track:
- Identify a privacy officer and a security officer.
- Create HIPAA privacy and security policies and procedures.
- Post your Notice of Privacy Practices on your website, at your practice locations, and distribute the Notice of Privacy Practices to patients. Make a good faith effort to obtain written acknowledgment of receipt of the Notice from patients, and document your good faith efforts to obtain the acknowledgment if it cannot be obtained.
- Train workforce members on privacy and security (and document training).
- Implement a system to comply with the patient rights requirements.
- Enter into HIPAA-compliant business associate agreements with vendors.
- Conduct a detailed HIPAA security risk analysis on a periodic basis.
- Report breaches as required by HIPAA.
Other Laws to Consider
Substance abuse and opioid treatment providers can be subject to a wide range of privacy laws. As mentioned above, most substance abuse and opioid treatment providers know that they are subject to 42 CFR Part 2, which imposes restrictions above and beyond HIPAA. Importantly, certain of the disclosures permitted by HIPAA, such as for non-emergent treatment, payment, and health care operations, are generally not permitted by 42 CFR Part 2 without patient authorization.
There are also state privacy laws that apply to substance abuse and opioid treatment providers. State laws can include, for example, general medical record confidentiality laws, confidentiality laws applicable to mental health and alcohol and other drug abuse (AODA) records, and state laws applicable to the disclosure of HIV test results and other communicable diseases. Generally, if state and federal law conflict, HIPAA requires that the provider comply with the more "stringent" law. This means that the provider must follow the law that is more restrictive on uses and disclosures of PHI, or the law that provides greater rights to the patient with regard to the patient's PHI. In the event of a breach of patient information, most states also have data breach notification laws that may impose requirements in addition to HIPAA's breach notification requirements.
Given the number of laws that a substance abuse or opioid treatment provider may be subject to, it is important to put in place policies and procedures and train your workforce on those policies and procedures. This will help better ensure compliance in this highly regulated environment.