The federal government has established several laws and regulations intended to protect the privacy of health care information. The best-known are the privacy regulations, mentioned earlier and established by the Secretary of Health and Human Services in 2000 pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA; PL 104-191). Except when a patient signs an authorization for a non-routine disclosure of patient health information, the regulations require that “covered entities must…limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made,” (§ 164.514(d)(4)), although what constitutes minimum necessary information is not further clarified.
There are also special federal protections for substance abuse records. Specifically, medical records of patients in Federally assisted substance abuse treatment programs are subject to a Federal law restricting their use and disclosure (Public Health Service Act §543, 42 U.S.C. 290dd-2; regulation at 42 CFR part 2). Information may only be disclosed to third party payers if the patient signs an authorization. The regulation requires certain elements to be included in the authorization, including:
1. The specific name or the general description of the program or person permitted to make the disclosure;
2. The name or title of the individual or the name of the organization to which the disclosure is to be made;
3. The name of the patient;
4. The purpose of the disclosure;
5. How much and what kind of information is to be disclosed;
6. The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent…or, when required for a person who is incompetent or deceased, the signature of a person authorized to sign…in lieu of the patient;
7. The date on which the consent is signed;
8. A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it; and
9. The date, event or condition upon which the consent will expire if not revoked before…(§ 2.31).
Despite the additional confidentiality requirements for substance abuse records, the substance abuse provisions do not restrict information shared with payers for purposes of payment, assuming an authorization has been signed. However, a study by the National Mental Health Association (NMHA 1999) of MCO confidentiality practices found that only a minority of MCOs studied described these requirements in their internal policies and offered guidance on executing them.
State privacy laws vary considerably, with some states offering significantly greater protections than what is required by federal law. A review of state privacy laws was beyond the scope of our project, but many respondents pointed us to the laws of the state of New Jersey and the District of Columbia, which have the most stringent laws protecting the confidentiality of mental health and substance abuse information. According to these laws, information that can be disclosed to third parties is limited to administrative and diagnostic information, patient status (such as voluntary or involuntary), the reason for admission or continuing treatment, and the estimated duration of treatment. In the event of a dispute between a provider and payer over the course of treatment, the third-party payer in the District of Columbia may request that another mental health professional review the record and make a determination as to the appropriate level of care (§6-2017; District of Columbia 1978). In New Jersey, the insurer may request the review from an independent review committee (§45:14B-32; New Jersey 1985). However, in 1991, the New Jersey courts ruled that ERISA-exempt firms (which self-insure) are also exempt from these requirements. Since the majority of employers in New Jersey self-insure, this law does not cover most individuals with employer-sponsored insurance, and the appeals process has not been used in years.
Other states also have laws that affect what information can be shared with third-party payers. Maryland passed a law, effective October 2000, which states that payers can request only the behavioral health information contained in a standard form developed by the State Department of Health and Mental Hygiene in consultation with key stakeholders. Payers cannot request additional information, although patients may choose to release information during appeals. As in New Jersey, firms that self-insure are also exempt from these requirements. However, according to a representative of the Maryland Psychological Association, most firms with ERISA-exempt plans use the Maryland form for simplicity. In addition to the laws in Maryland, New Jersey, and the District of Columbia, which specifically protect mental health and substance abuse treatment information, laws in many other states have implications for the privacy of mental health and substance abuse records, including “anti-discrimination laws, adoption, foster care, mental health treatment, reproductive health, parental involvement, partner notification, and abuse and neglect” (Koyanagi 1999).