Several federal laws and regulations have been established in order to help protect the privacy of health care information. The best-known are the privacy regulations established by the Secretary of Health and Human Services in 2000 in response to a requirement in HIPAA legislation (PL 104-191) that Congress must develop a federal law to protect the privacy of health care information by August 1999 or the Secretary must issue regulations within six months. The regulations state that "a covered health care provider must obtain the individual's consent …prior to using or disclosing protected health information to carry out treatment, payment or health care operations" (45 CFR 164.506(a)(1)). The regulations require that the PHI shared between the provider and the insurer must be the "minimum necessary" to accomplish the objectives, without further clarification of what constitutes the minimum necessary information.
A second federal law, the Gramm-Leach-Bliley Act (Pub. L. No. 106-102 (1999), 15 U.S.C. § 6801 et seq.), was enacted to protect the privacy of financial information, but applies to health plans as well (Hirsh 2001). The Act requires that health plans distribute a notice to enrollees detailing the types of information disclosed to third parties and the types of third parties who might receive this information. The notice must give clients the opportunity to opt out of information disclosures by informing the company in writing. Health plans were required to implement these practices by July 2001.
There are also special federal protections for substance abuse records. Specifically, medical records of patients in Federally assisted substance abuse treatment programs are subject to a Federal law restricting their use and disclosure (Public Health Service Act §543, 42 U.S.C. 290dd-2; regulation at 42 CFR part 2). Information may only be disclosed to third party payers if the patient signs an authorization. The regulation requires certain elements to be included in the authorization, including:
- The specific name or the general description of the program or person permitted to make the disclosure;
- The name or title of the individual or the name of the organization to which the disclosure is to be made;
- The name of the patient;
- The purpose of the disclosure;
- How much and what kind of information is to be disclosed;
- The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent…or, when required for a person who is incompetent or deceased, the signature of a person authorized to sign…in lieu of the patient;
- The date on which the consent is signed;
- A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it; and
- The date, event or condition upon which the consent will expire if not revoked before…(§ 2.31).
Despite the additional confidentiality requirements for substance abuse records, the substance abuse provisions do not restrict information shared with payers for purposes of payment, assuming an authorization has been signed. However, a study by the National Mental Health Association (NMHA 1999) of MCO confidentiality practices found that only a minority of MCOs studied described these requirements in their internal policies and offered guidance on executing them.
State laws can vary considerably, with some states offering significantly greater protections than what is required by federal law. A review of state privacy laws was beyond the scope of our project, but many respondents we interviewed pointed us to the laws of the state of New Jersey and the District of Columbia as containing the most stringent privacy protections. Both have laws which state that information that can be disclosed to third parties is limited to administrative and diagnostic information, the status of the patient, the reason for admission or continuing treatment and the estimated time that treatment might continue. In the event of a dispute between a provider and payer over the course of treatment, the third party payer in the District of Columbia may request that another mental health professional review the record and make a determination as to the appropriate level of care (DC 1978). In New Jersey, the insurer may request the review from an independent review committee (NJ 1985).