Nurse Reporter Spring 2009 - Wyoming State Board of Nursing

An Overview of Permissive Disclosures
Under HIPAA and 42 CFR Part 2
Travis J. Kirchhefer, J.D.
Protecting the confidentiality of patient communications
is not a new concept. For instance,
in Wyoming physician-patient communications
were protected by statute against disclosure in a
court of law since 1886 (1886 Wyo. Sess. Laws
171). This makes federal regulations over health
care information, passed in the 1970s and 1990s,
incredibly recent. However, the two federal laws
that address responsibility when handling the
individually identifiable information of persons
receiving health care services, are much more
expansive. The first of these laws, [42 Code of
Federal Regulations (CFR) Part 2], covers substance
abuse information specifically; the second,
HIPAA, covers individually identifiable health
information broadly. To better make sense of
these regulations, this article will briefly explore
the authority behind them, and review the types
of disclosures permitted by each of these laws in
hopes of creating a better understanding of how
these laws both protect and serve health care consumers
in the United States.
These regulations represent a commitment by
the federal government to establish not only the
responsible use of individual health information,
but also to provide security for persons seeking
treatment. The United States government’s regulation
of the use of alcohol and drug abuse treatment
information dates back to the early 1970s
(Legal Action Center, 2006). The most recent
incarnation of these laws is found at 42 United
States Code (USC) § 290dd-2 (2006). This law
establishes safeguards for substance abuse information
in hopes of encouraging the use of substance
abuse treatment and prevention programs (Legal
Action Center, 2006). In 1996, the United States
Congress passed the Health Information Portability
and Accountability Act of 1996, Public Law
104-191. This time, Congress hoped to create incentives
to using electronically portable health information
by establishing protections for that information
and establishing uniform standards for
portability through electronic mediums (Health
Information Portability and Accountability Act of
1996, Pub. L. 104-191, § 261, 110 Stat. 931, 1938
(1996)). The laws themselves are very general in
nature and require the Secretary of the United
States Department of Health and Human Services
to establish federally enforceable rules that
explicitly implement their provisions [42 USC §
1320d-1 through 3 (2006), and 42 USC §290dd-
2(g) (2006)]. These rules can be found at 42 CFR
Part 2 and 45 CFR Parts 160, 162 and 164 (2008).
These standards are known, respectively, as “Part
2” and “HIPAA” by today’s health care providers
and consumers.
HIPAA covers any individually identifiable information
collected from or about an individual by
a health care provider, health plan, or health care
clearinghouse that “relates to the past, present ,or
future physical or mental health or condition of an
individual; the provision of health care to an individual,
or the past, present, or future payment for
the provision of health care to an individual” (45
CFR § 160.103, 2008) Information is individually
identifiable if it specifically identifies the individual
or can reasonably be used to identify the individual
(45 CFR § 160.103, 2008). The standards
adopted under 42 CFR Part 2 are substantially
similar; however, they relate specifically to information
that establishes the “identity, diagnosis,
prognosis, or treatment of any patient which are
maintained in connection with the performance
of any drug abuse prevention function conducted,
regulated or directly or indirectly assisted by any
department or agency of the United States” [42
CFR § 2.1(a), 2008)].
It is important to note that while HIPAA does
establish standards for the privacy (45 CFR Part
164, Subpart E, 2008) and security (45 CFR Part
164, Subpart C, 2008) of individually identifiable
health information, this accountability is only one
purpose of the legislation and implementing rule.
HIPAA also allows for information to be responsibly
made portable. For instance, it is important
to remember that when an individual properly
authorizes the use or disclosure of their information,
HIPAA sets forth no roadblock to that use or
disclosure [45 CFR § 164.508(b),2008]. Covered
entities are also allowed to use protected health
information for their own treatment, payment and
operations and may disclose relevant information
to other covered entities that need the information
for these purposes [45 CFR § 164.506(c),
2008]. HIPAA also establishes standards that enable
information to be deidentified, effectively removing
the need for further compliance (45 CFR §
164.514, 2008). Finally, HIPAA sets forth limited
instances when covered entities can choose to use
or disclose protected health information without
an authorization. A full list of these exceptions
is found at 45 CFR § 164.512 and includes disclosures
required by law [45 CFR § 164.512(a), 2008];
to report abuse or neglect [45 CFR § 164.512(c),
2008]; under court order [45 CFR §164.512(e),
2008]; for law enforcement purposes [45 CFR 164
§164.512(f), 2008]; and for research [45 CFR 164
§164.512(i), 2008].
While HIPAA applies to most of the nation’s
health care providers, health plans and health
care clearinghouses, Part 2 applies to substance
abuse education, prevention, training, treatment,
rehabilitation and research programs that are assisted
by a department or agency of the United
States [42 CFR § 2.1(a),2008]. Indeed, there is a
great deal of overlap where HIPAA covered entities
also fall under the provisions of Part 2. Part 2
providers should therefore be aware that to comply
with both laws, the more stringent Part 2 will
often control.
Therefore, only disclosures allowed by both
Part 2 and HIPAA can be made from Part 2 covered
programs. A partial list of permitted disclosures
is located at 42 CFR § 2.12(c). These include
disclosures within the program [42 CFR §
2.12(c)(3), 2008], and the reporting of child abuse
[42 CFR § 2.12(c)(6), 2008]. Additionally, Part 2
allows disclosures with a valid consent [42 CFR §
2.33, 2008], for research [42 CFR § 2.52, 2008], in
a medical emergency [42 CFR § 2.51, 2008], for
audit and evaluation [42 CFR § 2.53, 2008], and
by court order [42 CFR § 2.61, 2008]. Disclosures
by court order are limited to specific circumstances
that must be set forth in the court’s order [42 CFR
§§ 2.63 through 2.67, 2008].
This article establishes only a basic overview of
the permissive disclosures established by HIPAA
and Part 2. It is important to know that both of
these regulations can be preempted by more stringent
state law(s) [42 CFR § 2.20, and 45 CFR §
160.203, 2008]. Because of the many intricacies
of these laws themselves and the potential state
overlay, covered entities are encouraged to have a
strong working relationship with their privacy experts
and legal counsel to ensure full compliance.
Travis Kirchhefer is an Assistant Attorney
General for the State of Wyoming.
REFERENCES
42 USC § 290dd-2 (2006)
42 USC § 1320(d) (2006)
42 CFR Part 2 (2008)
45 CFR Part 160 (2008)
45 CFR Part 164 (2008)
Legal Action Center (2006). Confidentiality and
Communication: A Guide to the Federal Drug and
Alcohol Confidentiality Law and HIPAA (6th ed.).
New York, NY: Legal Action Center of the City of
New York, Inc.
The Health Information Portability and Accountability
Act of 1996, Pub L. No. 104-191 (codified
at 42 USC § 1320(d), 42USC § 1395cc(a)(1), 42
USC § 242k(k) (2006)).
20 Wy o m i n g Nu r s e Re p o r t e r