A. Federal Privacy Law

The two key federal privacy regulations that relate to health information are 42 CFR, Part 2 and the Health Insurance Portability and Accountability Act (HIPAA). These two sets of rules apply nationally and set the floor for privacy protection for health information. In addition to understanding federal laws, you will need to consult state and local laws governing the health, mental health, and substance use information in the jurisdiction where you are working, as these laws apply if they are more stringent than the federal regulations.

42 CFR, Part 2

What is the purpose of 42 CFR Part 2?

42 CFR, Part 2 (commonly referred to as “Part 2”) is part of the implementing regulations of The Federal Confidentiality of Alcohol and Drug Abuse Patient Records Law. Part 2 protects the confidentiality of people who seek or obtain treatment for substance use, requiring individual consent to share health records related to drug or alcohol treatment in most cases. The purpose of Part 2 is to assure consumers that any information that could identify them as someone seeking or receiving treatment for substance use will be kept private. This confidentiality is necessary to promote a level of trust between treatment providers and their clients, to ensure that patients feel secure in seeking treatment, and to shield them from negative consequences that can occur if substance use status is disclosed.

You need to be sure that any disclosure of information about a person’s substance use treatment needs complies with the requirements of Part 2 and is consistent with the regulation’s core values.

Core Values

  • Requires specific consent: With certain conditions and exceptions, Part 2 prohibits the disclosure and use of substance use treatment records without a person’s specific consent. It is stricter than HIPAA in that it does not have an explicit treatment exception that allows care providers to share information without consent when the purpose is to coordinate treatment.
  • Applies to most providers: Part 2 applies to substance use treatment programs that receive any form of federal assistance (for instance, grant funding, Medicaid).
  • Applies to identifiable information: These regulations apply broadly to any information that can be used to identify an individual as someone seeking or receiving care for substance use.
  • Has limited exceptions to consent requirement: Part 2 defines limited circumstances where disclosures can be made without consent, including medical emergencies, research, and audits or evaluations.
  • Sets a floor: Similar to HIPAA, Part 2 sets a federal privacy floor, meaning it preempts state laws that are less protective of substance use information privacy but preserves provisions of state law that are more stringent. For a more detailed summary of the requirements of 42 CFR, Part 2 and how it applies to the criminal justice system, click here.

The Health Insurance Portability and Accountability Act (HIPAA)

What is the purpose of HIPAA?

HIPAA aims to improve the delivery of healthcare by setting standards for the transmission of personal health information. The regulations strike a balance between individual privacy and the need for medical professionals, treatment providers, and others to exchange information on the treatment needs of their patients and clients.

Misconceptions about HIPAA

HIPAA is not an insurmountable barrier to justice-health information sharing. However, a general lack of understanding of the requirements of HIPAA and fear of violating privacy regulations can act as obstacles to effective interagency collaboration. The following two resources debunk many of the misconceptions about HIPAA that prevent agencies from sharing information and working together.

  1. Dispelling Myths About Information Sharing Between the Mental Health and Criminal Justice Systems, by John Petrila
  2. Confidentiality and Privacy in HHS: Myth v. Reality, by Amy Lipton

The Basics of HIPAA

HIPAA has two main components. The Privacy Rule governs all health information regardless of how it is stored or transmitted. It is the most relevant to answering such questions as when consent is required before sharing information. The Security Rule only applies to electronic health information, describing a series of standards and policies designed to ensure information security.

Click here for a summary of the Privacy Rule relevant to criminal justice agencies.

The Privacy Rule

  • Protects all individually identifiable, personal health information: The Privacy Rule sets national standards for the privacy and security of personal health information (PHI) that is created, maintained, or used by a covered entity or its business associates.
  • Often requires authorization prior to release of health information: HIPAA’s Privacy Rule defines when covered entities or business associates must obtain informed consent (“authorization”) before they can release health information.
  • Defines exceptions to authorization requirements: The Privacy Rule allows covered entities to share health information without an individual’s consent in a number of situations, including: to coordinate treatment or payment for treatment, to conduct public health activities, to comply with a judicial order, to assist a limited set of law enforcement investigations, and to prevent a serious threat to health or safety.
  • Psychotherapy notes: To protect the patient-clinician relationship, HIPAA’s exception that allows sharing information to coordinate treatment does not apply to psychotherapy notes.
  • Creates a privacy floor: This means that state law will apply where it is more stringent than HIPAA. For a more detailed explanation of the Privacy Rule, click here.

The Security Rule

  • Applies to electronically shared information: Establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form (“electronic protected health information,” or e-PHI). If your information exchange involves electronic transmission of health information, then you will also need to consult the Security Rule.
  • Safeguarding electronic health information: The Security Rule requires covered entities to put in place various administrative, physical, and technical safeguards when transmitting e-PHI. For example, it requires them to perform a risk analysis to assess risks of disclosure and to document the process in place for securing this information. It also requires them to implement technical policies and procedures that ensure only authorized persons have access to e-PHI.
  • Creates a privacy floor: This means that state law will apply where it is more stringent than HIPAA. For a more detailed summary of the Security Rule, click here.

Additional Resources:

  1. Health Information Privacy in the Correctional Environment
  2. The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs
  3. Information Sharing in Criminal Justice-Mental Health Collaborations: Working with HIPAA and Other Privacy Laws
  4. FAQ – Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE)
  5. Constraints on Sharing Mental Health and Substance-Use Treatment Information Imposed by Federal and State Medical Records Privacy Laws