Laws Rethink Mental/Behavioral Health and Substance Use Confidentiality
Understand regulations, so providers can structure services and share information with other providers without fear of violating laws.
By Steve Wong, JD, RHIA, CHC, CPCO, CCA, and Julia Weisner, JD
Healthcare providers are heavily regulated by federal and individual state laws governing the confidentiality of patients’ mental/behavioral health (MBH) and substance use disorder (SUD) information. The initial intent for these privacy-based regulations was to protect patients from maltreatment and stigma in healthcare and other areas based on their MBH and SUD diagnoses and treatments.
Over the past decade, there has been a growing counter sentiment that authorization requirements harm patients by perpetuating stigma and limiting opportunities for care coordination between treating providers. The federal government has passed separate legislation through the healthcare law, which promotes care coordination and data sharing to improve access, quality, and lower costs in the healthcare industry. The federal government has also encouraged the use of a National Practitioner Data Bank (NPDB) to track prescribing of controlled substances to protect patients from overdosing and to monitor providers who overprescribe.
Many states followed suit and similarly promote data sharing for care coordination and patient safety. The recent policy and cultural changes in healthcare have not resulted in formal changes to federal and state laws, however, and the contradiction has confused providers who are trained to redact any mention of MBH and SUD information. This lack of clarity limits system and provider-based efforts to improve care coordination due to fear of breaking these laws.
California, through its Medi-Cal program, has made strides in sharing data to provide a stronger safety net and track quality outcomes. The legislature has followed federal guidance in promoting the NPDB by creating a Controlled Substance Utilization Review and Evaluation System, which tracks prescribing of controlled substances.
Let’s look at the unique regulatory situation of healthcare privacy in California and discuss recent updates from industry experts sponsored by the state to help clarify areas of confusion affecting care. (Other states may have similar requirements: Consult with your healthcare counsel for specific advice.)
Federal Privacy Laws Impact
MBH and SUD Information Sharing
The principal federal laws governing MBH and SUD information sharing are HIPAA and 42 CFR Part 2 (Part 2). HIPAA created regulations mandating standards for privacy and security of protected health information (PHI) of patients. The law contains broad exceptions for sharing PHI for treatment, payment, or healthcare operations.
HIPAA does not distinguish between or create varying authorization requirements for different types of PHI, and is treated as a “floor” regulation, which permits individual states to promulgate more stringent requirements governing data sharing. One distinction addressed in HIPAA is for “psychotherapy notes.” Psychotherapy notes do not apply to data sharing as it only applies to personal notes made by a therapist maintained separately from the patient’s medical record and are never required to be shared with the patient.
Part 2 regulates sharing SUD information and, unlike HIPAA, does not contain the broad treatment, payment, or healthcare operations exceptions. Part 2, however, applies only to federally-assisted SUD treatment programs, defined as (42 CFR § 2.11):
… an individual, entity, or identified unit within a general medical facility that holds itself out to provide, and in fact provides, SUD diagnosis, treatment, or referral for treatment; or medical personnel or other staff in a general medical care facility whose primary function is the provision of SUD diagnosis, treatment, or referral for treatment and are identified as such providers.
Except under limited exceptions (such as in the event of a medical emergency, sharing with providers employed within the program, or with a statutorily defined Qualified Service Organization), the law prevents disclosure of substance use-related medical information to another provider where the patient has not given prior written authorization. There is no general exception for treatment purposes.
For the first time in 30 years, the U.S. Department of Health and Human Services (HHS) updated Part 2 to encourage information sharing while still promoting the privacy rights of patients. The Substance Abuse and Mental Health Administration (SAMHSA) jointly issued guidance stating:
… hospitals, trauma centers, or federally qualified health centers would generally not be subject to Part 2 limitations, unless a provider (1) works in an identified unit within such general medical care facility that holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment, or 2) the primary function of the provider is alcohol or drug abuse diagnosis, treatment or referral for treatment and they are identified as providers of such services.
With this guidance, providers can structure services that provide basic screening, treatment, and counseling and share this information with other providers at the facility without fear of violating the law. This clarification helps to facilitate needed integration of SUD treatment and prevention services into primary care settings, which improves coordination of care efforts among the care team and broadens access to services for patients.
California Laws Impact
MBH and SUD Information Sharing
The Lanterman-Petris Short (LPS) Act and the Confidentiality of Medical Information Act (CMIA) regulate sharing MBH information in California. CMIA protects the privacy of medical information by limiting healthcare provider, plan, and contractor disclosures, while the LPS limits information sharing with other entities to protect the privacy of patients involuntarily committed to certain facilities.
The LPS, enacted in 1972, was passed with the intention of ending inappropriate, indefinite, and involuntary commitment of patients with mental health disorders, development disabilities, and chronic alcoholism. The LPS also created privacy regulations that require patient authorization prior to disclosure of patient medical information to an individual outside of the facility without a medical or psychological responsibility for the patient’s care.
Note: There is great similarity between the authorization requirements for health information of the LPS and sharing mental health and substance use information under the CMIA. In both cases, the information cannot be shared outside the facility without prior patient authorization. The limitation only applies to those external to the facility, who do not have responsibility for the patient’s care, implying that information may be shared between treating providers within the same facility without individual patient authorization.
The CMIA reiterates similar protections for medical records as those created by HIPAA, allowing MBH information sharing by a mental and/or behavioral health provider to a physical health provider if the provider is not subject to LPS. Providers who are subject to LPS must have some medical or psychological responsibility for the patient to receive the MBH information without patient authorization.
The CMIA also created similar requirements for California-based providers regarding the exchange of SUD information as can be found in Part 2. Under these regulations:
… records maintained in connection with the performance of any alcohol and other drug treatment or prevention effort or function … may only be disclosed with prior written consent of the client and only disclosed for the purposes as clearly stated in the release of information.
The CMIA and Part 2 both also have similar exceptions which permit the sharing of SUD information to providers employed within the same organization without patient authorization. (Refer to 42 CFR § 2.12(c)(3)(i) and Cal Health & Safety Code § 11845.5(c)(1)) The similarity in these statutes could lead you to believe California intended to mirror the requirements of Part 2 within the state; however, the CMIA is not clear as to which entities it applies to, making it difficult for providers to comfortably handle SUD information. The language of Part 2 and recent guidance has clarified that the restrictions of Part 2 only apply to federally-assisted programs with SUD treatment services as defined within the law. The CMIA states, however, that it applies to entities which are regulated, or directly or indirectly assisted, by the California Department of Public Health. This definition includes any entity which is licensed by the department, including all primary care providers and other programs which do not provide SUD services as their primary service, and was likely not intended by the legislature (“Fine Print: Rules for Exchanging Behavioral Health Information in California,” page 7). This lack of clarity is confusing for providers coordinating care for patients with other specialty providers.
California Guidance on Sharing
MBH and SUD Information
Based on feedback from providers in the healthcare community, California officials and the California Health Care Foundation sponsored the California Office of Health Information Integrity (CalOHII) to examine state authorization requirements. This initiative was a targeted partnership with many stakeholders across the industry and was reviewed by lawyers and policy experts specializing in this area. The initiative resulted in a July 13, 2017 release of the State Health Information Guidance (SHIG) report.
SHIG states, “To provide effective treatment and coordinated care, a physical healthcare provider (and behavioral healthcare provider) need patient health information, such as substance use disorder treatment information or mental health information.” It clarifies that providers who are not limited by Part 2 and LPS may share records containing MBH and SUD information with a treating mental health or physical health provider outside of the healthcare organization for treating and diagnosing without the patient’s authorization. The SHIG even takes the strong stance that “intentionally not sharing behavioral health information that can be legally and ethically shared to benefit the patient is strongly discouraged.” This statement shows value in patient care coordination over more conservative patient privacy concerns. The CalOHII relies on policy reasons when rendering this guidance, such as:
- Coordinating care;
- Preventing information blocking;
- Improving patient access to care; and
- The patient’s right to be informed.
Moving in the Right Direction
Guidance from federal regulators regarding Part 2 and from CalOHII recognizes the need for sharing MBH and SUD information to improve care coordination and overall care quality for patients. The process of amending a longstanding regulation, which typically includes many unrelated provisions, may prove to be too burdensome, such that they remain in place regardless of their applicability to current industry trends and policy. Guidance from these entities serves the same purpose and often more directly addresses specific, confusing areas for practitioners who must carry out the rules. The guidance moves the process in the right direction for permitting data sharing such that patients benefit and providers have additional confidence.
Data security and information privacy standards remain through HIPAA and state regulations, such as the CMIA, which require information to be shared only for specified reasons and that patients are informed on how, when, and why their information is shared. Regulators have now and will likely continue to shift their focus in developing new data security laws in response to cyber-security threats, such as phishing and ransomware attacks, aimed at obtaining patient data.
Disclaimer: The content herein presented is for informational purposes only and is not intended to convey, nor should it be taken as, legal advice.
42 CFR Part 2, 1 to 49, §2.3(b)(2).
“Outdated Privacy Law Limits Effective Substance Use Disorder Treatment: The Case Against 42 CFR Part 2,” Wakeman, S. and Friedmann, P.; Health Affairs Blog, March 1, 2017.
Patient Protection and Affordable Care Act, 42 U.S.C. § 18001 (2010).
42 U.S.C. Sec. 1101.
45 CFR. Parts 160 and 164 (HIPAA Privacy and Security Rules).
45 CFR 164.506.
45 CFR § 164.501.
42 CFR § 2.11.
California HealthCare Foundation, “Fine Print: Rules for Exchanging Behavioral Health Information in California,” July 2015, page 5: www.chcf.org/~/media/MEDIA%20LIBRARY%20Files/PDF/PDF%20F/PDF%20FinePrintExchangingBehavioral.pdf.
HHS, SAMHSA, Applying the Substance Abuse Confidentiality Regulations, Frequently Asked Questions (FAQs), Question 10, August 9, 2016: www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.
Ca. Civ. Code §§ 56-56.16.
WIC § 5001(a).
Cal. Wel. & Institutions Code § 5328(a).
Cal Health & Safety Code § 11845(a), (b) & (c).
SHIG, CalOHII, Guidance to Help Promote Sharing of Patient Health Information at:
Steve Wong, JD, RHIA, CHC, CPCO, CCA, is a compliance officer at the Community Health Center Network in San Leandro, Calif., in charge of privacy and regulatory compliance. He is a member of the California bar and has over 20 years’ experience as an attorney in government, corporate, and private practice. Wong is a member of the Orange, Calif., local chapter.
Julia Weisner, JD, received her Juris Doctorate from UC Hastings, College of the Law, with a concentration in Law and Health Sciences, and is a member of the California Bar. She specializes in healthcare regulatory compliance, privacy law, Medicare and Medicaid reimbursement, and organization risk management. Weisner works at LifeLong Medical Care, a federally qualified health center in Northern California, as health center counsel and compliance director.