The history of protecting patients’ medical records and confidentiality
In 1975 Congress became concerned about the confidentiality of patient records concerning alcohol and drug abuse and instituted regulatory safeguards. Congress’s initial legislation, the Public Health Service Act, attempted to ensure that a patient receiving treatment for a substance use disorder is not made more vulnerable than an individual with a substance use disorder who does not seek treatment, by separating substance abuse records from our health records and requiring a separate written consent from the patient to access them. While the regulation has been amended over time (most extensively in 1987) to enhance confidentiality, the use of electronic medical records, the increasing use of performance metrics and the pressing need for coordinated care have made the current safeguards a barrier to providing care for patients and guiding policy.
H.R. 3545, the Overdose Prevention and Patient Safety Act, amends these regulations and is being considered by the House Energy and Commerce Subcommittee on Health. The proposed changes clarify the definitions used in the current protections, alter the written consent process and further extend the protection of patient confidentiality in criminal proceedings. [1]
So what is new?
Language Clarification
The clarification of language involves the definitions of ‘treatment,’ ‘payment,’ ‘health care operations’ and ‘protected health information’ to be consistent with the most current legal meaning of these terms.
Consent for information disclosure and re-disclosure
Patients always have the right to share their health information; substance abuse is a subset of ‘protected health information,’ the legal term for our health records. The current regulations require that a written consent be signed by the patient for each individual or institution that is allowed to share a substance abuse health record. This makes care coordination difficult when multiple individuals (e.g., physicians and social workers) or institutions (e.g., a health system and rehabilitation facility) are involved, which is often the case. This process is made more difficult because re-disclosure (say, the physician sharing the information with the social worker who has not been authorized to see the data) is explicitly prohibited.
The current legislation changes the consent process so that one consent is sufficient for “all treating providers.” It also modifies the “amount and kind of information” that can be shared, permitting a default of “all substance abuse disorder records” rather than requiring an itemized list. Both measures reduce the paperwork burdens of coordinating care and can be readily documented in electronic health records. The new regulations attempt to preserve patient autonomy by giving the patient the option of not applying the default of all providers and all information. Instead, they may choose to see a list of “all treating providers” and make changes, and to choose which specific information to share rather than the entire record.
Re-disclosure, the sharing of information by one authorized “provider” with an unauthorized provider, is more explicitly delineated: these regulations apply only to information that would lead to the identification of a patient’s substance abuse information. Health information, like diabetes and hypertension, can be shared under the already applicable HIPAA rules. Cirrhosis, which may be a result of alcoholism, cannot be re-disclosed.
One additional distinction is that disclosure of substance abuse records may be revoked verbally and does not require the additional written revocation needed for HIPAA records. Information where there is a “duty to warn,” e.g., child abuse/neglect or crimes or threats to “program property or staff,” is exempt from both HIPAA and the current and new substance abuse records legislation.
Exceptions to the disclosure process
The current regulations identify three exceptions when the information can be accessed without written patient consent:
- To medical personnel to the extent necessary to meet a bona fide medical emergency
- To qualified individuals for research, program evaluation and management and financial audits. These types of reports deal with aggregates, and individual patient information may not be disclosed.
- If authorized by appropriate court order for good cause, that “shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services.” The court will further determine what is disclosed and protect from unauthorized disclosure.
Most importantly, except for that appropriate court order, these records cannot be used to “initiate or substantiate any criminal charges” or investigations of the patient.
The Overdose Prevention and Patient Safety Act extends, or more appropriately, explicitly clarifies this protection against criminal charges and investigations. First, it prohibits medical and qualified personnel from disclosing individual patient information to initiate or substantiate criminal charges without an appropriate court order. Second, any use of these records in an unauthorized way will result in their exclusion from criminal proceedings and in automatic dismissal of those proceedings.
Breach Notification
HIPAA defines a breach of an individual’s personal health information (PHI) as “unauthorized acquisition, access, use or disclosure of PHI” and requires that it be reported, and the patient(s) notified. The regulations regarding substance abuse records have no requirement to report or inform.
The Pros
- “Separation of a patient’s addiction record from the rest of that person’s medical record creates several problems and hinders patients from receiving safe, effective, high quality substance use treatment and coordinated care.” [2]
- Aligns regulatory language with the Health Insurance Portability and Accountability Act (HIPAA), which regulates the sharing of the rest of our health records.
The Cons
- The current regulations, which require separate consents and explicit delineation of the information to be shared “…upholds the autonomy and dignity of the patient by allowing the person with the substance use condition to decide who gets to get their information. We cannot integrate care by excluding the patient from the ability to make choices about what happens to their information. This is paternalistic and misguided.” [3]
- The ruling on re-disclosure of information is clinically vague. To use the earlier example, cirrhosis is a disease that should be disclosed, just like diabetes or high blood pressure; that it comes about because of drinking or from a viral infection does not change its value in making appropriate medical decisions.
- The integrity of electronic medical records can be compromised, and the absence of regulation regarding reporting of these breaches and notification to patients is inconsistent with patient autonomy, transparency and the rules applicable to the rest of the health record.
The bottom line
My experience in obtaining consents is that the real informed consent occurs in the conversation, that patients rarely read the forms. Ask yourself, when was the last time you read the Terms of Use for an app or the Warranty on a purchase? I think the proposed changes are an improvement in the care of patients. I would like there to be more safeguards concerning notification and reporting. I think, given the current concerns about Facebook and data privacy, that many would agree with the need for explicit, delineated responsibility. [4] That said, it is an improvement that will facilitate and improve care while still maintaining patient autonomy and confidentiality.
[1] Criminal proceedings are only a portion of the concerns; unauthorized re-disclosure could impact a patient’s employment, child custody, and housing.
[2] Letter from a coalition of healthcare stakeholders in support of the amendment.
[3] Faces and Voices of Recovery, a patient advocacy group
[4] Current HIPAA data breach penalties
| Category/Tier | Description of Violation | Financial Penalty | Criminal Penalty |
|---|---|---|---|
| 1 | A violation that the covered entity was unaware of and could not have realistically avoided | Minimum fine of $100 per violation up to $50,000 | |
| 2 | A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care | Minimum fine of $1,000 per violation up to $50,000 | |
| 3 | | Minimum fine of $10,000 per violation up to $50,000 | |
| 4 | | Minimum fine of $50,000 per violation | |
| 1 | Reasonable cause or no knowledge of violation | | Up to 1 year in jail |
| 2 | Obtaining PHI under false pretenses | | Up to 5 years in jail |
| 3 | Obtaining PHI for personal gain or with malicious intent | | Up to 10 years in jail |