Category: Behavioral Health/Substance Abuse

Overlapping Regulations for Confidentiality Regarding Substance Abuse Treatment

Our starting point is that privacy and confidentiality are important in any type of treatment but in connection with substance abuse and addiction treatment, there is a need for some enhanced protections. The United States Court of Appeals for the First Circuit has stated that “[t]he express purpose” of federal initiatives in this area was “to encourage patients to seek treatment for substance abuse without fear that by so doing their privacy will be compromised.” United States v. Cresta, 825 F.2d 538, 551-52 (1st Cir. 1987).  The collateral stigmas for an individual and the family are of such great concern that they can be obstacles to even seeking treatment. Reputations are at risk for having the disease and jobs or work opportunities may be jeopardized. Family members will be embarrassed. Federal regulations involving the HIPAA Privacy Rule and special provisions for substance abuse treatment programs recognize these concerns. While there have been efforts to align these two regulatory systems, it is important to recognize that these regulations intersect, overlap, and sometime supersede each other. In addition, state licensing or regulatory provisions may have stricter requirements or may, as in New Jersey (N.J.A.C. 10:161B-3.6(b)(5)), incorporate the Federal standards.

HIPAA is the first body of regulations concerning medical privacy that comes to mind for most persons. But historically speaking, it is not. The Health Insurance Portability and Accountability Act (HIPAA), 42 USC §1320d, enacted in 1996 directed the Secretary of Health and Human Services and the Attorney General to develop guidelines that “appropriately protect the confidentiality of the information and the privacy of individuals receiving health care services.”  This eventually led to the release of the Privacy Rule in 2002 with an April 13, 2003 effective date and codification at 45 CFR Parts 160 and 164. In contrast, the restrictions on disclosures concerning substance abuse treatment have their origins in the 1970 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act and the 1972 Drug Abuse and Prevention, Treatment and Rehabilitation Act with implementing regulations issued by the then Department of Health, Education and Welfare in 1975 with various revisions and supplements. The pertinent statute is 42 USC §290dd-2 with regulations now codified at 42 CFR Part 2.

As with the HIPAA regulations, there have been some recent amendments to the 42 CFR Part 2 regulations. 82 Fed.Reg. 6052 (Jan. 18, 2017). The most recent update was to go into effect as of February 17, 2017 but was delayed to March 21, 2017 by virtue of the 60-day regulatory freeze issued by the Trump Administration on January 20. The amendments were intended to make the Part 2 regulations more consistent with HIPAA. Differences persist with the potential for resulting confusion.

Here is one starkly clear reality: violation of the substance abuse treatment restrictions is a federal crime with a fine to be imposed pursuant to Title 18 of the United States Code.  42 USC §290dd-2(f). While both sets of regulations cover similar material, there are points of difference. But a reasonably valid heuristic in choosing between HIPAA and Part 2, with a slight refinement, is: Whichever standard is stricter — usually 42 CFR Part 2 — and provides the greater privacy protection should be applied.

Here is the refinement to that problem-solving heuristic. While HIPAA covers the health care industry broadly, the provisions of 42 CFR Part 2 only apply to “federally assisted” drug and alcohol “programs.” These are defined terms in 42 CFR 2.11. Thus, the records of a primary care physician who is not held out as providing alcohol or drug abuse treatment is not covered. The special confidentiality provisions would not apply to a hospital except to an identified unit that has a “primary function” of providing substance abuse diagnosis, treatment or referral. Similarly, the rules would not apply to an emergency room. See generally Center for Legal Advocacy v. Earnest, 320 F.3d 1107 (10th Cir. 2003); United States v. Zamora, 408 F.Supp.2d 295 (S.D. Tex. 2006). The applicability of Part 2 requires not only a “program” as defined in the regulation but also that the program be “federally assisted.” Federal funding is, of course, endemic in health care and the definition in 42 CFR 2.12(b) is consistent with that reality but being “federally assisted” must be confirmed.

The basic HIPAA rule of thumb is that except in connection with disclosures to the individual whose health information is at issue or to HHS or its Office of Civil Rights enforcement arm, a covered entity should not make any use or disclosure without a patient’s authorization unless permitted by the Privacy Rule. However, in addition to the broad approval for use or disclosure for treatment, payment or operations (TPO) without patient authorization, there are quite a few permissive disclosures without patient authorization set forth in 45 CFR 164.512 including such circumstances as public health activities and oversight, judicial and administrative proceedings, law enforcement purposes, and reporting crimes. The Part 2 regulations on the other hand are much stricter and more limited than what is allowed under HIPAA. Disclosures without a patient’s consent are allowed in the following circumstances:

  • Communications among program personnel
  • Communications between a program and a Qualified Service Organization
  • Crimes on program premises or against program personnel but without an exception for the duty to warn others unless the threatened violence is against program personnel.
  • Reports of suspected child abuse and neglect limited to making the initial report with any disclosure for subsequent investigation not permitted in the absence of a court order or signed authorization.
  • Medical emergencies involving an immediate threat to the health of the patient requiring immediate medical intervention.
  • Scientific research
  • Audits and evaluation activities
  • Court order, which must comply with special requirements set forth in the regulations.

Moreover, in the absence of consent or the special court order, the regulations in 42 CFR  2.13(c) prohibit a substance abuse treatment facility from even acknowledging that a particular individual is a patient.

Another instance of a stricter standard in Part 2 can be found in connection with a consented-to disclosure. 42 CFR 2.31 requires written voluntary consent. A verbal consent is inadequate. The consent document must contain ten elements specified in the regulation. Furthermore, under the provisions of the HIPAA Privacy Rule found at 45 CFR 164.508(c)(2) information that is disclosed pursuant to an authorization has the potential for being re-disclosed and no longer subject to HIPAA privacy protection. In contrast, an authorized disclosure under Part 2 must be accompanied by an explicit statement that further disclosure of information that identifies a patient as having or being treated for a substance use disorder is prohibited. 42 CFR 2.32(a).

HIPAA covers “protected health information” (PHI) and “individually identifiable health information” (IIHI). The Part 2 regulations speak in terms of “records” which term is defined in 42 CFR 2.11 as “any information” whether recorded or not, created by, received, or acquired by a Part 2 program relating to a patient whether involving diagnosis, treatment, referral for treatment, billing, emails, voice mails, and texts. For the purpose of the regulations “records” include both paper and electronic records.

Both HIPAA and Part 2 address disclosures in connection with judicial proceedings and various law enforcement activities. Although there are few judicial decisions concerning 42 CFR Part 2, there is a lucid and helpful discussion by the Connecticut Superior Court in Briggs v. Winter, 2014 Conn. Super. LEXIS 1292, 2014 WL 2922643, of these “two discrete but complementary federal statutory schemes” in the civil context. The HIPAA approaches of “satisfactory assurances” concerning civil subpoenas and the effectiveness of grand jury subpoenas without a court order are inadequate for substance abuse records. The statutory standard found in 42 USC §290dd-2 requires a showing of “good cause.” The Part 2 regulations more specifically set forth separate requirements for what constitutes “good cause” as to the court orders to be issued in connection with disclosures for noncriminal purposes such as civil law suits and those for criminal investigations and prosecutions of patients as well as for investigations or prosecutions of Part 2 programs or employees including the use of undercover agents. Under 42 CFR 2.64, the criteria for entry of an order authorizing disclosure for a noncriminal matter require a finding of “good cause” with determinations (1) that other ways of obtaining the information are not available or would not be effective and (2) that the public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services. In connection with disclosures for criminal matters, the criteria in 42 CFR 2.65 are more extensive and “all” must be met. The threshold is that the crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect. Next, there must be a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution along with a demonstration that other ways of obtaining the information are not available or would not be effective. As part of the evaluation, the court must determine that the potential injury to the patient, to the physician-patient relationship and to the ability of the Part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure. Lastly, if the applicant is a law enforcement agency or official, the person holding the records has been afforded the opportunity to be represented by independent counsel; and any person holding the records which is an entity within federal, state, or local government has in fact been represented by counsel independent of the applicant.

In connection with any contemplated disclosure, there are several questions to be posed which include at least the following. Can or should patient authorization be obtained? Is there an exception for disclosure without patient authorization? Is the recipient to whom the disclosure is to be made pursuant to an exception authorized under the regulations to receive the information?

American society has long placed significant value on a private sphere protected from intrusion. In addition, bioethical principles of nonmalefience — the doing of no harm — and respect for persons call for safeguarding personal privacy and placing importance on individual autonomy. In follow-up at another time or in another place, musings on whether or not privacy and confidentiality really exist in this era might be appropriate.

New Jersey Bill Limits Exchange of Information between Insurers and Behavioral Health Providers

On November 21, 2016, Senator, Robert M. Gordon, proposed Senate Bill No. 2805 which is intended to limit the scope of information which can be exchanged between behavioral health providers and insurance carriers. Following recent testimony earlier this month on the bill, it passed the Senate Subcommittee on Commerce and appears primed to makes it way before the full Senate and Assembly in the near future.

The bill specifically prohibits a behavioral health provider from providing, and insurance carriers from requesting, any information regarding a behavioral health patient except the following:

  1. the patient’s name, age, sex, address, educational status, identifying number with in the insurance program, date of onset of difficulty, date of initial consultation, dates of sessions, whether the sessions are individual or group sessions and fees;
  2. diagnostic information defined as therapeutic characterizations of the type found in the current version of the Diagnostic and Statistical Manual of Mental Disorders or in another professionally recognized diagnostic manual;
  3. status of the patient as voluntary or involuntary and inpatient or outpatient;
  4. the reason for continuing behavioral health care services, limited to an assessment of the patient’s current level of functioning and level of stress, to be describes only as “none,” “mild,” “moderate,” “severe,” or “extreme;” and
  5. prognosis, limited to an estimate of the minimal time during which treatment might continue.

In the statement proposing the Bill, Senator Gordon stated that “in certain circumstances health insurance carriers have requested, as part of utilization management, information from mental health care providers that the providers are prohibited from disclosing pursuant to the rules and regulations of the providers professional licensure.” The statement did not identify the specific information that has been requested but went on to explain that the Bill is intended to reconcile that conflict by clearly limiting the information that is permitted to be shared between those parties.

On June 1, 2017, the New Jersey Senate Subcommittee on Commerce took testimony from several individuals in favor of the Bill.  Several other individuals had submitted statements in favor of the Bill with only one individual submitting opposition to the proposed Bill.   The individual opposing the Bill did not testify before the subcommittee.

The subcommittee unanimously voted in favor of the Bill.  The only concern was raised by Senator Cardinale who indicated the Bill did not provide any penalty for insurers who request information beyond the scope of that permitted by the Bill.  He suggested that he would speak to Senator Gordon about adding a provision related to same.

It appears this Bill has a great deal of momentum behind it.  Absent additional revisions to the Bill based on Senator Cardinale’s concerns, it will likely go before the full Senate and Assembly in the near future and eventually be presented to the Governor.

Governor Christie Signs Bill Aimed at Combating Opioid Abuse

On February 15, 2017 Governor Christie signed into law P.L. 2017, c. 28, Senate No. 3 designed to curb the ongoing opioid abuse epidemic facing the State of New Jersey.  The scope of the overwhelming opioid epidemic facing the State was demonstrated by the bipartisan support the bill received.  Indeed, the bill passed with virtually no opposition, passing with a Senate vote of 33-0 and an Assembly vote of 64-1 with 5 abstentions.

The bill takes a multipronged approach to combating the ongoing opioid crisis by: (1) requiring insurance companies to provide coverage for both inpatient and outpatient substance abuse treatment; (2) limiting the amounts of opioid medications practitioners can prescribe; and (3) imposing additional continuing education requirements on the medical community.

In regard to insurance coverage, the bill requires insurers to provide 180 days per plan year of inpatient and outpatient treatment of substance abuse disorders when determined to be medically necessary by the patient’s physician, psychologist or psychiatrist without the need for any prior authorization.  The bill further prohibits any retrospective or concurrent review of medical necessity for the first 28 days of inpatient or intensive outpatient substance abuse treatment.

Thereafter, inpatient treatment may be subject to concurrent review which cannot be initiated more frequently than two week intervals.  However, the law provides the patient with both internal and external review processes on an expedited basis if the insurer’s review determines treatment is no longer medically necessary.  Moreover, even if the insurer’s determination is upheld on appeal, the patient cannot be discharged until after all appeal rights have been exhausted and the insurer must provide benefits through the date following the final determination.

Conversely, outpatient treatment after the initial 28 days may be subject to retroactive review of medical necessity by the insurer.  Nevertheless, it is not until the first 180 days of either inpatient or outpatient substance abuse treatment has passed that further treatment can be subject to preauthorization by the insurer.

The bill further limits initial prescriptions of opioid medications to a five day supply which shall be for the lowest effective dose of the immediate-release opioid medication.  Prior to issuing an initial prescription a practitioner is required to: (1) take and document a thorough medical history, including the patient’s past experience with non-opioid medication and pain management techniques, and the patient’s substance abuse history; (2) conduct and document a physical examination of the patient; (3) develop a treatment plan focused on determining the cause of the patient’s pain; and (4) access relevant information from the Prescription Monitoring Program.

Four days after the issuance of an initial opioid prescription, a practitioner may issue a subsequent prescription for up to a thirty day supply. However, such prescriptions may be written only if: (1) the patient’s prior prescription for the opioid drug was given within the last year; (2) the practitioner determines the subsequent prescription is necessary and appropriate to the patient’s treatment needs and documents his or her rationale for that determination; and (3) the practitioner determines and documents that the subsequent prescription does not present an undue risk of abuse, addiction or diversion.

Moreover, if a third prescription for opioid medication is given the practitioner must enter into a “pain management agreement” with the patient.  The “pain management agreement” is a written contract executed between practitioner and patient which is designed to: (1) prevent the development of physical or psychological dependence; (2) document both the practitioner’s and patient’s understanding of the pain management plan; (3) establish the patient’s rights in regard to treatment  and obligations associated with the use and storage of opioid medications; (4) identify the specific medications and other modes of treatment that are included in the pain management plan; (5) specify the measurers the practitioner may employ to ensure the patient’s compliance, including random specimen screens and pill counts; and (6) establish the process for terminating the agreement, and consequences if the practitioner has reason to believe the patient is not complying with the agreement.

Furthermore, the bill attempts to ensure that patients taking these medications are doing so with informed consent.  To do so, prior to issuing the first and third prescriptions of an opioid drug a practitioner is required to discuss with the patient, or the patient’s parent or guardian if under 18 years of age, the risks associated with the drugs being prescribed.  This discussion must include, but is not limited to: (1) the reasons the prescription is necessary; (2) alternative treatments that may be available; and (3) the risks of addiction and overdoes associated with the drugs being prescribed, including that: (i) opioids are highly addictive, even when taken as prescribed; (ii) that there is a risk of developing physical of psychological dependence on the drug; and (iii) that taking more opioids than prescribed, or mixing opioids with alcohol, sedatives or benzodiazepines can result in fatal respiratory depression.  A record of these discussions must be documented in the patient’s chart.

There are additional requirements on practitioners treating patients requiring long term treatment, exceeding three months, from opioid medications.  Under those circumstances, the practitioner must: (1) at a minimum of every three months, review and document the course of treatment, any new information regarding the source of the pain and the patient’s progress toward treatment objectives; (2) determine and document whether the patient is experiencing problems associated with physical and psychological dependence prior to each prescription renewal; (3) periodically make and document reasonable efforts, unless clinically contraindicated, to stop the use of opioid medications by attempting other medications or treatments to reduce the potential for abuse or dependency; (4) review Prescription Drug Monitoring information; and (5) monitor compliance with the pain management agreement.

Finally, the bill adds additional continuing education requirements on practitioners.  Specifically, to meet their continuing education requirements practitioners are now required to complete at least one credit per compliance period of educational programs on topics or issues concerning prescription of opioid medications including responsible prescribing, alternatives for managing and treating pain and the risks and signs of opioid abuse, addiction and diversion.  These continuing education requirements apply to physicians, physician assistants, nurses, advanced practice nurses, optometrists, dentists and pharmacists.

The new bill is a significant attempt to curb the opioid epidemic facing New Jersey.  While it remains to be seen how effective these attempts will be, if success is shown, given Governor’s Christie’s recent appointment by President Trump as the chairman to the White House’s commission to combat America’s opioid problem, this bill may form the basis for federal attempts to combat this nationwide epidemic.