The 42 CFR Part 2 and NHIN conundrum
Former President George W. Bush enacted Executive Order 13335 calling for the creation of a Nationwide Health Information Network (NHIN), which will provide electronic information sharing among healthcare providers. The goal is seamless and secure information movement between networks, resulting in a single infrastructure for sharing electronic health information. All of this was once considered far reaching and somewhat unattainable, especially for addiction treatment providers.
Health information exchanges (HIEs) and regional health information organizations (RHIOs) are forming NHIN's backbone. Interoperability standards for electronic information exchange are under development. Yet the addiction treatment and behavioral healthcare fields are just beginning to review, discuss, and debate the effect of interoperable systems for electronic health record (EHR) exchange.
Evolving health information technology (HIT) is dragging healthcare providers into a world in which confidentiality rules, designed when patient records were maintained almost universally in paper charts, either do not apply or are in serious practical conflict with electronic information exchange. Thus, the free movement of electronic health information collides with privacy and security rules when interoperable electronic information exchange systems are required to comply with patient confidentiality standards. This collision profoundly impacts addiction treatment providers, who function under the most restrictive confidentiality constraints.
The HIPAA regulations protecting medical records, even psychiatric records, are not as restrictive as the regulations under laws that protect addiction treatment records. The need for special addiction treatment confidentiality rules is rooted in the stigma associated with alcohol/drug dependence and treatment. Addiction is chronic and progressive, often ending in death if untreated. Addiction often is viewed as a mark of shame or discredit. Such stigma interferes with alcohol/drug-dependent persons' willingness to seek treatment. Addicted persons, even in recovery, often are denied jobs or insurance coverage.
The need to address this stigma is so powerful that Congress extended legal protection to addiction treatment records through confidentiality laws enacted in the 1970s. These laws and the resulting regulations, now referred to as 42 CFR Part 2, protect the confidentiality of information about persons receiving alcohol/drug prevention and treatment services. Violating these federal confidentiality laws may lead to administrative, civil, or criminal sanctions.
These laws make sure that an alcohol/drug abuse patient is not made more vulnerable through the availability of his/her patient record than an individual who has an alcohol/drug problem and does not seek treatment. This is a critical concept. If seeking treatment makes an individual increasingly vulnerable to discrimination, then it is logical to conclude that fewer people suffering from addiction will seek treatment.
Regulations under 42 CFR Part 2 prohibit unauthorized disclosure of addiction patients' health records. These regulations apply to law enforcement or other officials, even with a subpoena. Indeed, covered programs are compelled to resist information disclosure even when presented with a subpoena. Disclosing even the presence of a patient at a facility or unit identified as a place where only alcohol/drug services are provided requires the patient's written authorization. A payer or funding source that maintains records of recipients of alcohol/drug treatment is subject to 42 CFR Part 2, as well.
When records are released, the regulations require a statement prohibiting redisclosure. If the entity receiving the disclosure wishes to redisclose the information, the entity also must comply with the regulatory requirements. Generally this would result in the receiving entity obtaining another properly executed release of information from the patient. Additionally, the regulations further limit permitted disclosures to the minimum information necessary to carry out the purpose of the disclosure.
Yet the evolving NHIN requires the exchange of electronic health information, and for all practical purposes 42 CFR Part 2 severely prohibits releasing such information. These are the colliding interests. Under 42 CFR Part 2 a covered program is required to obtain a properly executed release of information before disclosing addiction treatment records. There is no language in the regulations that permits an exception to this requirement for an HIE or RHIO. When an HIE or RHIO receives disclosed information about an addictions treatment patient, the HIE or RHIO would assume the disclosing covered program did so legally under the auspices of a properly executed release of information. The release of information used by the covered program does not permit the HIE or RHIO to further disclose the information. To function legally under 42 CFR Part 2, the HIE or RHIO must obtain its own properly executed release of information from the patient and must obtain a new release from the patient each and every time information is disclosed to a different party. It seems clear there is no practical way to facilitate the purpose of an HIE or RHIO under this requirement.
Even if some clever electronic security method restricted the identity of a patient's addiction treatment provider, the treatment provided (e.g., withdrawal protocols and certain medications) is still a likely giveaway that the patient received addiction treatment. 42 CFR Part 2 prohibits disclosing information that could lead to the identity of an addiction treatment patient even if his/her identity is not directly disclosed.
In summary, if a patient wishes to release records to an HIE or RHIO, he/she would have to execute a proper release before the addiction treatment provider could disclose the records. Once they were disclosed to the HIE or RHIO, 42 CFR Part 2 additionally constrains the HIE or RHIO from further releasing the records without another properly executed release, effectively rendering the HIE's or RHIO's purpose useless.
Efforts are under way to address this conflict. For example, in New York State there is a plan to manage privacy and security according to 42 CFR Part 2. The plan's elements include:
Providers will have a choice to upload information to the RHIO.
Patients will be required to sign an advanced affirmative consent to allow providers to share their information with the RHIO.
Patients will determine whether all or none of their information goes to the RHIO, and which providers may see the information.
The RHIO will need to execute a similar release with a patient should it warrant a redisclosure of information.
These plan elements may or may not meet 42 CFR Part 2's legal requirements, so the assessment continues. A comprehensive view of the consent process can be found within Recommendations for Standardized Consumer Consent Policies and Procedures for RHIOs in New York to Advance Interoperable Health Information Exchange to Improve Care at https://www.nyehealth.org/files/File_Repository16/pdf/Consent_White_Paper_20081125.pdf. Of particular note is the clear disclaimer that the information will include sensitive data that in many cases is not shared today. Clearly, the electronic revolution is raising new concerns about confidentiality laws that have not been updated to reflect this new reality, and the only way for the promise of full information sharing to be realized may be for laws like 42 CFR Part 2 to be updated.
The national challenge to automate health records has been under way in many healthcare sectors, and the health and human services markets already are feeling the pressure to move in that direction with the passage of federal stimulus bills that support record automation and interoperability. Many providers have acknowledged the benefits of an automated health record, and the movement toward EHRs is meant to continue to allow all providers the ability to further benefit from automation and data sharing. This is a central issue for addiction and mental health treatment providers and will need to be monitored by everyone entrusted with patients' care.
So far the NHIN development process appears supportive and very conscious of sensitive data. Managing the impending collision between electronic health information exchange and confidentiality requirements is a critical element of the current national challenge.
Bill Connors, MSW, is President/CEO of Sequest Technologies (www.sequest.net), which provides software solutions for the health and human services market. John Leipold, DBA, MBA, is Executive Vice-President/COO of Valley Hope Association, an alcohol/drug treatment provider that offers Information Management Consulting and Software Solutions (VHA-IMCSS, https://www.winpims.com). Both companies are members of the Software and Technology Vendors' Association (SATVA).
For further information, e-mail bconnors@sequest.net or jleipold@valleyhope.com.
Sidebar
Behavioral Healthcare invites information technology vendors, including members of the Software and Technology Vendors' Association (SATVA), to contribute to this department.
Sidebar
The Echo Group's Raden is new SATVA chair
The Software and Technology Vendors' Association (SATVA) has chosen John Raden, president of The Echo Group, as its new chair, succeeding outgoing chair Kevin Scalia, executive vice-president of corporate development at Netsmart Technologies, as of July 1. Also elected to the 2009-2010 Board were Bill Connors, president and CEO of Sequest Technologies, as vice-chair; Michael Morris, president and CEO of Anasazi Software, Inc., as treasurer; and Ravi Ganesan, president of Core Solutions, Inc., as secretary. Board members-at-large for 2009-2010 include Fran Loshin-Turso, president and CEO of DeFran Systems, Inc.; J.J. Farook, president and CEO of InfoMC, Inc.; and John Leipold, executive vice-president/COO of Valley Hope Association Information Management Consulting and Software Solutions (VHA-IMCSS). -Douglas J. Edwards
Behavioral Healthcare 2009 July-August;29(7):52-53