Home > Appendices

Appendix B: Background on the Legal Landscape Pertaining To Exchange of Health Information

Legal Disclaimer: The analysis provided in this road map is for informational purposes only and is not intended to be legal advice. You should contact your attorney to obtain advice with respect to any particular issue or question described herein.

Federal law, state law and individual organization-level policies govern the exchange of health information. HIPAA sets the floor for national privacy standards, but Part 2 and other federal privacy laws add layers of requirements for sharing information. In addition, states have the ability to set their own laws with regard to health information privacy; when these laws are more stringent than HIPAA, the state laws prevail.

This appendix provides background information about HIPAA, Part 2 and state laws as well as related key challenges.

Federal Privacy Laws


HIPAA, which Congress passed in 1996, governs the sharing of personally identifiable health information. HIPAA is intended to allow the flow of PHI while safeguarding patients’ rights and protecting their privacy. HIPAA applies to health information shared by “covered entities,” which include health plans, health care clearinghouses and health care providers and their business associates. The U.S. Department of Health and Human Services defines a “business associate” as a “person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.”69 Examples of business associates under HIPAA include agents, contractors or other entities hired to help covered entities serve their patients and that may have access to PHI.

HIPAA includes broad provisions that allow for exchange of information between entities pertaining to treatment, payment and health care operations without requiring patient consent. Providers and organizations can exchange PHI without patient permission provided that the information is necessary for one of those purposes. The one category of patient information HIPAA excludes from its normal provisions for treatment, payment and operations is psychotherapy notes. Psychotherapy notes must be kept separate from a patient’s medical record and patient consent is required before they can be shared.

Confidentiality of Alcohol and Drug Abuse Patient Records (Part 2)

The federal rules governing exchange of information related to substance abuse treatment are more stringent than the rules governing health information under HIPAA, in part because of concerns about potential discrimination against patients whose recovery status is exposed. 70 The Part 2 rule requires strict protections for sharing individually identifiable substance abuse treatment information as well as for the storage and destruction of treatment files.

Part 2 applies to federally-assisted drug and alcohol programs. In this context, “federal assistance” is defined broadly to include the receipt of Medicaid or Medicare payments, federal grants or other federal financial support. A “drug and alcohol treatment program” is defined as “any person or entity that holds itself out as providing, and provides, drug abuse diagnosis, treatment, or referral for treatment.”71 Information can be shared only when written patient consent is provided. Currently, the Part 2 consent form must contain the following information:

  • Patient’s name;
  • Name or designation of the person or program permitted to disclose the information;
  • Recipient of the information;
  • Purpose of the disclosure;
  • Quantity and type of information to be disclosed;
  • Right of the patient to revoke consent at any time;
  • Date the consent expires; and
  • A note prohibiting re-disclosure of the information.

Part 2 disclosure requirements add a layer beyond HIPAA to preserve the privacy of patients undergoing treatment for substance abuse, but also limit the ability of providers to easily access and review complete patient information. Approximately 8 million adults in the United States have co-occurring mental health conditions and substance use disorders; the care these individuals receive is fragmented among mental health, substance abuse and physical health systems, resulting in poor-quality care and higher costs.72 According to the Medicaid and CHIP Payment Access Commission, in 2011, “one in five Medicaid beneficiaries had behavioral health diagnoses but accounted for almost half of total Medicaid expenditures, with more than $131 billion spent on their care (including physical, behavioral, and other Medicaid-covered services).”73 With new system transformation efforts focusing on better coordination of care for high-need patients, there is a growing need for providers to be able to seamlessly exchange health information.

Because of the Notice of Proposed Rule Making (NPRM) that the Substance Abuse and Mental Health Services Administration issued in March 2016, changes are expected to the Part 2 rule.74 The proposed changes would largely apply to what is contained in the Part 2 consent form. The NPRM clarifies certain definitions within the law but, more importantly, allows a general designation in the “to whom” field of the form, letting a patient designate a general entity—such as an HIO, ACO or “all of my treating providers”—receive his or her treatment information. The proposed change could improve the ability of providers to exchange Part 2–covered information.