Federal and State Legal Framework for Sharing Health Information

The federal Health Insurance Portability and Accountability Act (HIPAA) is the law that sets the floor for national privacy standards for the use and disclosure of personally identifiable health information, also referred to as “protected health information.”5 The law includes broad provisions that allow for exchange of information between entities pertaining to treatment, payment and health care operations without patient consent.6 Federal laws and regulations governing exchange of information related to substance abuse treatment are more stringent than the requirements under HIPAA.7 Federal regulation regarding confidentiality of alcohol and drug abuse patient records—42 CFR Part 2 (“Part 2”)—requires strict protections for sharing individually identifiable substance abuse treatment information. Part 2 restrictions limit providers’ ability to easily access and review complete patient information or improve care coordination for patients unless they have sophisticated technological capabilities.8

Moreover, many states have privacy laws pertaining to health information that are more protective than HIPAA, restricting disclosure of specific categories of information deemed to be sensitive, such as mental health and communicable disease information, without explicit consent from the patient. Further, hospital systems and provider groups are responsible for setting their own privacy policies, which vary and in some cases are more restrictive than federal or state laws based on narrow legal interpretation. Hospital systems and provider groups may apply a more restrictive interpretation of the law to avoid legal risks associated with improperly sharing patient information. The variable nature of hospital and other provider policies creates a further layer of complexity on top of federal and state laws and can be an additional barrier to sharing patient information.