Page images
PDF
EPUB

sample notice in paragraph (d) to comply with the requirement to provide the patient with a summary in writing of the Federal law and regulations. In addition, the program may include in the written summary information concerning State law and any program policy not inconsistent with State and Federal law on the subject of confidentiality of alcohol and drug abuse patient records.

(d) Sample notice.

CONFIDENTIALITY OF ALCOHOL AND DRUG
ABUSE PATIENT RECORDS

The confidentiality of alcohol and drug abuse patient records maintained by this program is protected by Federal law and regulations. Generally, the program may not say to a person outside the program that a patient attends the program, or disclose any information identifying a patient as an alcohol or drug abuser Unless:

(1) The patient consents in writing:

(2) The disclosure is allowed by a court order; or

(3) The disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.

Violation of the Federal law and regulations by a program is a crime. Suspected violations may be reported to appropriate authorities in accordance with Federal regulations.

Federal law and regulations do not protect any information about a crime committed by a patient either at the program or against any person who works for the program or about any threat to commit such a crime.

Federal laws and regulations do not protect any information about suspected child abuse or neglect from being reported under State law to appropriate State or local authorities.

(See 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 for Federal laws and 42 CFR part 2 for Federal regulations.)

(Approved by the Office of Management and Budget under control number 0930-0099)

§2.23 Patient access and restrictions

on use.

(a) Patient access not prohibited. These regulations do not prohibit a program from giving a patient access to his or her own records, including the opportunity to inspect and copy any records that the program maintains about the patient. The program is not required to obtain a patient's written consent or other authorization under these regula

tions in order to provide such access to the patient.

(b) Restriction on use of information. Information obtained by patient access to his or her patient record is subject to the restriction on use of his information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under §2.12(d)(1).

Subpart C-Disclosures With
Patient's Consent

$2.31 Form of written consent.

(a) Required elements. A written consent to a disclosure under these regulations must include:

(1) The specific name or general designation of the program or person permitted to make the disclosure.

(2) The name or title of the individual or the name of the organization to which disclosure is to be made. (3) The name of the patient. (4) The purpose of the disclosure. (5) How much and what kind of information is to be disclosed.

(6) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under §2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under §2.15 in lieu of the patient.

(7) The date on which the consent is signed.

(8) A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer.

(9) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.

(b) Sample consent form. The following form complies with paragraph (a) of this section, but other elements may be added.

1. I (name of patient) Request

Authorize: 2. (name or general designation of program which is to make the disclosure)

3. To disclose: (kind and amount of information to be disclosed)

4. To: (name or title of the person or organization to which disclosure is to be made)

5. For (purpose of the disclosure)

6. Date (on which this consent is signed)

7. Signature of patient

8. Signature of parent or guardian (where required)

9. Signature of person authorized to sign in lieu of the patient (where required)

10. This consent is subject to revocation at any time except to the extent that the program which is to make the disclosure has already taken action in reliance on it. If not previously revoked, this consent will terminate upon: (specific date, event, or condition)

(c) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:

(1) Has expired;

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;

(3) Is known to have been revoked; or (4) Is known, or through a reasonable effort could be known, by the person holding the records to be materially false.

(Approved by the Office of Management and Budget under control number 0930-0099) §2.32 Prohibition on redisclosure.

Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by the following written statement:

This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to crimi

nally investigate or prosecute any alcohol or drug abuse patient.

[52 FR 21809, June 9, 1987; 52 FR 41997, Nov. 2, 1987]

§2.33 Disclosures permitted with written consent.

If a patient consents to a disclosure of his or her records under §2.31, a program may disclose those records in accordance with that consent to any individual or organization named in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§2.34 and 2.35, respectively.

§2.34 Disclosures to prevent multiple enrollments in detoxification and maintenance treatment programs.

(a) Definitions. For purposes of this section:

Central registry means an organization which obtains from two or more member progams patient identifying information about individuals applying for maintenance treatment or detoxification treatment for the purpose of avoiding an individual's concurrent enrollment in more than one program.

Detoxification treatment means the dispensing of a narcotic drug in decreasing doses to an individual in order to reduce or eliminate adverse physiological or psychological effects incident to withdrawal from the sustained use of a narcotic drug.

Maintenance treatment means the dispensing of a narcotic drug in the treatment of an individual for dependence upon heroin or other morphine-like drugs.

Member program means a detoxification treatment or maintenance treatment program which reports patient identifying information to a central registry and which is in the same State as that central registry or is not more than 125 miles from any border of the State in which the central registry is located.

(b) Restrictions on disclosure. A program may disclose patient records to a central registry or to any detoxification or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:

(1) The disclosure is made when:

(i) The patient is accepted for treatment;

(ii) The type or dosage of the drug is changed; or

(iii) The treatment is interrupted, resumed or terminated.

(2) The disclosure is limited to:

(i) Patient identifying information; (ii) Type and dosage of the drug; and (iii) Relevant dates.

(3) The disclosure is made with the patient's written consent meeting the requirements of §2.31, except that:

(i) The consent must list the name and address of each central registry and each known detoxification maintenance treatment program to which a disclosure will be made; and

or

(ii) The consent may authorize a disclosure to any detoxification or maintenance treatment program established within 200 miles of the program after the consent is given without naming any such program.

(c) Use of information limited to prevention of multiple enrollments. A central registry and any detoxification or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not redisclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under subpart E of these regulations.

(d) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose

(1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and

(2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollment.

(e) Permitted disclosure by a detoxification or maintenance treatment program to prevent a multiple enrollment. A detoxi

fication or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollment.

§2.35 Disclosures to elements of the criminal justice system which have referred patients.

(a) A program may disclose information about a patient to those persons within the criminal justice system which have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:

(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or posttrial release, probation or parole officers responsible for supervision of the patient); and

(2) The patient has signed a written consent meeting the requirements of §2.31 (except paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section.

(b) Duration of consent. The written consent must state the period during which it remains in effect. This period must be reasonable, taking into account:

(1) The anticipated length of the treatment;

(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and

(3) Such other factors as the program, the patient, and the person(s) who will receive the disclosure consider pertinent.

(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified,

ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.

(d) Restrictions on redisclosure and use. A person who receives patient information under this section may redisclose and use it only to carry out that person's official duties with regard to the patient's conditional release or other action in connection with which the consent was given.

Subpart D-Disclosures Without Patient Consent

§2.51 Medical emergencies.

(a) General Rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.

(b) Special Rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.

(c) Procedures. Immediately following disclosure, the program shall document the disclosure in the patient's records, setting forth in writing:

(1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;

(2) The name of the individual making the disclosure;

(3) The date and time of the disclosure; and

(4) The nature of the emergency (or error, if the report was to FDA).

(Approved by the Office of Management and Budget under control number 0930-0099)

$2.52 Research activities.

(a) Patient identifying information may be disclosed for the purpose of conducting scientific research if the program director makes a determination that the recipient of the patient identifying information:

(1) Is qualified to conduct the research;

(2) Has a research protocol under which the patient identifying information:

(i) Will be maintained in accordance with the security requirements of §2.16 of these regulations (or more stringent requirements); and

(ii) Will not be redisclosed except as permitted under paragraph (b) of this section; and

(3) Has provided a satisfactory written statement that a group of three or more individuals who are independent of the research project has reviewed the protocol and determined that:

(i) The rights and welfare of patients will be adequately protected; and

(ii) The risks in disclosing patient identifying information are outweighed by the potential benefits of the research.

(b) A person conducting research may disclose patient identifying information obtained under paragraph (a) of this section only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities.

[52 FR 21809, June 9, 1987, as amended at 52 FR 41997, Nov. 2, 1987]

§2.53 Audit and evaluation activities.

(a) Records not copied or removed. If patient records are not copied or removed, patient identifying information may be disclosed in the course of a review of records on program premises to any person who agrees in writing to comply with the limitations on redisclosure and use in paragraph (d) of this section and who:

(1) Performs the audit or evaluation activity on behalf of:

(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is

authorized by law to regulate its activities; or

(ii) Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a peer review organization performing a utilization or quality control review; or

(2) Is determined by the program director to be qualified to conduct the audit or evaluation activities.

(b) Copying or removal of records. Records containing patient identifying information may be copied or removed from program premises by any person who:

(1) Agrees in writing to:

(i) Maintain the patient identifying information in accordance with the security requirements provided in §2.16 of these regulations (or more stringent requirements);

(ii) Destroy all the patient identifying information upon completion of the audit or evaluation; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and

(2) Performs the audit or evaluation activity on behalf of:

(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or

(ii) Any private person which provides financial assistance to the program, which is a third part payer covering patients in the program, or which is a peer review organization performing a utilization or quality control review.

(c) Medicare or Medicaid audit or evaluation. (1) For purposes of Medicare or Medicaid audit or evaluation under this section, audit or evaluation includes a civil or administrative investigation of the program by any Federal, State, or local agency responsible for oversight of the Medicare or Medicaid program and includes administrative enforcement, against the program by the agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.

(2) Consistent with the definition of program in §2.11, program includes an employee of, or provider of medical

services under, the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section.

(3) If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section, then a peer review organization which obtains the information under paragraph (a) or (b) may disclose the information to that person but only for purposes of Medicare or Medicaid audit or evaluation.

(4) The provisions of this paragraph do not authorize the agency, the program, or any other person to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the Medicare or Medicaid audit or evaluation activity as specified in this paragraph.

(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under §2.66 of these regulations.

Subpart E-Court Orders Authorizing Disclosure and Use

$2.61 Legal effect of order.

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290ee-3, 42 U.S.C. 290dd-3 and these regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under these regulations.

« PreviousContinue »