This Metro Mayors Coalition (MMC) initiative is the result of recommendations from the 2017 MMC Opioid Forum.
A major challenge in providing care and ongoing support for people with opioid use disorders is effectively and legally sharing information.
Individuals with a substance use disorder (SUD) interact with a range of organizations and individuals, from hospitals to police officers, recovery coaches, or family members. Helping people with SUDs recover often requires that those parties work together and understand the circumstances of those in recovery in as close to real time as possible. There are of course operational barriers to effective information sharing, but of equal importance is an understanding of the legal parameters that delineate what medical and addiction treatment information can be shared – and shared by whom, and with whom; with whose consent; in what formats; and when.
Harvard Cyberlaw Clinic: Austin Bohn, Mason Kortz, Michael Roig
The content of this resource was developed by the Harvard Law School CyberLaw Clinic.
The Clinic conducted this work in support of a project the Metropolitan Area Planning Council (MAPC) is leading on behalf of the 15 cities and towns in Greater Boston’s inner core that make up the Metropolitan Mayor’s Coalition (MMC).
A forum held in May 2017 and subsequent engagement with municipal public health and safety personnel from MMC communities identified information sharing as a key challenge in addressing the opioid epidemic for local governments. This project intends to help municipal officials improve information sharing approaches and this document is intended to inform their options.
This resource is designed to address some basic questions for organizations and municipal officials about the laws that govern medical and addiction treatment related information. To achieve that goal, this resource summarizes federal and state data sharing laws and their application; presents the role of consent regimes that enable information sharing; provides some scenario-based examples to inform practice; and describes data sharing models that currently exist.
By no means is this resource comprehensive and the statements herein do not constitute formal legal advice. The rules governing data sharing can be highly case-specific and different circumstances may result in different applications. Talking to appropriate legal counsel is therefore recommended before implementing any data sharing plans.
OVERVIEW OF FEDERAL AND STATE PRIVACY LAWS
FEDERAL LAWS REGULATING DATA SHARING
The primary federal bodies of law that apply are HIPAA’s Privacy Act, HIPAA’s Part 2, and FERPA.
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) is the implementation of the Health Insurance Portability and Accountability Act (“HIPAA”) to protect certain healthcare data. The Confidentiality of Substance Use Disorder Patient Records (“Part 2”) imposes additional restrictions on the disclosure and use of substance use disorder patient records. Depending on the person or organization holding the data, and the nature of the information involved, healthcare data may fall under the Privacy Rule, Part 2, or both.
HIPAA Privacy Rule
Under 45 CFR Parts 160 and 164, the Privacy Rule applies to all covered entities and business associates.
Covered entities include health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the Privacy Rule. Government agencies may be covered entities. For example, Medicare and Medicaid are health plans, and public health agencies that process data or facilitate health information exchanges may qualify as health care clearinghouses.
Business associates are organizations that handle Protected Health Information (PHI) on behalf of covered entities, usually as contractors. Common business associates include data storage providers, benefits managers, patient portal providers, and legal, business, or accounting firms.
HIPAA Part 2
Part 2 applies to any substance abuse information obtained by a federally assisted substance abuse program, which means any program that (1) directly or indirectly receives federal funds, is federally licensed, or is tax-exempt under federal law and (2) primarily provides substance abuse treatment. Such programs may include an individual, entity, or identified unit within a general medical facility holding itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. Such programs also include medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment, and who are identified as such providers.
Family Educational Rights and Privacy Act (FERPA)
FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This law exists because these educational agencies generally would not be covered entities under HIPAA.
An educational agency subject to FERPA may not have a policy or practice of disclosing the education records of students, or personally identifiable information from education records, without a parent or eligible student’s written consent. An “eligible student” is a student who is at least 18 years of age or one who attends a postsecondary institution at any age.
Education records are records that directly relate to a student and are maintained by the educational agency or by a party acting for the agency or institution. At the elementary or secondary level, a student’s health records, including immunization records and records by a school nurse, maintained by an educational agency subject to FERPA are considered education records. As education records, the information is protected under FERPA and not HIPAA. Education records also include transcripts, disciplinary records, and attendance information.
De-identified education records may be shared without consent under FERPA.
MASSACHUSETTS STATE LAWS REGULATING DATA SHARING
Massachusetts privacy law is not as comprehensive as HIPAA or HIPAA Part 2. Under Massachusetts General Law, MGL c.111, s.70E, the “Patients’ Rights Law,” patients are conferred a broad right to “confidentiality of all records and communications to the extent provided by law” and are granted the right to “informed consent to the extent provided by law.” However, despite its sweeping language, the Patients’ Rights Law has been interpreted to permit the sharing of private health information insofar as it is done in compliance with HIPAA and Part 2.
Other discrete laws and regulations impose piecemeal restrictions that, by and large, are consistent with or slight variations on the federal confidentiality regime.
Voluntary Non-Opioid Directive Form
This law directs the health departments to create forms, which would be voluntarily signed by patients, directing hospitals not to administer opioids to them.
THE ROLE OF CONSENT UNDER THE LAW
The type of consent required for the sharing of private information is contingent on two main factors: the kind of data sought to be shared, and the stakeholders involved in the sharing. Of course, an individual is free to personally share information about him or herself with anyone of their choosing. The legal limits on information sharing come into play when a health provider who controls someone’s private information seeks to make a disclosure to a third party. Often, consent is the vehicle that enables third party disclosures.
When health providers seek to share information, their disclosures are governed by HIPAA and Part 2. Such disclosures generally require one of two types of consent: an opportunity to object (which can be oral or written) or authorization (which must be written and often has additional requirements). However, as discussed above, HIPAA does provide some narrow exceptions where Protected Health Information (PHI) may be disclosed without a patient’s prior approval. Barring those exceptions, all PHI disclosures require consent.
HIPAA PRIVACY RULE
The vast majority of healthcare disclosures require HIPAA authorization. An authorization is a special type of consent given by the patient that enables healthcare providers to share PHI.
Authorizations are written; a patient cannot give authorization orally. The form must be signed by the patient, and must also include a disclaimer articulating the patient’s rights with respect to the authorization (e.g., the patient’s right to revoke authorization). HIPAA authorizations are subject to the “minimum determination rule” which provides that disclosures should only contain the amount of information necessary to achieve their purpose.
In sum, an authorization form must include:
- The patient’s name
- The identity of the party disclosing the information
- The identity of the third party recipients of the information
  - For HIPAA, a “class” of individuals may be identified, as opposed to specific individuals’ names. The class can be as broad as “medical professionals.”
- A specific description of the information meant to be disclosed
- The purpose of the disclosure
- An expiration date, or expiration event
  - The expiration date must relate in some way to the purpose of the disclosure.
Consent may also be conferred under HIPAA by providing the patient the opportunity to agree or to object. This kind of consent only applies in very narrow circumstances. Under two specific scenarios, a healthcare provider may disclose PHI to the patient’s family member, relative, close personal friend, or any other person identified by the individual.
HIPAA PART 2
Part 2 allows for disclosure on the basis of one kind of consent, though it provides instances where information can be divulged without consent, for example, during medical emergencies.
Even if a disclosure could be made with just an opportunity to object or without consent at all under the Privacy Rule, if the disclosure also falls under Part 2 then Part 2 consent is required.
Part 2 Consent Forms are similar to HIPAA authorizations, but contain some notable differences.
In addition to a disclaimer of the patient’s rights, such authorizations must include:
- The patient’s name
- A “general designation” of the party disclosing the information.
  - This is perhaps somewhat narrower than “class,” but still need not include the name of the individuals making the disclosure.
- The name and title of the individuals receiving the information.
- A description of the amount and kind of information to be disclosed.
- The purpose of the disclosure
- An expiration date
- Patient signature and date of signature.
Importantly, any disclosure of information through Part 2 requires the inclusion of specific language directed at the third party receiving the data. This language explicitly forbids any further disclosure of the information conveyed.
Each Part 2 authorization must include one of the following disclaimers:
This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see § 2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65.
Finally, valid, written consent under FERPA is required for most disclosures of education records, which includes PHI and other health care data held by the educational agency.
Valid, written consent requires:
- Signature of a parent
  - A student can sign if he or she is
    - 18 years or older, or
    - enrolled in a postsecondary institution
- A description of the specific records to be disclosed
- A description of the purpose of the disclosure
- The provision of a copy of the records to the parents and the student (if so desired)
Valid consent must be written and signed by the parent or eligible student and include certain information: specific records that may be disclosed; the purpose of the disclosure; and the party or class of parties to whom the disclosure may be made.
INFORMATION SHARING IN THE MUNICIPAL CONTEXT
EXAMPLES OF CITIES THAT HAVE IMPLEMENTED DATA SHARING SYSTEMS
There are no restrictions on the use or disclosure of de-identified health information.
De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
There are two ways to de-identify information under the Privacy Rule, either:
- a formal determination by a qualified statistician; or
- the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers; this removal is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
However, the difficulty arises when PHI is involved. A healthcare organization covered by Part 2 or the Privacy Rule must either have authorization from the individual or fall under a specified exemption in order to use or disclose any PHI. Even organizations that are not governed by HIPAA, such as law enforcement departments, are sometimes prohibited from sharing substance abuse information obtained from a Part 2 program. Some states have similar “re-disclosure rules” that apply to non-substance abuse PHI as well.
There are also a number of exceptions to HIPAA that apply to law enforcement. The Privacy Rule allows law enforcement to obtain an individual’s PHI without his or her written authorization in certain circumstances.
Camden Arise is a data-sharing plan that integrates information from public data systems, including criminal justice, healthcare, and housing, to create a multi-dimensional picture of citywide challenges. It is a program of the Camden Coalition—a coalition of healthcare providers, community partners, and advocates—working to address complex medical and social challenges. In their first project integrating data, they have created two separate agreements. One is a data sharing agreement between the Camden City School District and the Camden Coalition of Healthcare Providers in which the School District provides data to the Coalition, particularly regarding absenteeism. The other is a memorandum of understanding between The County of Camden (Department of Police Services) and the Camden Coalition of Healthcare Providers authorizing the police to provide information to the Coalition. (https://www.camdenhealth.org/arise-camden/)
Chelsea Hub is a collection of community organizations, organized by the Police Department, that meets weekly to share information about individuals or families at risk and strategize ways to intervene. The data sharing that occurs goes through a four-stage process: identification of individuals at risk (through the identification of risk factors); introduction of de-identified data to gain intervention consensus; identification of the appropriate parties through revealing limited information; and a detailed conversation among the parties who deliver relevant services about the individual. (http://chelseapolice.com/chelsea-hub/)
Data-Driven Justice Initiative
The Data-Driven Justice Initiative is a data-sharing program that initially started in the Obama White House, and is now coordinated by the Laura and John Arnold Foundation. One of its most successful projects is a collaboration between Johnson County, Kansas, and the University of Chicago’s Center for Data Science and Public Policy. The program tracks individuals across multiple public systems, including jails, emergency rooms, mental-health facilities, and social services, and attempts to identify the most effective ways to get people the care they need. The University of Chicago has entered multiple data-sharing agreements with private and public data providers so that it can integrate and analyze the data in a secure and confidential environment. (http://www.naco.org/resources/data-driven-justice-playbook; http://dsapp.uchicago.edu/projects/criminal-justice/data-driven-justice-initiative/)
A medical provider may disclose information to law enforcement in the following situations:
- In compliance with a court order, warrant or subpoena;
- In response to an administrative request;
- Administrative requests are made without the involvement of a judge. They can be made by law enforcement or certain other administrative agencies. Such a request must include a description of the limited information desired, as well as the purpose of that information.
- In response to a request for information that serves the purpose of identifying a suspect, fugitive, witness, or missing person;
- In response to a request for information about the victim of a crime;
- The victim must him or herself agree to this disclosure.
- In order to report abuse, neglect, or domestic violence (these disclosures may also be made to other authorized agencies, such as public health agencies, social services, or protective services);
- In order to report to law enforcement when required by state law;
- In order to report the death of an individual;
- When necessary to alert police to an on-site criminal activity, or off-site criminal activity to which medical providers responded;
- Where, in the medical provider’s professional judgment, disclosure is necessary to prevent domestic violence or any other serious, imminent threat to an individual or the public;
- In the course of investigation concerning national security;
- In response to a request concerning an individual in a correctional facility or in police custody.
A police officer asks a hospital's representative (not a substance abuse, Part 2, organization) if a particular individual has been to the hospital, and if so, how often and for what purpose. How should the representative respond?
First, the representative may share the information if the hospital has a valid HIPAA authorization from the individual, the authorization lists the hospital as a party who can make the disclosure and lists the police as a party to whom the disclosure can be made, and the authorization has not expired or been revoked.
If there is no authorization, the representative may indicate the individual’s presence in a facility if the individual has had the opportunity to object to this type of disclosure, but it is limited to location and general condition, as discussed above. Additionally, they may disclose information about a patient who is suspected to be a victim of a crime if either the individual agrees to the disclosure or the individual is unable to agree because of incapacity or emergency circumstances and the representative reasonably believes it is in the best interest of the individual.
If there is no authorization and no opportunity to object to certain disclosures, then the representative may disclose if it falls under one of the exceptions. Particularly applicable are the exceptions for requests by law enforcement. Among others, the representative may disclose limited information for purposes of identification and location of a suspect, fugitive, material witness, or missing person. They may also disclose information about a patient who is reasonably believed to be a victim of abuse, neglect, or domestic violence as required by law.
A police officer is sitting among various social service oriented organizations, including hospitals, and asks if an individual has been hospitalized recently or regularly. How should the representative respond?
First, the representatives may disclose the relevant PHI (e.g. name, admitted date, etc.) if the individual has granted valid HIPAA authorization to do so. In this case, each participating organization could receive information from the representative. However, each participating organization would need to obtain separate authorization to disclose information separately (although only if the organization is covered by HIPAA).
Without authorization, it is unlikely that one of the exceptions would apply because of the many stakeholders present (thus, the law enforcement exceptions do not apply), and the representative is unable to respond. This is the same for organizations that are covered entities under the HIPAA Privacy Rule, regardless of whether Part 2 applies (although they have different requirements for valid authorization).
Other organizations that are not subject to HIPAA may be able to share this information. However, they must be compliant with any applicable re-disclosure limitations, which may apply if the information was originally disclosed from an organization subject to HIPAA.
A HEALTH CARE REPRESENTATIVE ASKS A POLICE OFFICER IF AN INDIVIDUAL HAS BEEN ARRESTED OR PREVIOUSLY IMPRISONED, AND IF SO, HOW OFTEN AND FOR WHAT REASON. HOW SHOULD THE OFFICER RESPOND?
Arrest and conviction records are public record, so the officer should be able to respond accordingly, subject to Massachusetts state law.
A HOSPITAL RECEIVES A NEW PATIENT AND KNOWS THAT THEY HAVE A RECOVERY COACH. THE HOSPITAL IS UNSURE IF THE RECOVERY COACH IS AWARE OF THE HOSPITALIZATION. WHAT CAN THE HOSPITAL DO?
If the hospital has either obtained the individual’s agreement, provided an opportunity for the individual to object to the disclosure and they did not object, or reasonably inferred that the individual does not object, then the hospital may notify a family member, personal representative of the individual, or another person responsible for the care of the individual. The notification may include the individual’s location and general condition. If the recovery coach is considered “responsible for the care of the individual,” then it is likely the recovery coach may be notified.
If the individual is not present, or the opportunity to object to the disclosure cannot practicably be provided because of incapacity or an emergency circumstance, then the hospital may exercise its professional judgment to determine if the disclosure is in the individual’s best interest. However, the recovery coach must still be considered responsible for the care of the individual to allow notification.