By Edmund Murphy

Last updated: 18 January 2023 & medically reviewed by Dr. Lindeman

One of the top reasons for people not seeking help for substance abuse problems is the fear and shame of revealing their problem to friends and family, religious groups, and employers. However, there are strict privacy laws in place to keep treatment confidential and health records private.

Key takeaways:

  • The Code of Regulations (CFR), Title 42 Part 2, was enacted in 1975 as a way of providing additional protection to those getting treatment for a substance use disorder (SUD)
  • The Enforcement Final Rule of 2006 allows for penalties to be given to any doctor, healthcare organization or medical individual who discloses a patient's PHI without their consent, breaking confidentiality laws
  • If a patient does not wish for any information relating to their SUD or treatment to be shared with anyone, the clinical staff will not be permitted to give it

Health Insurance Portability and Accountability Act, medical records & laws

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that prevents a patient's private health information from being shared with another party without their consent [1]. Initially formed to protect and improve health insurance for those between jobs, HIPAA now includes security rules for Protected Health Information (PHI) in personal medical records [2]. PHI includes health status, demographic information, where care was received, and payment method, all of which can be used to identify an individual. The US Department of Health and Human Services has strengthened HIPAA by introducing a Privacy Rule that must be adhered to by all healthcare providers [1].

Substance use disorder and 42 CFR part 2

The Code of Regulations (CFR), Title 42 Part 2, was enacted in 1975 as a way of providing additional protection to those getting treatment for a substance use disorder (SUD) [3]. Originally used to protect someone’s SUD information in criminal proceedings, 42 CFR part 2 prohibits SUD information from being shared without consent outside of a healthcare setting, including rehab centers.

All rehab treatment staff will be trained in HIPAA and 42 CFR Part 2 regulations. When you enroll in a rehab treatment program, information on HIPAA will be given to you upfront, and you will be asked to read and sign paperwork to say you have understood it.

They will also present consent forms relating to PHI and 42 CFR Part 2. These forms give staff the right to share your health information with people outside of the clinical team that is treating you [4]; these forms ask for specific names of people with whom they are allowed to share information and to what degree.

For example, it may be necessary for someone receiving treatment to update their family on how they are doing, though they may not want to divulge explicit details. The consent form will allow the patient to specify precisely what PHI may be disclosed to any named individual of their choosing [4]. If the patient does not wish for any information relating to their SUD or treatment to be shared with anyone, the clinical staff will not be permitted to give it. This even includes confirmation that they are attending or staying at a rehab facility [4].

Once someone has signed a consent form, they have the right to revoke it at any time and for any reason. This can be confirmed with the care team in any form (verbally, in writing, etc.) and will be communicated to all clinical staff in the rehab facility who have access to their PHI [4].

Doctor-patient confidentiality

A medical professional's first duty is the care of their patients. This means that they require full details and transparency to give the best care they can. That is why doctor-patient confidentiality, also known as the doctor-patient privilege, is in place to protect a patient's information [5].

This includes all SUD-related issues, including concerns about drink driving or illicit drug use. If you disclose this information to a doctor or medical professional, privacy policies dictate they cannot report it to the authorities. Nor can they force you to attend a rehab facility if you do not want to or are not ready (though they may strongly recommend it).

They do, however, have the authority and right to send a patient to an acute care hospital for evaluation if they show signs of medical or psychiatric emergencies. In SUDs, this typically relates to any co-occurring mental health disorder that may make the patient a risk to themselves or others.

Penalties for disclosing information

The Enforcement Final Rule of 2006 allows for penalties to be given to any doctor, healthcare organization or medical individual who discloses a patient's PHI without their consent, breaking confidentiality laws [6].

Violations can be issued by the Department of Health Services’ Office for Civil Rights or the state attorney general and can result in either substantial financial fines, corrective action, or both [7]; the fines associated with breaking HIPAA law can be significant and are in place to ensure the safeguarding of confidential patient information.