What’s more harmful to patients being treated for drug or alcohol use: Risking their health by keeping other medical providers in the dark about the care, or risking the patients’ jobs, homes and child custody arrangements by allowing potentially damaging details to be shared widely among providers?
Advocates have painted the possible patient outcomes in starkly different terms as they consider the federal government’s recently proposed update to guidelines that govern the release of patient records about treatment for alcohol and drug use.
What everyone can agree on is that protecting the privacy of people who are being treated for substance use is critical. If such information becomes public, it may have a devastating effect on their work and family lives. In some cases, it also may have legal repercussions, including arrest, prosecution and jail. The mere threat that treatment details might be disclosed can be enough to deter some people from seeking help.
The current privacy guidelines — often referred to as “Part 2” as an abbreviation for “42 CFR Part 2,” the section of the code of federal regulations where the rules are published — last got a meaningful update in 1987. Since then, electronic medical records have proliferated and become integrated.
Existing privacy rules are too cumbersome for today’s integrated world, say proponents who favor loosening the rules. Under current Part 2 rules, providers can’t disclose treatment information unless patients give their consent to release it to a specific health care provider.
Part 2 “is well intentioned, but it’s just not working,” said Matt Salo, executive director of the National Association of Medicaid Directors. “These special [treatment] silos are actually hurting people.” The Medicaid program for lower-income people is responsible for a significant and growing share of the money spent on treatment for substance use, Salo said.
In family medicine, it’s not unusual for patients to have 5 to 10 different diagnoses, one of them being substance abuse, said Dr. Wanda Filer, president of the American Academy of Family Physicians who practices at a federally qualified health center in York, Pa. Not having access to all the relevant medical information can be difficult or even dangerous. If someone is taking methadone to treat a heroin addiction, for example, the doctor may need to adjust his antidepressant or anxiety medications.
“Finding the right balance between getting access to information and protecting their privacy” is challenging, said Filer. The AAFP is still reviewing the potential changes.
The proposal from the Department of Health and Human Services would allow patients to give their consent to disclose their records not just to a specific provider but to the health care system or the accountable care organization with which the provider is affiliated, for example.
While the HHS proposal is an improvement over existing rules, it doesn’t go far enough, said Salo. His organization, along with others, would prefer that HHS align substance-use treatment disclosure rules with the federal Health Insurance Portability and Accountability Act of 1996, which governs other types of health care records disclosure.
Under HIPAA, health plans, providers and health care clearinghouses don’t have to get patients’ consent before disclosing their records to other similar groups and “business associates,” such as claims processing operations, if the disclosure is related to a patient’s treatment, payment or health care operations.
Strong protections must remain in place to prevent information from being used for criminal charges or to conduct criminal investigations, said Lindsey Browning, senior policy analyst at the National Association of Medicaid Directors.
That’s not good enough, say some patient advocates. They argue that the HHS privacy rule changes are too broad.
Under the HHS proposal, “anybody throughout the system can get access” to patient substance use treatment records, said Jim Pyles, a principal at Powers Pyles Sutter & Verville who is an expert on patient privacy and has represented the American Psychoanalytic Association on this issue. “When the patient is at their most vulnerable time, it gets them to sign … this very general consent form.”
Patients can’t rely on health care systems to keep their information private, Pyles said, noting that in the past six years, more than 150 million Americans have been involved in health data breaches, according to an analysis of HHS data released by Melamedia, a healthcare research company.
In the midst of a privacy breach epidemic, “we’re substituting the interests of integrated delivery systems and accountable care organizations for patients’ interests, when what we should be doing is asking patients what they want,” Pyle said.
Comments on the proposed rules are due on April 11.
Kaiser Health News is an editorially independent news service that is part of the nonpartisan Henry J. Kaiser Family Foundation. Email questions for future columns: KHNHelp@KFF.org. Michelle Andrews is on Twitter: @mandrews110.