Courses: 0

Total: $00.00

Confidentiality and Documentation for Substance Abuse Records 20-782024 1 Hour Back to Course Index






The United States is facing an overwhelming growth in drug and alcohol addiction.  While the most recent statistics show that more than 23 million people in the U.S. are living with addiction, only roughly 10% of people with addiction actually seek and receive treatment.  This means that over 20 million people who need treatment for addiction are not getting it.

Despite addiction is a progressive, potentially fatal disease that ruins careers, families, and lives, many who need help don’t feel like they can get the help they need because of the stigma of addiction.  Concerns over losing their current job, losing insurance coverage, and connections to family and friends looms over all decisions.

The laws and regulations governing the confidentiality of substance use disorder records were written out of great concern about the potential use of substance use disorder information against individuals, causing individuals with substance use disorders not to seek needed treatment.  The disclosure of records of individuals with substance use disorders can lead to a host of negative consequences, including loss of employment, housing, child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

A risk-managed approach to documentation is a best practice to protect both the client and the professional.  Risk management is a coordinated effort to both benefit the client and protect the practice or agency from legal vulnerability.  Records’ maintenance, content, and disclosure pose a threat regarding exposure.  By looking at the documentation with a risk-managed approach, the professional becomes sensitive to what is stated, how it is said, where it is kept, who has access, and in turn, the consequences of what-if scenarios are reduced.

The primary regulations that effective substance abuse treatment confidentiality are title 42 of the Code of Federal Regulations (CFR) and HIPAA.  There are individual Codes of Ethics for certified and licensed practitioners.  This course will primarily focus on appropriate documentation, HIPAA, and 42 CFR.


Title 42 of the Code of Federal Regulations (CFR) part 2

The purpose of the regulations in title 42 of the Code of Federal Regulations (CFR) part 2 (42 CFR part 2) is to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.  Now, more than 29 years since part 2 regulations were last substantively amended, this final rule makes policy changes to the regulations to better align them with advances in the U.S. health care delivery system while retaining important privacy protections.

The privacy provisions in 42 CFR Part 2 were motivated by the understanding that stigma and fear of prosecution might dissuade persons with substance use disorders from seeking treatment.  To add an extra layer of protection to these records, the regulations outline under what limited circumstances information about a patient’s treatment may be disclosed with and without the patient’s consent.  Who and what is covered can be confusing, though.

42 CFR Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing alcohol or drug abuse diagnosis, treatment, or referral for treatment.  Most drug and alcohol treatment programs are federally assisted.  For-profit programs and private practitioners that do not receive federal assistance of any kind would not be subject to the requirements of 42 CFR Part 2 unless the state licensing or certification agency requires them to comply.  However, any clinician who uses a controlled substance for detoxification or maintenance treatment of a substance use disorder requires a federal DEA registration and becomes subject to the regulations through the DEA license.

A program is “federally-assisted” if it:

  • Receives federal funds in any form, whether or not the funds directly pay for alcohol or drug abuse services; or
  • Is being carried out under a license, certification, registration, or other authorization granted by the federal government (e.g., licensed to provide methadone, certified as a Medicare provider); or
  • Is assisted by the IRS through a grant of tax-exempt status or allowance of tax deductions for contributions; or
  • It is conducted directly by the federal government or by a state or local government that receives federal funds, which could be (but are not necessarily) spent for alcohol or drug abuse programs.

The Federal Drug and Alcohol Confidentiality Law – 42 CFR Part 2 states that any information that would identify a patient as having an alcohol or drug problem, either directly or indirectly, is protected.  

The Federal Drug and Alcohol Confidentiality Law – 42 CFR Part 2 42 CFR, Part 2’s prohibition on disclosing patient-identifying information, has very few exceptions.  The following are the general categories of exceptions:

  • written consent
  • internal program communications
  • removal of all patient-identifying information
  • medical emergency
  • court order
  • crime on program premises or against program personnel
  • research
  • audits and evaluations
  • child abuse

The best way to ensure communications are permissible under 42 CFR Part 2 is to have the individual sign a consent/authorization form that complies with the requirements of both HIPAA and 42 CFR Part 2.  

The elements of a consent/authorization form that must be included are listed below.  In addition, it also includes applicable state law as well.

  • Name or general designation of the program or person permitted to make the disclosure
  • Name or title of the individual or name of the organization to which disclosure is to be made
  • Name of the patient
  • Purpose of the disclosure
  • How much and what kind of information is to be disclosed
  • Signature of the patient (and, in some states, a parent or guardian)
  • The date on which consent is signed revocation at any time except to the extent that the program has already acted on it
  • Date, event, or condition upon which consent will expire if not previously revoked

The following are questions and answers regarding the application of 42CFR to the Substance Abuse and Mental Health Services Administration (SAMHSA).


Yes.  Under 42 CFR Part 2 (hereafter referred to as “Part 2”), a patient can revoke consent to one or more parties named in a multi-party consent form while leaving the rest of the consent in effect.  In a non-Health Information Exchange (HIE) environment, this can be accomplished simply by the Part 2 program indicating on the consent form or in the patient’s record that consent has been revoked with respect to one or more named parties.  In an HIE environment, the revocation with respect to one or more parties should be clearly communicated to the Health Information Organization (HIO) as well as noted in the patient’s record by the Part 2 program.

NOTES: Health Information Exchange (“HIE”) is a generic term that refers to a number of methods and mechanisms through which information can be exchanged electronically.  As used in these FAQs, the term Health Information Organization “HIO” means an organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards.

To ensure compliance with consent requirements, an HIO should have policies and procedures in place for implementing patient decisions to give and revoke consent.  Once a patient has revoked a Part 2 consent with respect to one or more parties, that revocation should be immediately communicated to the HIO by the entity obtaining the patient’s revocation so that it implements the revocation decision and no longer transmits the Part 2 program’s protected patient information to those one or more parties.  Part 2 permits a patient to revoke consent orally [42 CFR §2.31(a)(8),(c)(8)].  While oral revocations must be honored under Part 2, SAMHSA recommends the entity obtaining the revocation get it in writing and/or document the revocation in the patient’s record.  Part 2 prohibits a program from making a disclosure on the basis of consent that it knows has been revoked.  A program, however, is entitled to act in reliance on a signed consent prior to a revocation, and such disclosure would not be improper [42 CFR § 2.31(c)(3) and § 2.31(a)(8)].  SAMHSA recommends that revocation be communicated as soon as practicable to entities relying on such consent.

The requirements of the HIPAA Privacy Rule must also be considered. 


Whether a consent form remains in effect when a program merges with another program or undergoes corporate restructuring depends on how the entity making the disclosure is identified on the consent form.

Under Section 2.31(a)(1), the disclosing entity can be listed by “specific name or general designation.” If a particular program is designated by a specific name as the entity permitted to make the disclosure, then the consent form would no longer be valid if the program’s name is changed (following a merger or restructuring or for another reason) since the new entity is not identified as the same one that was listed on the consent form.  If the disclosing entity is listed by a general designation, such as “any drug or alcohol treatment program that is affiliated with the XYZ HIO,” then that consent would continue to be valid if the program making the disclosure merges or undergoes corporate restructuring, assuming the newly merged program is also an HIO-affiliated member.

Section 2.19 sets forth the requirements when a Part 2 program is discontinued, taken over, or acquired by another program, as opposed to just undergoing a name change or restructuring.  This section provides that a discontinued program or one acquired by another program must purge patient identifying information from its records or destroy the records unless the patient consents to the transfer of his or her records, except to the extent that there is a legal requirement that records be retained.

In cases where a recipient organization has undergone a name change, whether or not a new consent form is needed depends upon the specific designation made on the original consent.  Section 2.31(a)(2) allows for the specification of either the name or title of the individual or the name or the organization to which the disclosure is to be made.  Therefore, an organizational name change alone may not necessitate a new consent.



Yes.  42 CFR § 2.11 defines “Qualified Service Organization (QSO)” and lists the types of services that a QSO provides, and further references Qualified Service Organization Agreements (QSOA).  Medical services are included on that list; thus, a Part 2 program can enter into a QSOA with providers of “on-call coverage.”

A QSOA is a two-way agreement between a Part 2 program and the entity providing the service, in this case, the provider of on-call coverage.  The QSOA authorizes communication between those two parties; however, the Part 2 program should only disclose information to the QSO that is necessary for the QSO to perform its duties under the QSOA.  Also, the QSOA does not permit a QSO to redisclose information to a third party unless that third party is a contract agent of the QSO, helping them provide services described in the QSOA, and only as long as the agent only further discloses the information back to the QSO or to the Part 2 program from which the information originated. 

Thus, if a QSOA exists between a Part 2 program and an HIO for services rendered to the program by the HIO, the QSOA would not allow the HIO to redisclose that information to a third party, like providers of “on-call coverage.” For an HIO to redisclose Part 2 information to providers of “on-call coverage” that are not part of the Part 2 program, a consent form that allows the HIO to make the redisclosures to the providers of “on-call coverage” would be needed.

Since “on-call coverage” arrangements are fluid and the identity of the health care provider who is providing the on-call coverage might not be known, the designation of the recipient could be “the health care provider who is providing on-call coverage for the ABC treatment program.” By designating the recipient as the “on-call coverage provider,” the requirement that the recipient’s name or title be listed would be met.  Consent for disclosures to providers of on-call coverage can be included in the same consent form used for other disclosures of patient information if the program so chooses.

An HIO can also redisclose Part 2 information without patient consent to providers of “on-call coverage” who are part of the Part 2 program or of an entity having direct administrative control over the program, as long as the on-call providers need the information in connection with their duties that arise out the provision of diagnosis, treatment or referral for treatment services [42 CFR § 2.12(c)(3)].



Yes.  Part 2 allows the use of a single consent form authorizing the disclosure of Part 2 patient information to different recipients for different purposes.  However, Part 2 also requires a consent form to specify the kind and amount of information that can be disclosed to each of the recipients named in the consent.  The amount of information to be disclosed “must be limited to that information which is necessary to carry out the purpose of the disclosure” [42 C.F.R. §2.13(a)].  This will vary depending on the different purposes for which different recipients are being allowed access to the information made available through an HIE.  Thus the consent form would have to be structured to make it clear what information may be given to which recipients and for which purposes.  The HIE system must also be designed to limit the different recipients’ access through the HIE to only the kind and amount of patient information each needs to fulfill the specific purpose for which they are being allowed access.


Part 2 permits the disclosure of information under certain circumstances without consent during a medical emergency or in other limited situations.  If a Part 2 program (or a healthcare provider that has received Part 2 patient information) believes that there is an immediate threat to the health or safety of any individual, there are steps described below that the Part 2 program or healthcare provider can take in such a situation:

Notifications to medical personnel in a medical emergency: A Part 2 program can make disclosures to medical personnel if there is a determination that a medical emergency exists, i.e., there is a situation that poses an immediate threat to the health of any individual and requires immediate medical intervention [42 CFR §2.51(a)].  Information disclosed to the medical personnel who are treating such a medical emergency may be redisclosed by such personnel for treatment purposes as needed.  For additional information regarding disclosures during a medical emergency, see FAQs Numbered 7, 8, and 9 below.

Notifications to law enforcement: Law enforcement agencies can be notified if an immediate threat to the health or safety of an individual exists due to a crime on program premises or against program personnel.  A Part 2 program is permitted to report the crime or attempted crime to a law enforcement agency or to seek its assistance [42 CFR §2.12(c)(5)].  Part 2 permits a program to disclose information regarding the circumstances of such incidents, including the suspect’s name, address, last known whereabouts, and status as a patient in the program.

Immediate threats to health or safety that do not involve medical emergencies or crimes on programs premises or against program personnel: Part 2 programs and health care providers and HIOs who have received Part 2 patient information can make reports to law enforcement about an immediate threat to the health or safety of an individual or the public if patient-identifying information is not disclosed.  The regulations do not address immediate threats to health or safety that do not involve a medical emergency or crimes (e.g., a fire).  Programs should evaluate those circumstances individually.

Reports of child abuse and neglect: The restrictions on disclosure do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities.  However, Part 2 restrictions continue to apply to the original alcohol, or drug abuse patient records maintained by the program, including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect [42 CFR § 2.12(c)(6)].  Also, a court order under Part 2 may authorize the disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment if, among other reasons, the disclosure is necessary to protect against an existing threat of life or serious bodily injury, including circumstances which constitute suspected child abuse and neglect [42 CFR § 2.63(a)(1)].

Court-ordered disclosures: Under the regulations, Part 2 programs or “any person having a legally recognized interest in the disclosure which is sought” may apply to a court for an order authorizing disclosure of protected patient information [42 CFR § 2.64].  Thus, if there is an existing threat to life or serious bodily injury, a Part 2 program or “any person having a legally recognized interest in the disclosure which is sought” can apply for a court order to disclose information.


Once Part 2 information has been initially disclosed (with or without patient consent), no redisclosure is permitted without the patient’s express consent to redisclose or unless otherwise permitted under Part 2.

Disclosures made with patient consent must be accompanied by a statement notifying the recipient that Part 2 redisclosure is prohibited unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by Part 2 (42 CFR § 2.32).

When disclosures are made without patient consent under the following circumstances, limited redisclosures without obtaining the patient’s consent: are permitted, such as medical emergencies [42 CFR § 2.51], child abuse reporting [42 CFR § 2.12(c)(6)], crimes on program premises or against program personnel [42 CFR § 2.12(c)(5)], and court-ordered disclosures when procedures and criteria are met [42 CFR §§ 2.61-2.67].

When disclosures are made under the following circumstances, the recipient is prohibited from redisclosing the information without consent, except under the following restricted circumstances:

Research: Researchers who receive patient identifying information are prohibited from redisclosing the patient-identifying information to anyone except back to the program [42 CFR § 2.52(b)].

Audits and Evaluations: Part 2 permits disclosures to persons and organizations authorized to conduct audits and evaluation activities but imposes limitations by requiring any person or organization conducting the audit or evaluation to agree in writing that it will redisclose patient identifying information only (1) back to the program, or (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation [42 CFR § 2.53(c)(d)].

Qualified Service Organization Agreements (QSOAs): Part 2 requires the QSO to agree in writing that in receiving, storing, processing, or otherwise dealing with any information from the program about patients, it is fully bound by Part 2, it will resist, in judicial proceedings if necessary, any efforts to obtain access to information pertaining to patients except as permitted by Part 2, and will use appropriate safeguards to prevent the unauthorized use or disclosure of the protected information [42 CFR § 2.11].  In addition, QSOAs may allow disclosure in certain circumstances.

Authorizing Court Orders: When information is disclosed pursuant to an authorizing court order, Part 2 requires that steps be taken to protect patient confidentiality.  In a civil case, Part 2 requires that the court order authorizing a disclosure include measures necessary to limit disclosure for the patient’s protection, which could include sealing from public scrutiny the record of any proceeding for which disclosure of a patient’s record has been ordered [42 CFR § 2.64(e)(3)].  In a criminal case, such an order must limit the disclosure to those law enforcement and prosecutorial officials who are responsible for or are conducting the investigation or prosecution and must limit their use of the record to cases involving extremely serious crimes or suspected crimes.  For additional information regarding the contents of court orders authorizing disclosure, see 42 CFR § 2.65(e).


The Part 2 regulations at 42 CFR §2.51 specify that when a disclosure is made in connection with a medical emergency, the Part 2 program must document in the patient’s record the name and affiliation of the recipient of the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency [42 CFR § 2.51(c)].  See previous FAQs, and specifically, Number 30 of the 2010 FAQs.  SAMHSA recommends that HIE data systems be designed to ensure that the Part 2 program is notified when disclosure occurs and Part 2 records are released pursuant to a medical emergency.  To promote compliance, SAMHSA recommends that the notification include all the information that the Part 2 program is required to document in the patient’s records (e.g., date and time of disclosure, the nature of the emergency, etc.).  Similarly, SAMHSA recommends that the information about emergency disclosures be kept in the HIO’s electronic system and protected using appropriate safeguards.

Before a Part 2 program enters into an affiliation with an HIO, it should consider whether the HIO system has the capability to comply with all Part 2 requirements, including the capacity to notify the Part 2 program when its records have been disclosed pursuant to a medical emergency.  For additional information regarding disclosures during a medical emergency, see the FAQs Numbered 5, 8, and 9.

Part 2 allows patient-identifying information to be disclosed to medical personnel in a medical emergency [42 CFR § 2.51].  Part 2 does not define the term “medical personnel” but merely provides that information can be given to medical personnel who have a need for information about a patient for the purpose of treating a condition that poses an immediate threat to the health of any individual and which requires immediate medical intervention.  It is up to the health care provider or facility treating the emergency to determine the existence of a medical emergency and which personnel is needed to address the medical emergency.  The name of the medical personnel to whom the disclosure was made, their affiliation with any health care facility, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the medical emergency must be documented in the patient’s records by the Part 2 program disclosing them [42 CFR §2.51(c)].  Additional information about disclosures in medical emergencies is found in FAQs Numbered 5, 7, and 9.

If a health care provider treating an individual determines that a medical emergency exists as defined in Part 2, i.e., “a condition which poses an immediate threat to the health of any individual [not just the patient], and which requires immediate medical intervention,” and in treating the medical emergency the health care provider needs information about potential drug interactions, then that information and any other information contained in the Part 2 record that the treating health care provider determines he or she needs to treat the medical emergency can be disclosed.  If no such determination exists, SAMHSA recommends trying to obtain consent from the patient.

If a health care provider is treating a patient in a non-emergency situation and the health care provider is concerned about potential drug interaction in an HIE environment, an HIO may only disclose a Part 2 program patient’s records to a health care provider if the patient signs a consent form releasing the Part 2 record to the health care provider.  Such a consent form may already exist if the patient previously signed a Part 2 consent form allowing the HIO to disclose Part 2 information to HIO-affiliated health care providers, and the provider seeking access is listed as a recipient on that form.

A health care provider who is concerned about potential drug interaction and treating a patient in a non-emergency situation can also gain access to a Part 2 program patient’s record if the health care provider has signed a QSOA with the patient’s Part 2 program (and the information is limited to what is needed for the provider to provide services to the Part 2 program) or obtains patient consent.

In a non-emergency situation, if the health care provider concerned about a potential drug interaction is part of the Part 2 program (or of an entity that has direct administrative control over the program), he or she can gain access to the Part 2 patient’s record without consent if the health care provider needs the information to treat the patient.  42 CFR § 2.12(c)(3) does not restrict communications between and among such personnel who have a need for the information in connection with their duties arising out of the provision of diagnosis, treatment, or referral for treatment services.

It should be noted that concern alone about potential drug interaction may not be sufficient to meet the standard of a medical emergency.  Thus, based on the circumstances of the presenting situation, SAMHSA recommends that health care providers should obtain consent from the patient where feasible.


No.  Not every primary care provider who prescribes controlled substances meets the definition of a “program” or part of a “program” under Part 2.  For providers to be considered “programs” covered by the Part 2 regulations, they must be both” federally-assisted” and meet the definition of a program under 42 CFR § 2.11.  Physicians who prescribe controlled substances to treat substance use disorders are DEA-licensed and thus meet the test for federal assistance [42 CFR § 2.12(b)(2)].  Nevertheless, the regulations establish additional criteria to meet the definition of a “program”:

  1. If a provider is not a general medical care facility, then the provider meets Part 2’s definition of a “program” if it is an individual or entity that holds itself out as providing and provides alcohol or drug abuse diagnosis, treatment, or referral for treatment.
  2. If the provider is an identified unit within a general medical care facility, it is a “program” if it holds itself out as providing and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment.
  3. If the provider consists of medical personnel or other staff in a general medical care facility, it is a program if its primary function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment and is identified as such specialized medical personnel or other staff within the general medical care facility.

In addition, in explaining Part 2’s applicability and coverage, § 2.12(e)(1) states that “coverage includes, but is not limited to, employee assistance programs, programs within general hospitals, school-based programs and private practitioners who hold themselves out as providing, and provide alcohol or drug abuse diagnosis, treatment or referral for treatment” [42 CFR § 2.12(e)(1)].

Accordingly, primary care providers who do not work in general medical care facilities meet Part 2’s definition of a program if their principal practice consists of providing alcohol or drug abuse diagnosis, treatment, or referral for treatment, and they hold themselves out as providing the same.  If their principal practice consists of providing alcohol or drug abuse diagnosis, treatment, or referral for treatment, but they do not hold themselves out as providing those services, then it is likely that they would not meet the definition of a program.  The phrase “holds itself out” is not defined in the regulations but could mean a number of things, including but not limited to state licensing procedures, advertising or the posting of notices in the offices, certifications in addiction medicine, listings in registries, internet statements, consultation activities for non-“program” practitioners, the information presented to patients or their families, or any activity that would lead one to reasonably conclude that the provider is providing or provides alcohol or drug abuse diagnosis, treatment or referral for treatment.

Further, while the term “general medical care facility” is not defined in the definitions section of 42 CFR 2.11, hospitals, trauma centers, or federally qualified health centers would generally be considered “general medical care” facilities.  Therefore, primary care providers who work in such facilities would only meet Part 2’s definition of a program if 1) they work in an identified unit within such a general medical care facility that holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment, or 2) the primary function of the provider is alcohol or drug abuse diagnosis, treatment or referral for treatment and they are identified as providers of such services.  In order for a program in a general medical care facility to share information with other parts or units within the general medical care facility, administrative controls must be in place to protect Part 2 information if it is shared.

In addition, a practice comprised of primary care providers could be considered a “general medical facility.” As such, only an identified unit within that general medical care facility that holds itself out as providing alcohol or drug abuse diagnosis, treatment, or referral for treatment would be considered a “program” under the definition in the Part 2 regulations.  Medical personnel or staff within that facility whose primary function is the provision of those services and who are identified as such providers would also qualify as a “program” under the definition in the Part 2 regulations.  Other units or practitioners within that general medical care facility would not meet the definition of a Part 2 program unless such units or practitioners also hold themselves out as providing alcohol or drug abuse diagnosis, treatment, or referral for treatment.

Screening, Brief Intervention, and Referral to Treatment (SBIRT) is a cluster of activities designed to identify people who engage in risky substance use or who might meet the criteria for a formal substance use disorder.  Clinical findings indicate that the overwhelming majority of individuals screened in a general medical setting do not have a substance use disorder and do not need substance use disorder treatment.

The determination of whether patient information acquired when conducting SBIRT services is subject to Part 2 depends on whether the entity conducting the SBIRT activities is a federally-assisted “program” as defined in the regulations.  If the entity conducting SBIRT services is not a federally-assisted program, then the SBIRT services and patient records generated by such services would not be covered under 42 CFR Part 2, although HIPAA and state laws may apply.  However, if the entity or unit within a general medical care facility conducting the SBIRT services is a federally-assisted program under Part 2, then the SBIRT patient records would be subject to Part 2 regulations.

See FAQ Number 10 of these FAQs for a discussion of the definition of a program under 42 CFR Part 2.

42 CFR § 2.20 states that “no State law may authorize or compel any disclosure prohibited by these [Part 2] regulations.” However, States may impose additional confidentiality protections.  Thus, § 2.20 provides that, “If a disclosure permitted under these regulations is prohibited under State law, neither these regulations nor the authorizing statutes may be construed to authorize any violation of that State law.”


No.  Part 2 requires each disclosure made with written patient consent to be accompanied by a written statement that the information disclosed is protected by federal law and that the recipient cannot make any further disclosure of it unless permitted by the regulations (42 CFR § 2.32).  A logon page is a page where a user logs onto a computer system; a splash page is an introductory page to a website.  A logon or splash page notification on an HIO’s portal, including the statement as required by § 2.32, would not be sufficient notification regarding prohibitions on redisclosure since it would not accompany a specific disclosure.  The notification must be tied to the Part 2 information being disclosed in order to ensure that the recipient of that information knows that specific information is protected by Part 2 and cannot be redisclosed except as authorized by the express written consent of the person to whom it pertains or as otherwise permitted by Part 2.

No.  A QSOA is a two-way agreement between a Part 2 program and the entity providing the service, for example, a lab.  The QSOA authorizes communication only between the Part 2 program and QSO.  The QSO, in this case, the lab, would not be allowed to redisclose lab results about the Part 2 program’s patient to another QSO, such as an HIO, even if the HIO has also signed a QSOA with the Part 2 program.  In order for the lab to redisclose Part 2 patient information to the HIO, it would need the patient’s signed Part 2 consent or be otherwise permitted by Part 2. One consent form could both authorize the Part 2 program to disclose information to the lab and authorize the lab to redisclose Part 2 information to the HIO.  Once the HIO obtains the lab results, it could, through the QSOA it signed with the Part 2 program, send those results to the Part 2 program, assuming that was a service described in the QSOA.


Yes, as long the consent form signed conforms to the requirements of Part 2.  (See previously issued FAQ Number 11 published by SAMHSA and ONC in 2010 for a list of the required elements of a patient consent under Part 2:  A QSOA does not allow a QSO such as an HIO to redisclose Part 2 information to a third party, except to a contract agent of the HIO if it needs to do so in order to provide the service(s) described in the QSO.  However, if a patient signs a consent form authorizing the HIO, which has received the disclosed information from the Part 2 program, to redisclose the Part 2 information to an HIO affiliated member, then the Part 2 information can be redisclosed by the HIO.

Part 2’s consent provision requires that a consent form includes the “specific name or general designation of the program or person permitted to make the disclosure” [42 CFR Part 2, § 2.31(a)(1)].  In the case where Part 2 information is made available to an HIO, whether through a QSOA or written patient consent, the consent form allowing the HIO to redisclose the Part 2 information must identify by name or general designation the Part 2 program(s) as the entity permitted to make the disclosure of the Part 2 information.  This is because, while the HIO is redisclosing the Part 2 information, the disclosing entity remains the Part 2 program.  The consent can also name the HIO as a redisclosing party.

As noted above, the disclosing Part 2 program may be identified either by its specific name or by “general designation.” Language such as “all programs in which the patient has been enrolled as an alcohol or drug abuse patient” would be an acceptable general designation.

Yes, the consent form can refer to the HIO’s website for the list of entities permitted to make disclosures if the disclosing entity is identified by a “general designation” in the consent form as permitted under Part 2.  Part 2’s consent provisions allow either the “name or general designation of the program or person permitted to make the disclosure” to be specified on the consent form.  Because a general designation is permitted, if such a general designation is used, then the specific names of those disclosing entities do not need to be included on the consent form, and patients can be referred to the HIO’s website for a list of those entities.

This is in contrast to Part 2’s consent provision regarding recipients of Part 2 data.  42 CFR §2.31(a)(2) requires that a consent form include “the name or title of the individual or the name of the organization to which disclosure is to be made.” Thus Part 2 consents cannot refer patients to the HIO’s website for a list of potential recipients of their data but rather must identify within the consent all the HIO affiliated members by name or title that are potential recipients of the Part 2 data.  Therefore, a new consent form (e.g., by the additional Part 2 program or the HIO) would be required when a new recipient of the information is added.

How does the Supreme Court’s decision in United States v Windsor which overturned section 3 of the Defense of Marriage Act (DOMA), affect 42 CFR Part 2?

On June 26, 2013, in United States v. Windsor, the Supreme Court held that section 3 of the Defense of Marriage Act (DOMA), which prohibited federal recognition of same-sex spouses/marriages, was unconstitutional.  Consistent with HHS policy, same-sex spouses/marriages are to be recognized in SAMHSA regulatory provisions.  This means that this policy applies to you as a person or entity subject to SAMHSA’s confidentiality regulation governing alcohol and drug abuse patient records.  The regulation contains a provision that is affected by the Windsor decision, which addresses consent on behalf of incompetent or deceased patients and provides that in the absence of a personal representative, consent to the disclosure of information identifying a deceased patient as an alcohol or drug abuse patient may be given by the patient’s spouse or, if none, by any responsible member of the patient’s family.  See 42 C.F.R. § 2.15(b)(2).  SAMHSA now interprets this provision to include same-sex spouses in the meaning of the terms “spouse” and “family.” This means that, for purposes of this provision under 42 C.F.R. Part 2, you are required to treat valid marriages of same-sex couples whose marriage was legal when entered into.  This applies regardless of whether the couple now lives in a jurisdiction that recognizes same-sex marriage or a jurisdiction that does not recognize same-sex marriage.  Any same-sex marriage legally entered into in one of the 50 states, the District of Columbia, a U.S. territory, or a foreign country will be recognized.  However, this does not apply to registered domestic partnerships, civil unions, or similar formal relationships recognized under state law as something other than a marriage.


Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was enacted in 1996, and its legislation addresses insurance portability, fraud enforcement, and administrative simplification.  

Portability is primarily concerned with controlling the continuity of health coverage when an individual changes jobs.  It also addresses under what situations pre-existing medical conditions will be covered.

Fraud enforcement addresses federal governments’ fraud enforcement authority in various situations.

We will focus most intently on Administrative Simplification.  A significant challenge for most health care providers is to determine the most efficient and cost-effective method to protect patient’s privacy and the confidentiality of protected health information.

HIPAA privacy and security regulations include provisions for the punishment of individuals and/or organizations that fail to protect the confidentiality of patient information.  Prior to HIPAA, no federal law protected patient information; consequently, it was sometimes exploited for personal gain.

The HIPAA Act requires that covered entities comply with the regulations.  Most health care providers, clearinghouses, and health plans are covered entities.  Whether your work setting falls under the regulations or not, you should be committed to protecting patient privacy and confidentiality.  When an employee compromises patient information and/or records by not adhering to the policies regarding privacy, there is a potential impact on both the hospital or practice and, when appropriate, their license to practice.  It is the employee’s responsibility to carefully review and become knowledgeable of the privacy policy and to comply with the requirements.

The guiding principle for communication with or about patient information should be based on the concept of the need to know or who needs the information for treatment and/or health care operations.

Activities such as medical record review, training, and evaluation of staff performance are essential functions and must be supported.  However, only those with a need to know will have access to protected information. 

There are numerous ways medical information may be used by others.  The following are three examples:

  • Early termination of an employee because of his medical condition could lead to future medical problems.
  • Unauthorized release of potentially damaging medical history which could limit career opportunities
  • Refusal to hire based on certain medical risks.

HIPAA requires covered entities to implement comprehensive policies and procedures to protect the privacy and security of health information.  These requirements are contained in regulations published by the U.S. Department of Health and Human Services.

Covered entities are:

  • Providers who use electronic transactions
  • Health plans
  • Health care clearinghouses

The privacy rule protects individually identifiable health information in the hands of covered entities and their contractors.

This information is also called protected health information or PHI.  The privacy rule protects individually identifiable health information, whatever the form of the information (written, electronic, or spoken).

Examples of protected health information include:

  • A providers patients medical record
  • A health plan claims information.
  • Providers billing information
  • Providers’ quality assurance files if they contain information about identifiable individuals.
  • A conversation between a doctor’s receptionist and a patient about the patient’s insurance coverage.

Any information that could potentially identify the patient is considered individually identifiable information under HIPAA.

Examples include, but are not limited to:

  • Name
  • Address
  • Social Security Number
  • Relatives Name
  • Date of Birth
  • Telephone Number
  • Medical Records Number
  • Fingerprints
  • Photos

Releasing any of this information without establishing that the recipient has a need to know and/or a signed authorization to release is a violation of the HIPAA privacy regulation.

A significant departure from the standard practice is the handling of psychotherapy notes.  These notes have more stringent protection as they generally contain the personal notes of the treating psychotherapist, which may be damaging to the individual should the information become available to the general public.

HIPAA requires specific authorization for the release of psychotherapy notes.

The minimum necessary standard for the protection of confidentiality is that a reasonable effort is made by health care workers to use or disclose only the protected health information needed to do their job.  Experienced health care workers can make these reasonable effort decisions more professionally as they are more aware of good business practices and HIPAA regulations.  Needless to say, it is an ongoing challenge to maintain the proper balance between patient privacy and comprehensive and timely patient treatment.  One should always ask, “Is this needed to do my job” and if the answer is no, act accordingly.

The clinical staff is allowed to review the entire patient record and share information with other attending clinicians.  This broad approach to record availability for treatment may occasionally expose a clinician to confidential information that is not needed for treatment.  An example would be a patient who is in isolation, and you become aware of why he or she is there.  This information is confidential and should not be communicated to others.  It is also possible to view a patient information at other locations in the hospital.  This information is generally posted in areas that are not readily available to the public.  Again, this information is confidential and should not be disclosed to anyone, including co-workers, other patients, visitors, or anyone else who may ask.

Protect privacy by:

  • Hold private conversations with patients.  Close room doors when possible.
  • Speak softly in semi-private or ward areas and close curtains or other privacy items when possible.
  • Avoid discussions of patient information in public places such as the cafeteria, elevators, restrooms, etc.
  • Restrict the use of answering machines to non-confidential information and, when appropriate, get approval to leave a message
  • Limit paging information to non-confidential information

Every patient has a right to privacy.  It is essential to the success of any practice or facility to adhere to the privacy rules and to also encourage co-workers to follow the rules.

Protect electronic date by:

  • Block patient information when not in use of screen savers or log off.
  • Place screens in locations and positions so as to minimize exposure to others.
  • Do not make passwords obvious, such as your name.  Commit the password to memory; do not write it down and place it on or near the computer.
  • Never share your password with anyone.

The transmission of health information by fax is not covered by security standards.  However, good business practices mandate that an entity should only fax to a secure location and coordinate with the recipient to ensure their awareness that you are sending a fax and that it contains sensitive information.  If you are to receive a fax, the process is reversed.  Never send a fax to an unattended machine.

If information is obtained appropriately from an entity by an authorized person and subsequently transmitted by fax to an entity that is not authorized to receive that information, this could constitute a violation of both privacy and security standards.

Providers sometimes are required to release patient information even if the patient does not agree with the transaction.  In most cases, the courts authorize the release.  Examples of circumstances that may arise are:

  • Communicable diseases that the law required to be reported to health agencies
  • Certain information regarding the failure of medical devices is required to be reported by the Food and Drug Administration.
  • Suspected child abuse or domestic violence is required to be reported to the police in some states.
  • The court has a right to certain information about patients when conducting a criminal investigation.
  • Providers are required to report suspicious death or certain injuries.
  • Providers are required to report the death to the coroner.

Part 2 and HIPAA protect patient privacy by regulating how patient information can be shared and disclosed. HIPAA applies to many types of patient information, not just SUD information, and generally is less protective of patient privacy than Part 2.

Unlike HIPAA, Part 2’s privacy protections follow the records even after they are disclosed – the recipient of the records is now bound by Part 2’s privacy and security requirements for Part 2 records.



Effective documentation can provide a client’s treatment or situation history and current status.  This can benefit the therapeutic process by noting progress and marking the appropriate course of services.  It provides the professional the means of reviewing the myriad of services and professionals all on a file.  If the client begins to decline, the progress notes can provide insight into what might have preceded the difficulty.  What information is maintained in the record is of consequence in many cases; one of the points is if the record becomes a court document, as many do.  Additionally, conscientious maintenance of records may be necessary for financial purposes.  Third-party payers often require certain types of documentation for reimbursement. 


As we have explored, there are federal laws that govern record keeping, and in addition, there are state laws and facility rules and policies that have their own requirements.




Good documentation can:

  • Provide accountability for the agency and the professional.  Records should describe who is and is not served (including any other household members who may not be participating in services), the kinds of services provided (or not provided due to availability or level of service issues), the basis for all decisions, the degree to which policies and procedures are implemented, and other aspects of accountability and quality control.  The record provides a statement about the quality of work that may decrease personal liability should legal action be taken against the agency or a case manager.
  • Serve as a therapeutic tool for the professional and the family.  Case records can demonstrate how the professional and family collaborate to define the purpose of child welfare work, including the goals and outcomes that will reduce the risk of maltreatment and evaluate the progress toward them.  Some agencies are using instruments and tools that seek input; therefore, the record provides an illustration of this collaborative process.
  • Organize the professional’s thinking about the work.  Structured presentation of factual information leads to more in-depth assessment and treatment planning.  Sloppy recording and disorganized thinking go hand-in-hand and will likely lead to poor service delivery to clients.

Important notes for documentation:

  • Maintain only information that is relevant and necessary to the agency’s purposes.  Facts should be recorded and distinguished from opinions.  When opinions are offered, their basis should be documented (e.g., Mr. Smith appeared to be intoxicated; his eyes were red; he had difficulty standing without losing his balance; his breath smelled of alcohol).
  • Never record details of clients’ intimate lives or their political, religious, or other personal views unless this information is relevant.
  • Record as much information as possible based on direct communication with clients.

Recommendations to include in a substance abuse progress note

  • Condition overview:  Overall, how is the patient?  Better,  the same, or worse?
  • Symptom status:  What is the status of the “target symptoms”?  That is, the signs and symptoms the psychiatrist is monitoring to determine how the treatment is progressing.  Are they still present?  In your opinion, are they better, the same, or worse?  Why?
  • Behaviors:  Information about basic behaviors during the shift, like attendance at activities, appetite, compliance with rules, and medication compliance.  This will certainly tell the psychiatrist something about the patient’s progress and state of mind.
  • Side effects from medications:  Are there any reports or signs of possible side effects of the medication?  They do not need to be labeled as possible side effects, but drowsiness, unsteady gait, dry mouth, and other such symptoms should be documented.  This is particularly important.  It alerts the psychiatrist to potentially serious problems.
  • A mental status examination:  It need not be a full MSE, but a few basic areas should be touched on.  What is the patient’s appearance?  Any psychotic process?  Any anxiety?  What does the mood seem to be?  Again, this highlights the patient’s status and progress and permits the nurse’s powers of observation to be utilized.
  • Special Circumstances: Some patients have special documentation requirements.  For example, patients in restraints or seclusion have special documentation requirements because they are at medical-legal risk.  Some patients have medical needs or need to be re-evaluated with, for example, a fall assessment for a patient who has become unsteady or a patient who needs a body search.
  • Level of Care: Nurses should opine on the reasons or not that the patient requires continued hospitalization.  This means a lot to utilization reviewers; insurance companies need to hear it.
  • Link to Treatment Plan: Most progress notes should be linked to the Treatment Plan. 

Quality documentation is an integral part of treatment.  To ensure the client’s right to confidentiality and to be consistent with many federal and state regulations, professionals must take reasonable steps to control the access of information arising from the delivery of services.

Ultimately, it is the provider’s responsibility to document appropriately and maintain control over their client’s records, taking into account the facilities’ policies and the laws of the state in which they practice. 


Cheng T, Savageau JA, Sattler AL, Dewitt TG. Confidentiality in health care: a survey of knowledge, perceptions, and attitudes among high school students. JAMA. 1993;269(11):1404-1407.

Ford CA, Millstein S. Delivery of confidentiality assurances to adolescents by primary care physicians. Arch Pediatr Adolesc Med. 1997;151(5):505-509.

Ford CA, Bearman PS, Moody J. Foregone health care. JAMA. 1999;282(23):2227-2234.

Marks A, Malizio J, Hoch J, et al. Assessment of health needs and willingness to utilize health care resources of adolescents in a suburban population. J Pediatr. 1983;102(3):456-460.

Thrall JS, McCloskey L, Ettner SL, et al. Confidentiality and adolescents’ use of providers for health information and for pelvic exams. Arch Pediatr Adolesc Med. 2000;154(9):885-892.


Thank you for using!

We appreciate you!