Courses: 0

Total: $00.00

Documentation and Patient Confidentiality 20-364720 4 Hours Back to Course Index




Documentation and Patient Confidentiality



Confidentiality and Documentation for Substance Abuse Records  



The laws and regulations governing the confidentiality of substance use disorder records were written out of great concern about the potential use of substance use disorder information against individuals, causing individuals with substance use disorders not to seek needed treatment. The disclosure of records of individuals with substance use disorders has the potential to lead to a host of negative consequences, including loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

A risk managed approach to documentation is a best practice to protect both the client and the professional.  Risk management is a coordinated effort to both benefit the client and protect the practice or agency from legal vulnerability.  The maintenance, content and disclosure of records clearly pose a threat regarding exposure.  By looking at documentation with a risk managed approach, the professional becomes sensitive to what is stated, how it is stated, where it is kept, who has access, and in turn, the consequences of what if scenarios are reduced.

The primary regulations that effect substance abuse treatment confidentiality are title 42 of the Code of Federal Regulations (CFR Part 2), the alcohol and substance abuse treatment confidentiality rule and Health Insurance Portability and Accountability Act of 1996 (HIPAA), federal rules covering all health related information.  There are individual Codes of Ethics for certified and licensed practitioners, as well. 

This course will primarily explore:

  • Regulations of the 42 CFR
  • Patient Rights
  • Documentation 
    • Active Listening
    • Behavioral Observation
  • Release of Information and Informed Consent


Title 42 of the Code of Federal Regulations (CFR) part 2

The purpose of the regulations at title 42 of the Code of Federal Regulations (CFR) part 2  is to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment. Now, more than 29 years since the part 2 regulations were last substantively amended, this final rule makes policy changes to the regulations to better align them with advances in the U.S. health care delivery system while retaining important privacy protections.

The privacy provisions in 42 CFR Part 2 were motivated by the understanding that stigma and fear of prosecution might dissuade persons with substance use disorders from seeking treatment. To add an extra layer of protection on these records, the regulations outline under what limited circumstances information about a patient’s treatment may be disclosed with and without the patient’s consent. Who and what are covered can be confusing, though.

42 CFR Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment. Most drug and alcohol treatment programs are federally assisted. For-profit programs and private practitioners that do not receive federal assistance of any kind would not be subject to the requirements of 42 CFR Part 2 unless the State licensing or certification agency requires them to comply. However, any clinician who uses a controlled substance for detoxification or maintenance treatment of a substance use disorder requires a federal DEA registration and becomes subject to the regulations through the DEA license.

A program is “federally-assisted” if it:

(a) Receives federal funds in any form, whether or not the funds directly pay for alcohol or drug abuse services; or

(b) Is being carried out under a license, certification, registration, or other authorization granted by the federal government (e.g. licensed to provide methadone, certified as a Medicare provider); or

(c) Is assisted by the IRS through a grant of tax exempt status or allowance of tax deductions for contributions; or

(d) Is conducted directly by the federal government or by a state or local government that receives federal funds which could be (but are not necessarily) spent for alcohol or drug abuse programs.

The Federal Drug and Alcohol Confidentiality Law – 42 CFR Part 2 states that any information that would identify a patient as having an alcohol or drug problem, either directly or indirectly, is protected.  

The Federal Drug and Alcohol Confidentiality Law – 42 CFR Part 2’s prohibition on disclosing patient-identifying information has very few exclusions. The following are the general categories of exceptions:

  • written consent
  • internal program communications
  • removal of all patient-identifying information
  • medical emergency
  • court order
  • crime on program premises or against program personnel
  • research
  • audits and evaluations
  • child abuse

The best way to ensure communications are permissible under 42 CFR Part 2 is to have the individual sign a consent/authorization form that complies with the requirements of both HIPAA and 42 CFR Part 2.  

The elements of a consent/authorization form that that must be included are listed below.  In addition also include applicable state law, as well.

  • Name or general designation of the program or person permitted to make the disclosure
  • Name or title of the individual or name of the organization to which disclosure is to be made
  • Name of the patient
  • Purpose of the disclosure
  • How much and what kind of information is to be disclosed
  • Signature of patient (and, in some States, a parent or guardian)
  • Date on which consent is signed revocation at any time except to the extent that the program has already acted on it
  • Date, event, or condition upon which consent will expire if not previously revoked

When information is forwarded to another agency, it must contain the following prohibition:

This notice accompanies a disclosure of information concerning a patient in alcohol/drug abuse treatment, made to you with the consent of such patient. This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR, Part 2).

We will explore consent further in the course.

The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by 42 CFR, Part 2.  A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of this information to criminally investigate or prosecute a client or patient.


Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was enacted in 1996 and its legislation addresses insurance portability, fraud enforcement and administrative simplification.  

Portability is primarily concerned with controlling the continuity of health coverage when an individual changes jobs.  It also addresses under what situations pre-existing medical conditions will be covered.

Fraud enforcement addresses the federal governments fraud enforcement authority in various situations.

We will focus most intently on Administrative Simplification. A significant challenge for most health care providers is to determine the most efficient and cost effective method to protect patients privacy and the confidentiality of protected health information.

HIPAA privacy and security regulations include provisions for punishment of individuals and/or organizations that fail to protect the confidentiality of patient information.  Prior to HIPAA, no federal law protected patient information; consequently, it was sometimes exploited for personal gain.

The HIPAA Act requires that covered entities comply with the regulations. 
Most health care providers, clearinghouses and health plans are covered entities.  Whether your work setting falls under the regulations or not you should be committed to protecting patient privacy and confidentiality.  When an employee compromises patient information and/or records by not adhering to the policies regarding privacy, there is a potential impact to both the hospital or practice and when appropriate, their license to practice.  It is the employees responsibility to carefully review and become knowledgeable of the privacy policy and to comply with the requirements.

The guiding principle for communication with or about patient information should be based on the concept of need to know or who needs the information for treatment and/or health care operations.

Activities such as medical record review, training and evaluation of staff performance are essential functions and must be supported.  However, only those with a need to know will have access to the protected information. 

There are numerous ways medical information may be used by others. The following are three examples:

  • Early termination of an employee because his medical condition could lead to future medical problems.
  • Unauthorized release of potentially damaging medical history which could limit career opportunities
  • Refusal to hire based on certain medical risks.

HIPAA requires covered entities to implement comprehensive policies and procedures to protect the privacy and security of health information.  These requirements are contained in regulations published by the US Department of Health and Human Services.

Covered entities are:

  • Providers who use electronic transactions
  • Health plans
  • Health care clearinghouses

The privacy rule protects individually identifiable heath information in the hands of covered entities and their contractors.

This information is also called protected health information, or PHI. The privacy rule protects individually identifiable heath information, whatever the form of the information (written, electronic or spoken).

Examples of protected health information include:

  • A providers patients medical record
  • A health plans claims information
  • A providers billing information
  • A providers quality assurance files, if they contain information about identifiable individuals
  • A conversation between a doctors receptionist and a patient about the patients insurance coverage.

Any information that could potentially identify the patient is considered individually identifiable information under HIPAA.

Examples include, but are not limited to:

  • Name
  • Address
  • Social Security Number
  • Relatives Name
  • Date of Birth
  • Telephone Number
  • Medical Records Number
  • Fingerprints
  • Photos

Releasing any of this information without establishing that the recipient has a need to know and/or a signed authorization to release is a violation of the HIPAA privacy regulation.

A significant departure from the standard practice is the handling of psychotherapy notes.  These notes have more stringent protection as they generally contain the personal notes of the treating psychotherapist which may be damaging to the individual should the information become available to the general public.

HIPAA requires a specific authorization for the release of psychotherapy notes.

The minimum necessary standard for protection of confidentiality is that a reasonable effort be made by health care workers to use or disclose only the protected health information needed to do their job.  Experienced health care workers can make these reasonable effort decisions more professionally as they are more awareness of good business practices and the HIPAA regulations.  Needless to say, it is an ongoing challenge to maintain the proper balance between patient privacy and comprehensive and timely patient treatment.  One should always ask, “is this needed to do my job” and if the answer is no, act accordingly.

Clinical staff is allowed to review the entire patient record and to share information with other attending clinicians.  This broad approach to record availability for treatment may occasionally expose a clinician to confidential information that is not needed for treatment.  An example would be a patient is in isolation and you become aware of why he or she is there.  This information is confidential and should not be communicated to others.  It is also possible to view patient information at other locations in the hospital.  This information is generally posted in areas that are not readily available to the public.Again, this information is confidential and should not be disclosed to anyone, including co-workers, other patients, visitors or anyone else who may ask.

Protect privacy by:

  • Hold private conversations with patients.Close room doors when possible.
  • Speak softly in semi-private or ward areas and close curtains or other privacy items when possible
  • Avoid discussions of patient information in public places such as the cafeteria, elevators, restrooms, etc.
  • Restrict the use of answering machines to non-confidential information and when appropriate get approval to leave a message
  • Limit paging information to non-confidential information

Every patient has a right to privacy.  It is essential to the success of any practice or facility to adhere to the privacy rules and to also encourage co-workers to follow the rules.

Protect electronic date by:

  • Block patient information when not in use screen savers or log off.
  • Place screens in locations and positions so as to minimize exposure to others.
  • Do not make passwords obvious, such as your name.Commit the password to memory do not write it down and place it on or near the computer.
  • Never share your password with anyone.

The transmission of health information by fax is not covered by the security standards. However, good business practices mandate that an entity should only fax to a secure location and to coordinate with the recipient to ensure their awareness that you are sending a fax and that it contains sensitive information.If you are to receive a fax the process is reversed.Never send a fax to an unattended machine.

If information is obtained appropriately from an entity by an authorized person, and subsequently transmitted by fax to an entity that is not authorized to receive that information this could constitute a violation of both the privacy and security standards.

Providers sometimes are required to release patient information even if the patient does not agree with the transaction.  In most cases the courts authorize the release.  Examples of circumstances that may arise are:

  • Communicable diseases that the law required be reported to health agencies
  • Certain information regarding failure of medical devices is required to be reported by the Food and Drug administration
  • Suspected child abuse or domestic violence is required to be reported to the police in some states
  • The court has a right to certain information about patients when conducting a criminal investigation
  • Providers are required to report suspicious death or certain injuries
  • Providers are required to report death to the coroner


Releasing Information

Authorization for release of records is required for disclosure of health information except for treatment, payment and /or health care operations. The authorization may be revoked at any time or the patient may restrict how such information is used in support of treatment, payment and health care operations.

Health information is sometimes disclosed to people who do not need it. For example:

  • A receptionist calls out a patients name in a waiting room, disclosing their identity to others in the room
  • A patient in a semi-private room overhears a discussion between another patient and a physician

The only time client information can be released is:

  • The client consents/authorization
  • When rule does not apply:  
    • Communication internal to agency
    • Crimes on the program premises or against agency personnel
    • Qualified Service Organization Agreement
    • Reporting suspected child abuse or neglect
    • Medical Emergencies
    • Research
    • Audit and evaluation
  • Court order authoring disclosure (Subpoena is not the same as court order)

Patients are generally informed when their health information is reported; however, they do not have the authority to block the release.  Individuals should not report this information unless reporting is part of their job.  Consult with your supervisor if you have any questions about whether a report is necessary.

Release of information forms should include:

  • Name of client
  • Name of organization to make the disclosure
  • Name of organization to whom information is being disclosed
  • Kind and amount of information to be given
  • Purpose of disclosure
  • Statement that consent may be revoked at any time, except as already relied upon and/or criminal justice system consent
  • Date or condition when consent will terminate
  • Client signature and date or signature of minor’s parent or other authorized to sign in lieu of client when necessary
  • Signature of staff assisting client with release

When any information is released it should be documented in the file.  



What information is available to be protected or released is a product of documenting what occurs during treatment.  Documentation is an opportunity to reflect on the session or group, the work with the client, and the client’s progress or barriers to progress. Without this opportunity for reflection, counselors and clinicians may get stuck in a cycle of reactivity, responding to the latest crisis without the foundation setting that may prevent future crises, and repeating past mistakes or doing what has always been done without reflecting on their practice.

In addition, progress notes are critical in order to provide a summary of the unique treatment goals, barriers, progress, and needs of a particular case. Provider agencies are encouraged to ensure that their counselors and clinicians document accordingly and to ensure that clinical documentation is thorough, purposeful, and conveys the important details of why services are being provided and how the client is responding to their care. Effective documentation can provide a history and current status of a client’s treatment or situation.  This can benefit the therapeutic process by noting progress and marking the appropriate course of services.  If the client begins to decline the progress notes can provide insight into what might have preceded the difficulty.  What information is maintained in the record is of consequence in many cases; one of point is if the record becomes a court document, as many do.  Additionally, conscientious maintenance of records may be necessary for financial purposes.  Third party payers often require certain types of documentation for reimbursement. 

A good understanding of treatment progress can be obtained through active listening and behavioral observation.  Active listening is an essential skill counselors can use to develop a positive and healthy interaction with a client.  Active listening intentionally focuses an individual on who and what they are listening to, whether in a group or one-on-one, in order to understand what is being said and what is meant by it.  Direct observation is a method of collecting information by watching someone and paying attention to what they say and do.

A counselor should:

  1. Give the person speaking their full attention.
  2. Repeat the conversation back to them, in their own words, providing their interpretation or understanding of the client’s meaning (paraphrasing).
  3. By reflecting the content of what is being said back to the speaker, check their understanding of the message.
  4. Be as accurate in summarizing the client’s meaning as much as they can.
  5. Try again if their paraphrasing is not accurate or well received.
  6. Feed back to the client their feelings as well as the content (e.g. how did you feel when…? How did that affect you…? It looks like that made you really angry).
  7. Challenge in a non-threatening and subtle manner.
    1. Statement: “This is hopeless.” Paraphrasing: “It seems hopeless to you right now”.
    2. Statement: “There is nothing I can do”. Paraphrasing: “You can’t find anything that would fix it”.
  8. Not try to force conversation, allow silences — and be aware of body language, notice changes and respond accordingly.

Counselors should refrain from…

  1. Talking about themselves and introducing their own reactions or well intended comments.
  2. Changing topics and thinking about what they will say next.
  3. Advising, diagnosing, reassuring, encouraging, criticizing or baiting a client.
  4. Using “mm” or “ah ah” exclusively or inappropriately or parrot their words.
  5. Pretending to have understood the person or their meaning if they haven’t.
  6. Allowing the client to drift to a less significant topic, because they feel the counselor doesn’t understand.
  7. Fixing, changing or improving what they have said — or finishing their sentences for them.
  8. Filling every space with talk.
  9. Ignoring their feelings in the situation.

As we have explored there are federal laws that govern record keeping and in addition there are state laws and facility rules and policies that have their own requirements.

Good documentation can:

  • Provide accountability for the agency and the professional. Records should describe who is and is not served (including any other household members who may not be participating in services), the kinds of services provided (or not provided due to availability or level of service issues), the basis for all decisions, the degree to which policies and procedures are implemented, and other aspects of accountability and quality control. The record provides a statement about the quality of work that may decrease personal liability should legal action be taken against the agency or a case manager.


  • Serve as a therapeutic tool for the professional and the family. Case records can demonstrate the way in which the professional and family collaborate to define the purpose of child welfare work, including the goals and outcomes that will reduce the risk of maltreatment, and serve to evaluate the progress toward them. Some agencies are using instruments and tools that seek input, and, therefore, the record itself provides an illustration of this collaborative process.


  • Organize the professional’s thinking about the work. Structured presentation of factual information leads to more in depth assessment and treatment planning. Sloppy recording and disorganized thinking go hand-in-hand and will likely lead to poor service delivery to clients.


Important notes for documentation:

  • Maintain only information that is relevant and necessary to the agency’s purposes. Facts should be recorded and distinguished from opinions. When opinions are offered, their basis should be documented (e.g., Mr. Smith appeared to be intoxicated; his eyes were red; he had difficulty standing without losing his balance; his breath smelled of alcohol).


  • Never record details of clients’ intimate lives or their political, religious, or other personal views, unless this information is relevant.


  • Record as much information as possible based on direct communication with clients.


Recommendations to include in a substance abuse progress note:

  • Condition overview:  Overall, how is the patient?  Better, the same, or worse?


  • Symptom status:  What is the status of the “target symptoms”? That is, the signs and symptoms the psychiatrist is monitoring to determine how treatment is progressing. Are they still present? In your opinion are they better, the same, or worse? Why?


  • Behaviors:  Information about basic behaviors during the shift, like attendance at activities, appetite, compliance with rules, and medication compliance. This will certainly tell the psychiatrist something about the patient’s progress and state of mind.


  • Side effects from medications:  Are there any reports or signs of possible side effects of the medication? They do not need to be labeled as possible side effects, but drowsiness, unsteady gait, dry mouth, and other such symptoms should be documented. This is particularly important. It alerts the psychiatrist to potentially serious problems.


  • A mental status examination:  It need not be a full MSE, but a few basic areas should be touched on. What is the patient’s appearance? Any psychotic process? Any anxiety? What does the mood seem to be? This again highlights the patient’s status and progress but also permits the nurse’s powers of observation to be utilized.


  • Special Circumstances:  Some patients have special documentation requirements. Patient’s in seclusion, for example, have special documentation requirements because they are at medical-legal risk. Some patients have medical needs or need to be re-evaluated with, for example, a fall assessment for a patient who has become unsteady or a patient who needs a body search.


Quality documentation is an integral part of treatment.  To ensure the client’s right of confidentiality and to be consistent with many federal and state regulations, professionals must take reasonable steps to control the access of information arising from the delivery of services.

Ultimately, it is the providers responsibility to document appropriately and to maintain control over their client’s records, taking into account the policies of the facilities and the laws of the state in which they practice. 


Privacy must be considered in any meaningful discussion about sharing medical records. An individual’s health information is private and, if shared inappropriately, could cause great harm. For clients with substance use disorders, inappropriate disclosure of their treatment can be devastating. Prejudice against people with alcohol and other substance use disorders can lead to job loss and the ruin of important relationships. Too many clients hide their substance use and put off treatment because of this stigma.  Appropriate documentation and the protection of these records make an important change in whether someone seeks treatment.

Thank you for using!

We appreciate you!