4.3 HIPAA in SUD Treatment

Key Takeaways

  • HIPAA's Privacy Rule protects Protected Health Information (PHI) and permits use or disclosure for treatment, payment, and health care operations (TPO) without separate patient authorization.
  • The 'minimum necessary' standard requires disclosing only the least amount of PHI needed to accomplish the purpose, except for treatment disclosures to providers, disclosures to the patient, and disclosures required by law.
  • Patients have rights to access their PHI, request amendments, obtain an accounting of disclosures, request restrictions, and receive a Notice of Privacy Practices.
  • When HIPAA and 42 CFR Part 2 both apply to the same record, the counselor follows whichever rule is more protective of the patient on that issue.
  • A Business Associate Agreement (BAA) is required whenever a vendor, EHR provider, billing service, or contractor creates, receives, maintains, or transmits PHI on behalf of the program.

Last updated: June 2026

HIPAA in Substance Use Disorder Treatment

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to most SUD treatment settings because they are covered entities: health care providers that transmit health information electronically in connection with standard transactions such as claims. Part 2 sits on top of HIPAA for SUD programs; HIPAA still governs everything Part 2 does not address. HIPAA has two main rules the ADC exam expects you to distinguish: the Privacy Rule (who may use or disclose PHI) and the Security Rule (administrative, physical, and technical safeguards for electronic PHI, or ePHI).

What HIPAA Protects: PHI

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity in any form: paper, electronic, or oral. The rule lists 18 identifiers, including name, address, dates more specific than the year, phone number, email address, medical record number, Social Security number, biometric identifiers, full-face photographs, and any other unique code that can be linked back to the patient.

De-identified data (when all 18 identifiers are removed, or a qualified statistician certifies a very low re-identification risk) is no longer PHI and falls outside the Privacy Rule.

The TPO Framework

Under HIPAA, a covered entity may use or disclose PHI for Treatment, Payment, and Health Care Operations (TPO) without separate patient authorization.

Purpose and examples:

  • Treatment: provider-to-provider consultation, referral to a psychiatrist, sharing records with a primary care physician for coordinated care.
  • Payment: submitting claims to insurance, prior authorization, billing the patient.
  • Health Care Operations: quality improvement, training, accreditation, internal audits, credentialing.

For disclosures outside TPO (for example, sharing with a friend, an employer, or for marketing or fundraising), HIPAA requires a separate written authorization. Note the difference in terms: HIPAA uses "authorization" for these uses, while Part 2 uses "consent." Part 2 imposes its own consent requirement on top of HIPAA for SUD records, even for treatment.

Minimum Necessary

When using or disclosing PHI, the covered entity must limit the information to the minimum necessary to accomplish the purpose. Three categories are exempt from this standard: treatment disclosures to other providers, disclosures to the patient themselves, and disclosures required by law. Sending the entire chart when only the discharge summary was requested is a Privacy Rule violation even when HIPAA otherwise permits the disclosure.

Patient Rights Under HIPAA

HIPAA grants patients enforceable rights over their PHI:

  1. Right of access: a patient may inspect and obtain a copy of their PHI, generally within 30 days of request (one 30-day extension permitted with written notice).
  2. Right to amend: a patient may request correction of inaccurate or incomplete PHI; the provider may deny in limited circumstances and must allow a written statement of disagreement.
  3. Right to an accounting of disclosures: for most non-TPO disclosures made in the prior six years.
  4. Right to request restrictions: including a mandatory restriction when the patient pays out of pocket in full and asks that the disclosure not be made to a health plan.
  5. Right to confidential communications: patients may ask that PHI be sent to an alternate address or by an alternate method.
  6. Right to a Notice of Privacy Practices (NPP): describing how PHI is used and patient rights.
  7. Right to file a complaint with the provider and with the HHS Office for Civil Rights (OCR).

HIPAA vs 42 CFR Part 2: Which Wins?

When both rules apply to the same record:

  • For disclosure to providers for treatment, HIPAA allows it without separate authorization; Part 2 requires patient consent. Part 2 controls because it is stricter.
  • For breach notification, HIPAA's breach rule applies; the 2024 Part 2 final rule explicitly incorporates HIPAA breach notification.
  • For patient access to their own records, both rules grant access, and the program follows whichever timeline is faster for the patient.
  • For uses and disclosures NOT mentioned in Part 2 (for example, fundraising), HIPAA's rules apply.

The practical rule is: follow whichever law gives the patient more protection on the specific issue in front of you.

Business Associate Agreements

A Business Associate (BA) is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include EHR vendors, billing services, transcription services, cloud storage providers, shredding services, and external consultants.

A Business Associate Agreement (BAA) is a written contract that:

  • Limits the BA's use and disclosure of PHI to the contracted purposes.
  • Requires the BA to safeguard PHI.
  • Requires the BA to report breaches to the covered entity.
  • Extends downstream to the BA's subcontractors.

Using a vendor that handles PHI without a BAA is itself a HIPAA violation, regardless of whether a breach ever occurs.

Breach Notification

Under the HIPAA Breach Notification Rule, an impermissible use or disclosure is presumed a reportable breach unless a risk assessment shows a low probability that PHI was compromised. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; OCR is notified within 60 days for breaches affecting 500 or more individuals, and annually for smaller breaches. As of the 2024 final rule, these obligations extend to Part 2 records.

Common SUD-Setting HIPAA Mistakes

  • Leaving a chart open on a screen visible from the waiting room.
  • Discussing a patient by name in a hallway or elevator.
  • Texting a colleague about a case from a personal phone with no encryption and no BAA covering the device.
  • Posting a recovery success story on social media with identifying details even with verbal patient permission, when no authorization was ever signed.

[Figure: Where Information Flows Without Separate Authorization]

Test Your Knowledge

  1. Under HIPAA's 'minimum necessary' standard, a billing clerk asks for a patient's complete chart to submit a claim for one office visit. What is the correct response?
  2. A patient asks for a copy of their SUD treatment record. HIPAA's Privacy Rule generally requires the provider to respond within:
  3. An SUD program contracts with a cloud-based electronic health record vendor. What is required under HIPAA?