If you are ready to enter drug rehab and are worried about how your privacy might be affected, it may be comforting to know that there are laws and regulations in place to protect you. And know that before you enter any treatment center, you can call it directly and ask about its privacy policies. You should always feel empowered to make a decision about whether or not you feel comfortable with how a given program handles patient information before entering it.
The Federal government created confidentiality laws to protect your information under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which all federally assisted drug and alcohol treatment centers must follow. They cannot release patient information unless you give consent or it is authorized under qualifying regulations. Treatment centers that violate these regulations may face a fine of as much as $500 for the first offense and as much as $5,000 for additional offenses. Licensed or State-certified employees (this includes nearly all programs and their employees) run the risk of losing their license or certification if they violate these privacy laws. Further, as a patient, you can sue anyone who discloses your information without your consent.1
The more confident people are that the details of their treatment or diagnosis will not be shared to others without their consent, the more likely they may be to enter (and successfully complete) treatment. This is the guiding principle that led to the establishment of these confidentiality laws in the first place.
After a person completes their intake interviews, they should receive a copy of the facility’s confidentiality and privacy guidelines, which outline their rights as a patient. In almost all cases, rehab center employees must also sign these confidentiality agreements.1
Am I Protected by Law?
In the United States, your medical records are protected through these laws:2-4
- The Health Insurance and Portability and Accountability Act of 1996 (HIPAA): HIPAA protects all identifying information about a person who has applied for, been given a diagnosis of, or received treatment for alcohol or drug abuse at a federally assisted program. Programs cannot legally disclose any information about a patient unless they have given written consent, or unless their case qualifies for another exception that is specified in the HIPPA policy. If medical information is disclosed, it must only be the bare minimum required to carry out the purpose of the disclosure. The same regulations apply to minors who must give written consent before a program will release information to their parent or guardian.
- The Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2) issued in 1975 and revised in 1987: This regulation specifies that substance abuse treatment programs are not allowed to share any patient information that would directly or indirectly identify someone having previous or current alcohol or drug abuse problems, unless the patient gives written consent. A few exceptions to the law’s requirement of written consent exist, including court-ordered criminal investigation against patients, suspected child abuse or neglect, medical emergencies, scientific research, and audit or program evaluation.
HIPAA was designed to give patients more control over their health information and privacy whenever they seek medical care. It sets boundaries on the use and release of medical records and gives patients the right to obtain copies of their own health information.5
Under HIPAA, hospitals, rehab centers, and similar organizations must:5
- Use safeguards that protect their clients’ information.
- Use procedures that keep the number of people who are aware of confidential information to a minimum.
- Train employees about the best ways to maintain confidentiality.
- Post guidelines about their privacy practices and provide copies for clients.
How Your Information May Be Used
Part 2 of HIPAA protects all information that could be used to identity a person, and it permits a patient to revoke their consent orally if they want to. Substance abuse programs must honor any verbal revocation.
According to Part 2 of HIPAA and the Privacy Rule, people within the same treatment program or hospital can communicate patient health information (PHI) on a “need to know” basis. The Privacy Rule requires that programs identify which employees need access to PHI, as well as the appropriate conditions of access to it. After determining which employees have a legitimate need for access, the treatment program must limit access of PHI to these employees only.
There are extenuating circumstances that may arise, which will permit the disclosure of limited patient information, including but not limited to:2
- Crimes: If a patient commits a crime at the treatment center or against employees of the treatment center, Part 2 permits the release of limited patient information to the police. The information is limited to the patient’s name, address, last known whereabouts, and the circumstances of the incident.
- Child abuse: Part 2 allows programs to comply with State laws that require reporting on child abuse and neglect. However, programs may only make an initial report; they may not respond to follow-up requests for information unless the patient has given consent to do so.
- Medical emergencies: Part 2 allows for identifying information to be shared with medical personnel if they need to treat the patient for an immediate medical emergency. The information shared must be limited only to that which is necessary to treat the medical emergency.
- Court-ordered release: If a patient is subpoenaed and signs a consent permitting the release of the information requested in the subpoena, then the program may release it. They may not release information in this case, however, unless the court issues an order that complies with Part 2.
Patients’ Rights Over Information
HIPAA gives patients a number of rights over their personal information, including:
- The right to be informed about how their personal information may be shared.
- The right to withhold permission from their information being used in certain ways.
- The right to receive a report on why and when health practitioners shared their information.
- The right to file a complaint if they believe their health information has not been protected.
When you know your rights and that reputable drug rehabs abide by these confidentiality laws, you can be free of the worry about privacy issues and focus on the most important thing: overcoming your addiction.
Unsure where to start? Take Our Substance Abuse Self-Assessment
Take our free, 5-minute substance abuse self-assessment below if you think you or someone you love might be struggling with substance abuse. This evaluation consists of 11 yes or no questions that are designed to be used as an informational tool to assess the severity and probability of a substance use disorder. The test is free, confidential, and no personal information is needed to receive the result. Please be aware that this evaluation is not a substitute for advice from a medical doctor.
- U.S. Department of Health and Human Services, Public Health Service, Substance Abuse and Mental Health Services Administration, Center for Substance Abuse Treatment. (1994). Confidentiality of Patient Records for Alcohol and Other Drug Treatment.
- U.S. Department of Health and Human Services, Public Health Service, Substance Abuse and Mental Health Services Administration, Center for Substance Abuse Treatment. (2004). The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs.
- Substance Abuse and Mental Health Services Administration. (2018). 42 CFR Part 2 Confidentiality of Substance Use Disorder Patient Records.
- Hu, L.L., Sparenborg, S., & Tai, B. (2011). Privacy protection for patients with substance use problems. Substance Abuse and Rehabilitation, 2, 227–233.
- Centers for Disease Control and Prevention. (2003). HIPAA Privacy Rule and Public Health.