Mid-Atlantic Health Law TOPICS

Background hero atmospheric image for Revised Privacy Rules for Drug Treatment

Revised Privacy Rules for Drug Treatment

This spring, the federal government revised the special rules governing the confidentiality of medical records maintained by health care providers offering substance abuse treatment, the first such revision in thirty years. These rules impose obligations on these providers in addition to — and not in lieu of — the requirements of HIPAA. Three changes in particular should affect the compliance plans for these providers.

First, the rules now cover more records and more patients. The “patients” now covered include prospective patients who have given information to the provider (such as in an intake process), whether or not the patient actually receives services or has an in-person encounter with the provider. The “records” covered now include information about the patient maintained in any medium (including paper records, oral recordings, or electronic records) — matching HIPAA’s wider definition of health information.

Second, the rules have tightened with respect to disclosures and consent to disclosures. The consents must now specify the exact information to be disclosed, and, in most instances, the particular names of the entities or individuals to receive the disclosures. Moreover, the rules now require treatment programs to maintain, for each patient, a list of disclosures made pursuant to such consents. Patients now have a right to request this list of disclosures.

Third, the rules more specifically obligate treatment programs to implement security protections for patient information. For example, the rules now require treatment programs to take measures to control access to workstations, storage rooms, or other locations where the program stores patient information. These rules are generally in harmony with similar security rules under HIPAA.

Health care providers that offer substance abuse treatment should evaluate how the revised rules apply to them. In particular, these providers should amend their existing privacy policies and procedures to accommodate the new rules, and should revise their form consent documents to comply with the new consent requirements.

Jonathan E. Montgomery
410-576-4088 • jmontgomery@gfrlaw.com


June 19, 2017




Rosen, Barry F.


Health Care