HIPAA: A Trap for the Unwary

Legal Alerts

5.29.14

Recently, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (DHHS) issued a Guidance discussing protection of mental health treatment information under the federal Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations at 45 CFR Parts 160 and 164. The Guidance and other information on the OCR website about mental health treatment information can be very misleading for Michigan mental health (MH) and substance use disorder (SUD) treatment providers and payors, as well as general providers that handle HIV/AIDS patient information.

The Guidance paints a far too liberal picture of when these Michigan providers and payors are permitted to disclose MH, HIV/AIDS and SUD treatment information. In reality, the Michigan Mental Health Code, the Michigan Public Health Code (regarding HIV/AIDS information) and federal regulations protecting the confidentiality of SUD treatment information (42 CFR Part 2) directly prohibit many disclosures that HIPAA permits. Accordingly, looking only to HIPAA for answers about disclosure of MH, HIV/AIDS and SUD information can be a huge and costly mistake. Michigan MH, HIV/AIDS, and SUD treatment providers, payors and even their business contractors need to ask whether a proposed disclosure of information is lawful under a combination of HIPAA, the Michigan Mental Health Code, the Michigan Public Health Code and the federal SUD confidentiality regulations – a question which often is not easy to answer.

For example, HIPAA permits providers and plans to disclose individually identifiable health information (called “protected health information” or PHI under HIPAA) for treatment, payment and health care operations without any patient authorization or consent. But the Michigan Mental Health Code, the Michigan Public Health Code, and 42 CFR Part 2 expressly require a specific kind of patient consent for most of these purposes, with very limited exceptions. Additionally, HIPAA permits a provider or payor to disclose PHI to a business associate (e.g., a vendor that needs PHI in order to perform services for the provider or plan) so long as there is a HIPAA-compliant business associate agreement (BAA) in place. But 42 CFR Part 2 requires a different kind of agreement—called a Qualified Service Organization Agreement (QSOA)—before SUD information can be shared with the equivalent of business associates (called “Qualified Service Organizations”). To avoid the inconvenience of two separate agreements, we have developed a consolidated BAA and QSOA to comply with the slightly incongruent requirements of both HIPAA and 42 CFR Part 2.

Similar issues arise regarding disclosures pursuant to subpoenas, investigative demands, and court orders; disclosures to law enforcement; disclosures to patient family and friends; disclosures to public health authorities; disclosures for scientific research; and disclosures for child welfare protections – to name a few. It often takes very close analysis to chart a path of compliance with all applicable laws without being steered astray by the tempting leniency of HIPAA.

Simply doing what HIPAA permits without considering Michigan and other federal law can result in many legal problems. Failure to consider the Michigan Mental Health Code, the Michigan Public Health Code and 42 CFR Part 2 can:

  • Violate Medicaid managed care regulations of PIHPs at 42 CFR Part 438;
  • Violate Michigan recipient rights protections;
  • Violate 42 CFR Part 2, resulting in potential fines or criminal prosecutions;
  • Violate Michigan facility and individual licensing requirements, leading to potential fines, corrective action plans and even licensure suspension or revocation in extreme cases;
  • Violate contracts between CMHSPs, Regional Entities and MDCH;
  • Violate the terms of SAMHSA grants, potentially jeopardizing SAMHSA funding;
  • Generate potential civil lawsuits for breach of privacy.

SAMHSA recently announced a public listening session on June 11, 2014 to hear the concerns of entities affected by 42 CFR Part 2. Accordingly, Michigan providers and plans have a unique opportunity to tell SAMHSA about the confusion and even burden involved in compliance with 42 CFR Part 2.

With enough stakeholder input, SAMHSA might even be convinced to approach Congress for statutory authority to align 42 CFR Part 2 more closely to HIPAA and alleviate at least some burdens upon affected providers and payors.

For more information on HIPAA, 42 CFR Part 2 and state confidentiality laws, please contact the authors of this alert, Joanne R. Lax at 248-203-0816 or Roselyn R. Parmenter at 734-214-7612.
