4.1 Disclosure of Behavioral Health Information
4.1.4 Did you know…?
4.1.7-A. Overview of confidentiality information
4.1.7-B. General procedures for all disclosures
4.1.7-C. Disclosure of information not
related to alcohol and drug treatment
4.1.7-D. Disclosures of alcohol and drug
4.1.7-E Security Breach Notification
To improve the efficiency and effectiveness of the health care system,
the Health Insurance Portability and Accountability Act (HIPAA)
of 1996 included provisions for national standards for electronic
health care transactions. To safeguard the privacy of health care
information, Congress incorporated provisions that mandated the
adoption of federal privacy protections for individually identifiable
health information. HIPAA specifies how a person’s protected
health information will be used and disclosed. The U.S. Department
of Health and Human Services has issued federal regulations (the
Privacy Rule) that provide individuals with certain rights to control
the use and disclosure of their protected health information. The
Privacy Rule is applicable to any agency that has identified itself
to be one of three types of “covered entities”: health
plan, health care provider and/or health care clearinghouse. By
the compliance date of April 14, 2003, covered entities must have
implemented standards to protect and guard against the misuse of
protected health information.
In 2009 Congress enacted the HITECH Act (Health Information Technology
for Economic and Clinical Health Act) (Title XII, Subtitle D of the American
Recovery and Reinvestment Act of 2009 (P.L. 111-005), which substantially
expands the HIPAA Privacy and Security Rule. Tribal and Regional Behavioral
Health authorities (T/RBHAs) and their subcontracted providers are now required
to comply with the HITECH Act regarding how they use and disclose protected
health information. In the event a behavioral health recipient’s unsecured PHI
has been impermissibly used or disclosed, T/RBHAs and their subcontracted
providers are responsible for notifying each affected individual in accordance
with the HITECH Act Security Breach Notification requirement.
Department of Health Services/Division of Behavioral Health Services,
the T/RBHAs and behavioral health providers must all comply with
the Privacy Rule when providing health care services and/or paying
for services with state and federal funds. Each organization is
a separate “covered entity” and therefore must individually
institute practices for complying with the Privacy Rule.
is intended to provide guidance as to whom information can be disclosed
to and when authorization1 is required prior to that disclosure.
It is not all-inclusive of the HIPAA and State Laws; the references
throughout are available for providers to access and examine the
applicable laws for more detail.
The following citations can serve as additional resources for this
To whom does this apply?
receiving, or who have received, services through Arizona’s
public behavioral health system.
Did you know...?
- The “minimum
necessary” standard ensures that only the minimum information
necessary to accomplish an intended purpose is requested and disclosed.
- The United
States Health and Human Services Department/Office of Civil Rights
(OCR) has the authority for administering and enforcing compliance
with the Privacy Rule. The OCR can assess significant penalties
for failure to comply with HIPAA, including monetary fines and
the loss of federal funds.
- Other components
of HIPAA include the Transaction and Code Set Rules and the Security
- All covered
entities must have a HIPAA Compliance Officer to hear complaints
and address inquiries regarding the provider’s practices.
and Drug Abuse Program (42 C.F.R. Part 2)
Designated Record Set
Health Insurance Portability and Accountability Act (HIPAA)
Individually Identifiable Health
Unsecured Protected Health Information
To give guidance to behavioral health providers on the
obligations relating to the HIPAA laws and State laws and regulations
related to the use, disclosure or when responding to requests for
protected health information.
Overview of confidentiality information
T/RBHAs and subcontracted behavioral health providers must
keep medical and behavioral health records
and all information contained in those records confidential and
cannot disclose such information unless permitted or required by
federal or state law. The law regulates two major categories of
obtained when providing behavioral health services not related
to alcohol or drug abuse referral, diagnosis and treatment; and
obtained in the referral, diagnosis and treatment of alcohol or
Health Information Not Related to Alcohol and Drug Treatment
Information obtained when providing behavioral health services not
related to alcohol and drug abuse treatment is governed by state
law and the HIPAA Privacy Rule, 45 C.F.R., Part 164, Subparts A and
E, Part 160 Subparts A and B (“the HIPAA Rule”). The
HIPAA Rule permits a covered entity (health plan, health care provider,
health care clearinghouse) to use or disclose protected health information
with or without patient authorization in a variety of circumstances,
some of which are required and others that are permissive. Many
of the categories of disclosures contain specific words and phrases
that are defined in the HIPAA Rule. Careful attention must be paid
to the definitions of words and phrases in order to determine whether
disclosure is allowed. In addition, the HIPAA Rule may contain exceptions
or special rules that apply to a particular disclosure. State law
may affect a disclosure. For example, the HIPAA Rule may preempt a
state law or a state law may preempt the HIPAA Rule.
In addition, a covered entity must, with certain exceptions, make
reasonable efforts to limit protected health information to the
minimum necessary to accomplish the intended purpose of the disclosure.
Before disclosing protected health information, it is good practice
to consult the specific citation to the HIPAA Rule, state law and
consult with legal counsel before disclosing an individual’s
protected health information. See 4.1.7-C. for more detail regarding
the disclosure of behavioral health information not related to alcohol
or drug referral, diagnosis or treatment.
Alcohol Abuse Information
Information regarding treatment for alcohol or drug abuse is afforded
special confidentiality by Federal statute and regulation. This
includes any information concerning a person’s diagnosis or
treatment from a federally assisted alcohol or drug abuse program
or referral to a federally assisted alcohol or drug abuse program.
See subsection 4.1.7-D. for more detail regarding the disclosure
of drug and alcohol abuse information.
General procedures for all disclosures
- Unless otherwise
excepted by state or federal law, all information obtained about
a person related to the provision of behavioral health
services to the person is confidential whether the information
is in oral, written, or electronic format.
records generated as a part of the ADHS/DBHS or RBHA grievance
and appeal processes are legal records, not medical records, although they may contain copies of portions of a person’s
medical record. To the extent these legal records contain personal
medical information, ADHS/DBHS or the RBHA will redact or de-identify
the information to the extent allowed or required by law.
of Persons Accessing Records
The T/RBHA must ensure that a list is kept of every person or organization
that inspects a currently or previously enrolled person’s records
other than the person’s clinical team, the uses to be made
of that information and the staff person authorizing access. The
access list must be placed in the enrolled person’s record
and must be made available to the enrolled person, their guardian
or other designated representative.
to Clinical Teams
Disclosure of information to members of a clinical team may or may
not require an authorization depending upon the type of information
to be disclosed and the status of the receiving party. Information
concerning diagnosis, treatment or referral for drug or alcohol
treatment may only be disclosed to members of a clinical team with
patient authorization as prescribed in subsection 4.1.7-D. Information
not related to drug and alcohol treatment may be disclosed without
patient authorization to members of a clinical team who are providers
of health, mental health or social services, provided the information
is for treatment purposes as defined in the HIPAA Rule. Disclosure
to members of a clinical team who are not providers of health, mental
health or social services requires the authorization of the person
or the person’s legal guardian or parent as prescribed in
to persons involved in court proceedings
Disclosure of information to persons involved in court proceedings
including attorneys, probation or parole officers, guardians ad
litem and court appointed special advocates may or may not require
an authorization depending upon the type of information to be disclosed
and whether the court has entered orders permitting the disclosure.
Disclosure of information not related to alcohol and drug treatment
The HIPAA Rule and state law allow a covered entity to
disclose protected health information under a variety of conditions.
This is a general overview and does not include an entire description
of legal requirements for each disclosure. The latter part of subsection
4.1.7-C. contains a more detailed description of circumstances that
are likely to involve the use or disclosure of behavioral health
Below is a general
description of all required or permissible disclosures:
To the individual and the individual’s health care decision
To health, mental health and social service providers for treatment,
payment or health care operations;
Incidental to a use or disclosure otherwise permitted or required
by 45 C.F.R. Part 164, Subpart E;
To a person or entity with a valid authorization;
Provided the individual is informed in advance and has the
opportunity to agree or prohibit the disclosure:
For use in facility directories;
persons involved in the individual’s care and for
When required by law;
For public health activities;
About victims of child abuse, neglect or domestic violence;
For health oversight activities;
For judicial and administrative proceedings;
For law enforcement purposes;
About deceased persons;
For cadaveric organ, eye or tissue donation purposes;
For research purposes;
To avert a serious threat to health or safety or to prevent
harm threatened by patients;
To a human rights committee;
For purposes related to the Sexually Violent Persons program;
With communicable disease information;
To personal representatives including agents under a health
For evaluation or treatment;
To business associates;
To the Secretary of Health and Human Services or designee
to investigate or determine compliance with the HIPAA Rule;
For specialized government functions;
Under a data use agreement for limited data;
For underwriting and related purposes;
the Arizona Center For Disability Law in its capacity as
the State Protection and Advocacy Agency;
To a third party payor to
To a private entity that accredits a health care provider;
To the legal representative of a health care entity in possession
of the record for the purpose of securing legal advice;
To a person or entity as otherwise required by state or
To a person or entity permitted by the federal regulations
on alcohol and drug abuse treatment (42 C.F.R. Part 2);
To a person or entity to conduct utilization review, peer
review and quality assurance pursuant to Section 36-441,
36-445, 36-2402 or 36-2917;
To a person maintaining health statistics for public health
purposes as authorized by law; and
To a grand jury as directed by subpoena.
Below is a description
of the circumstances in which behavioral health information is likely
to be required or permitted to be disclosed.
to an individual
covered entity is required to disclose information in a designated
record set to an individual when requested unless contraindicated.
Contraindicated means that access is reasonably likely to endanger
the life or physical safety of the patient or another person (See
A.R.S. § 36-507(3); 45 C.F.R. § 164.524; A covered entity
should read and carefully apply the provisions in §164.524
before disclosing protected health information in a designated record
set to an individual.
has a right of access to his or her designated record set, except
for psychotherapy notes and information compiled for pending litigation.
See 45 C.F.R. §164.524(a)(1) and Section 13405(e) or the HITECH
Act. Under certain conditions a covered entity
may deny an individual access to the medical record without providing
the individual an opportunity for review. See 45 C.F.R.
§164.524(a)(2). Under other conditions, a covered entity may
deny an individual access to the medical record and must provide
the individual with an opportunity for review. See 45 C.F.R. §164.524(a)(3).
A covered entity must follow certain requirements for a review when
access to the medical record is denied. See 45 C.F.R. §164.524(a)(4).
must be permitted to request access or inspect or obtain a copy
of his or her medical record. See 45 C.F.R. §164.524(b)(1). A covered
entity is required to act upon an individual’s request in
a timely manner. See 45 C.F.R. §164.524(b)(2).
may inspect and be provided with one free copy per year of his or
her own medical record, unless access has been denied.
A covered entity
must follow certain requirements for providing access, the form
of access and the time and manner of access. See 45 C.F.R. §164.524(c).
A covered entity
is required to make other information available in the record when
access is denied, must follow other requirements when making a denial
of access, must inform an individual of where medical records are
maintained and must follow certain procedures when an individual
requests a review when access is denied. See 45 C.F.R. §164.524(d).
A covered entity
is required to maintain documentation related to an individual’s
access to the medical record. See 45 C.F.R. §164.524(e).
Disclosure with an individual’s authorization
The HIPAA Rule allows information to be disclosed with an individual’s
For all uses
and disclosures that are not permitted by the HIPAA Rule, patient
authorization is required. See 45 C.F.R. §§ 164.502(a)(1)(iv); and
164.508. An authorization must contain all of the elements in 45
A copy of the
authorization must be provided to the individual. The authorization
must be written in plain language and must contain the following
- A description
of the information to be used or disclosed that identifies the
information in a specific and meaningful fashion;
- The name
or other specific identification of the person(s), or class of
persons, authorized to make the requested use or disclosure;
- The name
or other specific identification of the person(s), or class of
persons, to whom the covered entity may make the requested use
- A description
of each purpose of the requested use or disclosure. The statement
“at the request of the individual” is a sufficient
description of the purpose when an individual initiates the authorization
and does not, or elects not to, provide a statement of the purpose;
- An expiration
date or an expiration event that relates to the individual or
the purpose of the use or disclosure. The statement “end
of the research study,” “none,” or similar language
is sufficient if the authorization is for a use or disclosure
of protected health information for research, including for the
creation and maintenance of a research database or research repository;
of the individual and date. If the authorization is signed by
a personal representative of the individual, a description of
the representative’s authority to act for the individual
must also be provided.
to the core elements, the authorization must contain statements
adequate to place the individual on notice of all of the following:
- The individual’s
right to revoke the authorization in writing, and either:
exceptions to the right to revoke and a description of how
the individual may revoke the authorization; or
- A reference
to the covered entity’s notice of privacy practices
if the notice of privacy practices tells the individual how
to revoke the authorization.
- The ability
or inability to condition treatment, payment, enrollment or eligibility
for benefits on the authorization, by stating either:
covered entity may not condition treatment, payment, enrollment
or eligibility for benefits on whether the individual signs
the authorization when the prohibition on conditioning of
authorizations in 45 C.F.R. §164.508 (b)(4) applies; or
- The consequences
to the individual of a refusal to sign the authorization when,
in accordance with 45 C.F.R. §164.508 (b)(4), the covered entity
can condition treatment, enrollment in the health plan or
eligibility for benefits on failure to obtain such authorization.
- The potential
for information disclosed pursuant to the authorization to be
subject to redisclosure by the recipient.
to health, mental health and social service providers for treatment,
payment or health care operations; reports of abuse and neglect
Disclosure is permitted without patient authorization to health,
mental health and social service providers involved in caring for
or providing services to the person for treatment, payment or health
care operations as defined in the HIPAA Rule. These disclosures
are typically made to primary care physicians, psychiatrists, psychologists,
social workers (including DES and DDD) or other behavioral health
professionals. Particular attention must be paid to 45 C.F.R. §164.506(c)
and the definitions of treatment, payment and health care operations
to determine the scope of disclosure. For example, a covered entity
is allowed to disclose protected health information for its own
treatment, payment or health care operations. See 45 C.F.R. §164.506(c)(1).
A covered entity may disclose for treatment activities of a health
care provider including providers not covered under the HIPAA Rule.
See 45 C.F.R. §164.506(c)(2). A covered entity may disclose to both
covered and non-covered health care providers for payment activities.
See 45 C.F.R. §164.506(c)(3). A covered entity may disclose to another
covered entity for the health care operations activities of the
receiving entity if each entity has or had a direct treatment relationship
with the individual and the disclosure is for certain specified
purposes in the definition of health care operations. See 45 C.F.R. §164.506(c)(4).
If the disclosure
is not for treatment, payment, or healthcare operations or
required by law, patient
authorization is required.
The HIPAA Rule
does not modify a covered entity’s obligation under A.R.S.
§ 13-3620 to report child abuse and neglect to Child Protective
Services or disclose a child’s medical records to Child Protective
Services for investigation of child abuse cases.
covered entity may have an obligation to report adult abuse and
neglect to Adult Protective Services. See A.R.S. § 46-454.
The HIPAA Rule imposes other requirements in addition to those contained
in A.R.S. § 46-454, primarily that the individual be notified
of the making of the report or a determination by the reporting
person that it is not in the individual’s best interest to
be notified. See 45 C.F.R. §164.512(c).
to other persons including family members
A covered entity may disclose protected health information without
authorization to other persons including family members actively
participating in the patient's care, treatment or supervision. Prior
to releasing information, an agency or non-agency treating professional
or that person's designee must have a verbal discussion with the
person to determine
whether the person objects to the disclosure. If the person objects,
the information cannot be disclosed. If the person does not object,
or the person lacks capacity to object, the treating professional must perform an evaluation to determine
whether disclosure is in that person's best interests. A decision
to disclose or withhold information is subject to review pursuant
to A.R.S. § 36-517.01.
An agency or
non-agency treating professional may only release information relating
to the person's diagnosis, prognosis, need for hospitalization,
anticipated length of stay, discharge plan, medication, medication
side effects and short-term and long-term treatment goals. See A.R.S.
The HIPAA Rule
imposes additional requirements when disclosing protected health
information to other persons including family members. A covered
entity may disclose to a family member or other relative the protected
health information directly relevant to the person’s involvement
with the individual’s care or payment related to the individual’s
health care. If the individual is present for a use or disclosure
and has the capacity to make health care decisions, the covered
entity may use or disclose the protected health information if it
obtains the individual’s agreement, provides the individual
with the opportunity to object to the disclosure, and the individual
does not express an objection. If the individual is not present,
or the opportunity to agree or object to the use or disclosure cannot
practicably be provided because of the individual’s incapacity
or an emergency circumstance, the covered entity may, in the exercise
of professional judgment, determine whether the disclosure is in
the best interests of the individual and, if so, disclose only the
protected health information that is directly relevant to the person’s
involvement with the individual’s health care. See 45 C.F.R. §164.510(b).
to an agent under a health care directive
A covered entity may treat an agent appointed under a health
care directive as a personal representative of the individual. See
45 C.F.R. §164.502(g). Examples of agents appointed to act on an individual’s
behalf include an agent under a health care power of attorney, see A.R.S. § 36-3221 et seq.; surrogate decision makers, see A.R.S.
§ 36-3231; and an agent under a mental health care power of
attorney, see A.R.S. § 36-3281.
to a personal representative
Minors. A covered entity may disclose protected health information
to a personal representative, including the personal representative
of an unemancipated minor, unless one or more of the exceptions
described in 45 C.F.R. §§ 164.502(g)(3)(i) or 164.502(g)(5) applies.
See 45 C.F.R. § 164.502(g)(1).
rule is that if state law, including case law, requires or permits
a parent, guardian or other person acting in loco parentis to
obtain protected health information, then a covered entity may
disclose the protected health information. See 45 C.F.R. § 164.502(g)(3)(ii)(A).
if state law, including case law, prohibits a parent, guardian
or other person acting in loco parentis from obtaining protected
health information, then a covered entity may not disclose the
protected health information. See 45 C.F.R. §164.502(g)(3)(ii)(B).
law, including case law, is silent on whether protected health
information can be disclosed to a parent, guardian or other
person acting in loco parentis, a covered entity may provide
or deny access under 45 C.F.R. § 164.524 to a parent, guardian or
other person acting in loco parentis if the action is consistent
with State or other applicable law, provided that such decision
must be made by a licensed health care professional, in the
exercise of professional judgment. See 45 C.F.R. §164.502(g)(3)(ii)(C).
- Adults and
Emancipated Minors. If under applicable law, a person has authority
to act on behalf of an individual who is an adult or an emancipated
minor in making decisions related to health care, a covered entity
must treat such persons as a personal representative with respect
to protected health information relevant to such personal representation.
See 45 C.F.R. § 164.502(g)(2). Simply stated, if there is a state law
that permits the personal representative to obtain the adult or
emancipated minor’s protected health information, the covered
entity may disclose it. A covered entity may withhold protected
health information if one or more of the exceptions in 45 C.F.R. §
persons. If under applicable law, an executor, administrator or
other person has authority to act on behalf of a deceased individual
or of the individual’s estate, a covered entity must treat
such persons as a personal representative with respect to protected
health information relevant to the personal representation. See
45 C.F.R. §164.502(g)(4). A covered entity may withhold protected health
information if one or more of the exceptions in 45 C.F.R. § 164.502(g)(5)
applies. A.R.S. §§ 12-2294 (D) provides certain persons
with authority to act on behalf of a deceased person.
for court ordered evaluation or treatment
An agency in which a person is receiving court ordered evaluation
or treatment is required to immediately notify the person's guardian
or agent or, if none, a member of the person's family that the person
is being treated in the agency. See A.R.S. § 36-504(B). The
agency shall disclose any further information only after the treating
professional or that person's designee interviews the person undergoing
treatment or evaluation to determine whether the person objects
to the disclosure and whether the disclosure is in the person's
best interests. A decision to disclose or withhold information is
subject to review pursuant to section A.R.S. § 36-517.01.
If the individual
or the individual’s guardian makes the request for review,
the reviewing official must apply the standard in 45 C.F.R. § 164.524(a)(3).
If a family member makes the request for review, the reviewing official
must apply the “best interest” standard in A.R.S. §
decision may be appealed to the superior court. See A.R.S. §
36-517.01(B). The agency or non-agency treating professional must
not disclose any treatment information during the period an appeal
may be filed or is pending.
for health oversight agencies
A covered entity may disclose protected health information
without patient authorization to a health oversight agency for oversight
activities authorized by law, including audits; civil, administrative,
or criminal investigations; inspections; licensure or disciplinary
actions; civil, administrative, or criminal proceedings or actions
or other activities necessary for appropriate oversight of entities
subject to government regulatory programs for which health information
is necessary for determining compliance with program standards.
See 45 C.F.R. § 164.512(d).
for judicial and administrative proceedings including court ordered
A covered entity may disclose protected health information without
patient authorization in the course of any judicial or administrative
proceeding in response to an order of a court or administrative
tribunal, provided that the covered entity discloses only the protected
health information expressly authorized by the order. See 45 C.F.R. §
164.512(e). In addition, a covered entity may disclose information
in response to a subpoena, discovery request or other lawful process
without a court order if the covered entity receives satisfactory
assurances that the requesting party has made reasonable efforts
to provide notice to the individual or has made reasonable efforts
to secure a qualified protective order. See 45 C.F.R. §§ 164.512(e)(1)(iii),(iv)
and (v) for what constitutes satisfactory assurances.
to persons doing research
A covered entity may disclose protected health information
to persons doing research without patient authorization provided
it meets the de-identification standards of 45 C.F.R. §164.514(b). If
the covered entity wants to disclose protected health information
that is not de-identified, patient authorization is required or
an Institutional Review Board or a privacy board in accordance with
the provisions of 45 C.F.R. § 164.512(i)(1)(i) can waive it.
to prevent harm threatened by patients
Mental health providers have a duty to protect others against
the conduct of a patient. See A.R.S. § 36-517.02. When a patient
poses a serious danger of violence to another person, the
provider has a duty to exercise reasonable care to protect the foreseeable
victim of the danger. Little v. All Phoenix South Community Mental
Health Center, Inc., 186 Ariz. 97, 919 P.2d 1368 (1996). A covered
entity may, consistent with applicable law and standards of ethical
conduct, use or disclose protected health information without patient
authorization if the covered entity, in good faith, believes the
use or disclosure is necessary to prevent or lessen a serious and
imminent threat to the health or safety of a person or the public
and is to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat, or is necessary
for law enforcement authorities to identify or apprehend an individual.
See 45 C.F.R. §§ 164.512(j)(1)(ii); 164.512(f)(2) and (3) for rules
that apply for disclosures made to law enforcement. See 45 C.F.R. § 164.512(j)(4)
for what constitutes a good faith belief.
to human rights committees
Protected health information may be disclosed to a human rights
committee without patient authorization provided personally identifiable
information is redacted or de-identified from the record. See A.R.S.
§§ 36-509(10) and 41-3804. In redacting personally identifiable
information, a covered entity must comply with the HIPAA Rule de-identification
standards in 45 C.F.R. § 164.514(b) and not state law. If a human rights
committee wants non-redacted identifiable health information for
official purposes, it must first demonstrate to ADHS/DBHS that the
information is necessary to perform a function that is related to
the oversight of the behavioral health system, and in that case,
a covered entity may disclose protected health information to the
human rights committee in its capacity as a health oversight agency.
See 45 C.F.R. § 164.512(d)(1).
to the Arizona Department of Corrections
Protected health information may be disclosed without patient
authorization to the state department of corrections in cases where
prisoners confined to the state prison are patients in the state
hospital on authorized transfers either by voluntary admission or
by order of the court. See A.R.S. § 36-509(5) The HIPAA Rule
limits disclosure to correctional institutions to certain categories
of information that are contained in 45 C.F.R. § 164.512(k)(5).
to a governmental agency or law enforcement to secure return of
Protected health information may be disclosed to governmental or
law enforcement agencies if necessary to secure the return of a
patient who is on unauthorized absence from any agency where the
patient was undergoing court ordered evaluation or treatment. See
A.R.S. § 36-509 (6). A covered entity may disclose limited
information without patient authorization to law enforcement to
secure the return of a missing person. See 45 C.F.R. § 164.512(f)(2)(i).
In addition, a covered entity is permitted limited disclosure to
governmental agencies to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public. See 45
to a Sexually Violent Persons (SVP) Program
Protected health information may be disclosed to a governmental
agency or a competent professional, as defined in A.R.S. §
36-3701, in order to comply with the SVP Program (Arizona Revised
Statutes, Title 36, Chapter 37). See A.R.S. § 36-509(9).
professional" is a person who may be a psychologist or psychiatrist,
is approved by the Superior Court and is familiar with the state's
sexually violent persons statutes and sexual offender treatment
programs. A competent professional is either statutorily required
or may be ordered by the court to perform an examination of a person
involved in the sexually violent persons program and must be given
reasonable access to the person in order to conduct the examination
and must share access to all relevant medical and psychological
records, test data, test results and reports. See A.R.S. §
In most cases,
the disclosure of protected health information to a competent professional
or made in connection with the sexually violent persons program
is required by law or ordered by the court. In either case, disclosure
under the HIPAA Rule without patient authorization is permitted.
See 45 C.F.R. § 164.512(a) (disclosure permitted when required by law)
and 45 C.F.R. § 164.512(e) (disclosure permitted when ordered by the
court). If the disclosure is not required by law or ordered by the
court or is to a governmental agency other than the sexually violent
persons program, the covered entity may have the authority to disclose
if the protected health information is for treatment, payment or
health care operations. See 45 C.F.R. § 164.506(c) to determine rules
for disclosure for treatment, payment or health care operations.
to third party payors
Disclosure is permitted to a third party payor to obtain reimbursement
for health care, mental health care or behavioral health care provided
to a patient. See A.R.S. § 36-509(13).
to Accreditation Organization
Disclosure is permissible to a private entity that accredits a health
care provider and with whom the health care provider has an agreement
that requires the agency to protect the confidentiality of patient
information. See A.R.S. § 36-509(14).
of communicable disease information
A.R.S. § 36-661 et seq., includes a number of provisions that
address the disclosure of communicable disease information. The
general rule is that a person who obtains communicable disease related
information in the course of providing a health service or pursuant
to a release of communicable disease related information must not
disclose or be compelled to disclose that information. See A.R.S.
§ 36-664(A). Certain exceptions for disclosure are permitted
- The individual
or the individual’s health care decision maker;
- ADHS or
a local health department for the purpose of notifying a Good
- An agent
or employee of a health facility or a health care provider;
- A health
facility or a health care provider;
- A federal,
state or local health officer;
agencies authorized by law to receive communicable disease information;
authorized pursuant to a court order;
- The Department
of Economic Security for adoption purposes;
- The Industrial
- The Department
of Health Services to conduct inspections;
- A private
entity that accredits a health care facility or a health care
36-664 also addresses issues with respect to the following:
to the Department of Health Services or local health departments
are also permissible under certain circumstances:
for supervision, monitoring and accreditation;
information in death reports;
to the Department; and
to insurance entities.
for the release of communicable disease related information must
be signed by the protected person or, if the protected person lacks
capacity to consent, the person’s health care decision maker
(see A.R.S. § 36-664(F)). If an authorization for the release
of communicable disease information is not signed, the information
cannot be disclosed. An authorization must be dated and must specify
to whom disclosure is authorized, the purpose for disclosure and
the time period during which the authorization is effective. A general
authorization for the release of medical or other information, including
communicable disease related information, is not an authorization
for the release of HIV-related information unless the authorization
specifically indicates its purpose as authorization for the release
of HIV-related information and complies with the requirements of
A.R.S. § 36-664(F).
The HIPAA Rule
does not preempt state law with respect to disclosures of communicable
disease information; however, it may impose additional requirements
depending upon the type, nature and scope of disclosure. It is advisable
to consult with the HIPAA Compliance Officer and/ or legal counsel
prior to disclosure of communicable disease information.
if a disclosure of communicable disease information is made pursuant
to an authorization, the disclosure must be accompanied by a statement
in writing which warns that the information is from confidential
records which are protected by state law that prohibits further
disclosure of the information without the specific written consent
of the person to whom it pertains or as otherwise permitted by law.
A.R.S. § 36-664(H) affords greater privacy protection than
45 C.F.R. § 164.508(c)(2)(ii), which requires the authorization to contain
a statement to place the individual on notice of the potential for redisclosure by the recipient and thus, is no longer protected.
Therefore, any authorization for protected health information that
includes communicable disease information must contain the statement
that redisclosure of that information is prohibited.
to business associates
The HIPAA Rule allows a covered entity to disclose protected
health information to a business associate if the covered entity
obtains satisfactory assurances that the business associate will
safeguard the information in accordance with 45 C.F.R. § 164.502(e)
and the HITECH Act. See the definition
of “business associate” in 45 C.F.R. § 160.103. Also see
45 C.F.R. § 164.504(e) and Section 13404 of the HITECH Act for requirements related to the documentation
of satisfactory assurances through a written contract or other written
agreement or arrangement.
to the Arizona Center for Disability Law, acting in its capacity
as the State Protection and Advocacy Agency pursuant to 42 U.S.C.§
10805, is allowed when:
- An enrolled
person is mentally or physically unable to consent to a release
of confidential information, and the person has no legal guardian
or other legal representative authorized to provide consent; and
- A complaint
has been received by the Center or the Center asserts that the
Center has probable cause to believe that the enrolled person
has been abused or neglected.
Disclosures of alcohol and drug information
- T/RBHAs and
their subcontracted providers that provide drug and alcohol screening,
diagnosis or treatment services are federally assisted alcohol
and drug programs and must ensure compliance with all provisions
contained in the Federal statutes and regulations referenced in
and their subcontracted providers must notify persons seeking
and/or receiving alcohol or drug abuse services of the existence
of the federal confidentiality law and regulations and provide
each person with a written summary of the confidentiality provisions.
The notice and summary must be provided at admission or as soon
as deemed clinically appropriate by the person responsible for
clinical oversight of the person.
or their subcontracted providers may require enrolled persons
to carry identification cards while the person is on the premises
of an agency. A T/RBHA or subcontracted provider may not require
enrolled persons to carry cards or any other form of identification
when off the T/RBHA’s or subcontractor’s premises
that will identify the person as a recipient of drug or alcohol
or their subcontracted providers may not acknowledge that a currently
or previously enrolled person is receiving or has received alcohol
or drug abuse services without the enrolled person’s authorization
as provided in section 4.1.7-D. of this policy.
or their subcontracted providers must respond to any request for
a disclosure of the records of a currently or previously enrolled
person that is not permissible under this policy or federal regulations
in a way that will not reveal that an identified individual has
been, or is being diagnosed or treated for alcohol or drug abuse.
T/RBHA or subcontracted provider must advise the person or guardian
of the special protection given to such information by federal
of information concerning diagnosis, treatment or referral from
an alcohol or drug abuse program must be made only as follows:
currently or previously enrolled person or their guardian
authorizes the release of information. In this case, authorization
must be documented on an authorization form which has not
expired or been revoked by the patient. The proper authorization
form must be in writing and must contain each of the following
The name or general designation of the program making
name of the individual or organization that will receive
The name of the person who is the subject of the disclosure;
purpose or need for the disclosure;
much and what kind of information will be disclosed;
statement that the person may revoke the authorization
at any time, except to the extent that the program has
already acted in reliance on it;
date, event or condition upon which the authorization
expires, if not revoked before
The signature of the person or guardian; and
The date on which the authorization is signed.
- Authorization as provided above, must be accompanied by the
following written statement: “This information has been
disclosed to you from records protected by federal confidentiality
rules (42 C.F.R. Part 2). The federal rules prohibit you from making
any further disclosure of this information unless further disclosure
is expressly permitted by the written consent of the person to
whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A
general authorization for the release of medical or other information
is NOT sufficient for this purpose. The federal rules restrict
any use of the information to criminally investigate or prosecute
any alcohol or drug abuse patient.”
- If the person
is a minor, authorization must be given by both the minor and
his or her parent or legal guardian.
- If the person
is deceased, authorization may be given by:
- A court
appointed executor, administrator or other personal representative;
- If no
such appointments have been made, by the person’s spouse;
- If there
is no spouse, by any responsible member of the person’s
is not required under the following circumstances:
Medical Emergencies – information may be disclosed to
medical personnel who need the information to treat a condition
which poses an immediate threat to the health of any individual,
not necessarily the currently or previously enrolled person,
and which requires immediate medical intervention. The disclosure
must be documented in the person’s medical record and
must include the name of the medical person to whom disclosure
is made and his or her affiliation with any health care facility,
name of the person making the disclosure, date and time of
the disclosure and the nature of the emergency. After emergency
treatment is provided, written confirmation of the emergency
must be secured from the requesting entity.
Research Activities – information may be disclosed for
the purpose of conducting scientific research according to
the provisions of 42 C.F.R. § 2.52.
and Evaluation Activities – information may be disclosed
for the purposes of audit and evaluation activities according
to the provisions of 42 C.F.R. § 2.53.
Service Organizations – information may be provided
to a qualified service organization when needed by the qualified
service organization to provide services to a currently or
previously enrolled person.
Agency Communications - the staff of an agency providing alcohol
and drug abuse services may disclose information regarding
an enrolled person to other staff within the agency, or to
the part of the organization having direct administrative
control over the agency, when needed to perform duties related
to the provision of alcohol or drug abuse diagnosis, treatment,
or referral for treatment to a person. For example, an organization
that provides several types of services might have an administrative
office that has direct administrative control over each unit
or agency that provides direct services.
an enrolled person that does not include any information about the
enrolled person’s receipt of alcohol or drug abuse diagnosis,
treatment or referral for treatment is not restricted under this
section. For example, information concerning an enrolled person’s
receipt of medication for a psychiatric condition, unrelated to
the person’s substance abuse, could be released as provided
in section 4.1.7-C. of this policy.
disclosures – A state or federal court may issue an order
that authorizes an agency to make a disclosure of identifying
information that would otherwise be prohibited. A subpoena, search
warrant or arrest warrant is not sufficient standing alone, to
require or permit an agency to make a disclosure.
Crimes committed by a
person on an agency’s premises or against program personnel.
Agencies may disclose information to a law enforcement agency when
a person who is receiving treatment in a substance abuse program
has committed or threatened to commit a crime on agency premises
or against agency personnel. In such instances, the agency must
limit the information disclosed to the circumstances of the incident.
It may only disclose the person’s name, address, last known
whereabouts and status as a person receiving services at the agency.
abuse and neglect reporting – Federal law does not prohibit
compliance with the child abuse reporting requirements contained
in A.R.S. § 13-3620.
- A general
medical release form or any authorization form that does not contain
all of the elements listed in subsection 4.1.7-D. above is not
4.1.7-E. Security Breach
T/RBHAs and their subcontracted providers, in the event of an
impermissible use/disclosure of unsecured PHI, must provide
notification to any and all persons affected by the breach in
accordance with Section 13402 of the HITECH Act.
To ensure confidentiality of telemedicine sessions, providers must
do the following when providing services via telemedicine:
videoconferencing room door must remain closed at all times;
- If the room
is used for other purposes, a sign must be posted on the door,
stating that a clinical session is in progress.
purposes of uniformity and clarity, the term “authorization”
is used throughout this policy to reference a person’s permission
to disclose medical records and protected health information and has
the same meaning as “consent” which is used in 42 C.F.R.
Disclosure of Behavioral Health Information
Last Revised: 10/25/2010