Gila River Health Care Corporation
PROVIDER MANUAL

Arizona Department of Health Services

Division of Behavioral Health Services
PROVIDER MANUAL
Gila River Regional Behavioral Health Authority Edition


Section 4.1 Disclosure of Behavioral Health Information

4.1.1 Introduction
4.1.2 References
4.1.3 Scope
4.1.4 Did you know…?
4.1.5 Definitions
4.1.6 Objectives
4.1.7 Procedures
4.1.7-A. Overview of confidentiality information
4.1.7-B. General procedures for all disclosures
4.1.7-C. Disclosure of information not related to alcohol and drug treatment
4.1.7-D. Disclosures of alcohol and drug information
4.1.7-E. Security Breach Notification
4.1.7-F. Telemedicine

4.1.1 Introduction
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 included provisions for national standards for electronic health care transactions. To safeguard the privacy of health care information, Congress incorporated provisions that mandated the adoption of federal privacy protections for individually identifiable health information. HIPAA specifies how a person’s protected health information will be used and disclosed. The U.S. Department of Health and Human Services has issued federal regulations (the Privacy Rule) that provide individuals with certain rights to control the use and disclosure of their protected health information. The Privacy Rule is applicable to any agency that has identified itself to be one of three types of “covered entities”: health plan, health care provider and/or health care clearinghouse. By the compliance date of April 14, 2003, covered entities must have implemented standards to protect and guard against the misuse of protected health information.

In 2009 Congress enacted the HITECH Act (Health Information Technology for Economic and Clinical Health Act) (Title XII, Subtitle D of the American Recovery and Reinvestment Act of 2009 (P.L. 111-005)), which substantially expands the HIPAA Privacy and Security Rule. Tribal and Regional Behavioral Health Authorities (T/RBHAs) and their subcontracted providers are now required to comply with the HITECH Act regarding how they use and disclose protected health information. In the event a behavioral health recipient’s unsecured PHI has been impermissibly used or disclosed, T/RBHAs and their subcontracted providers are responsible for notifying each affected individual in accordance with the HITECH Act Security Breach Notification requirement.

The Arizona Department of Health Services/Division of Behavioral Health Services, the T/RBHAs and behavioral health providers must all comply with the Privacy Rule when providing health care services and/or paying for services with state and federal funds. Each organization is a separate “covered entity” and therefore must individually institute practices for complying with the Privacy Rule.

This section is intended to provide guidance as to whom information can be disclosed and when authorization is required prior to that disclosure. It is not all-inclusive of HIPAA and state laws; the references throughout are available for providers to access and examine the applicable laws for more detail.

4.1.2 References
The following citations can serve as additional resources for this content area:

4.1.3 Scope
To whom does this apply?
All persons receiving, or who have received, services through Arizona’s public behavioral health system.

4.1.4 Did you know...?

  • The “minimum necessary” standard ensures that only the minimum information necessary to accomplish an intended purpose is requested and disclosed.
  • The United States Health and Human Services Department/Office of Civil Rights (OCR) has the authority for administering and enforcing compliance with the Privacy Rule. The OCR can assess significant penalties for failure to comply with HIPAA, including monetary fines and the loss of federal funds.
  • Other components of HIPAA include the Transaction and Code Set Rules and the Security Rules.
  • All covered entities must have a HIPAA Compliance Officer to hear complaints and address inquiries regarding the provider’s practices.

4.1.5 Definitions
Alcohol and Drug Abuse Program (42 C.F.R. Part 2)

Clinical Teams

De-Identified Health Information

Designated Record Set

Health Care Decision-Maker

Health Care Provider

Health Insurance Portability and Accountability Act (HIPAA)

HITECH Act

HIV-Related Information

Individual

Individually Identifiable Health Information

Medical Records

Payment Records

Protected Health Information

Qualified Service Organization

Telemedicine

Unsecured Protected Health Information

 

4.1.6 Objectives
To give behavioral health providers guidance on their obligations under the HIPAA laws and State laws and regulations when using, disclosing or responding to requests for protected health information.

4.1.7 Procedures

4.1.7-A. Overview of confidentiality information
T/RBHAs and subcontracted behavioral health providers must keep medical and behavioral health records and all information contained in those records confidential and cannot disclose such information unless permitted or required by federal or state law. The law regulates two major categories of confidential information:

  • Information obtained when providing behavioral health services not related to alcohol or drug abuse referral, diagnosis and treatment; and
  • Information obtained in the referral, diagnosis and treatment of alcohol or drug abuse.

Behavioral Health Information Not Related to Alcohol and Drug Treatment
Information obtained when providing behavioral health services not related to alcohol and drug abuse treatment is governed by state law and the HIPAA Privacy Rule, 45 C.F.R., Part 164, Subparts A and E, Part 160 Subparts A and B (“the HIPAA Rule”). The HIPAA Rule permits a covered entity (health plan, health care provider, health care clearinghouse) to use or disclose protected health information with or without patient authorization in a variety of circumstances, some of which are required and others that are permissive. Many of the categories of disclosures contain specific words and phrases that are defined in the HIPAA Rule. Careful attention must be paid to the definitions of words and phrases in order to determine whether disclosure is allowed. In addition, the HIPAA Rule may contain exceptions or special rules that apply to a particular disclosure. State law may affect a disclosure. For example, the HIPAA Rule may preempt a state law or a state law may preempt the HIPAA Rule. In addition, a covered entity must, with certain exceptions, make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the disclosure.

Before disclosing an individual’s protected health information, it is good practice to consult the specific citation to the HIPAA Rule and state law and to consult with legal counsel. See 4.1.7-C. for more detail regarding the disclosure of behavioral health information not related to alcohol or drug referral, diagnosis or treatment.

Drug and Alcohol Abuse Information
Information regarding treatment for alcohol or drug abuse is afforded special confidentiality by Federal statute and regulation. This includes any information concerning a person’s diagnosis or treatment from a federally assisted alcohol or drug abuse program or referral to a federally assisted alcohol or drug abuse program. See subsection 4.1.7-D. for more detail regarding the disclosure of drug and alcohol abuse information.

4.1.7-B. General procedures for all disclosures

  • Unless otherwise excepted by state or federal law, all information obtained about a person related to the provision of behavioral health services to the person is confidential whether the information is in oral, written, or electronic format.
  • All records generated as a part of the ADHS/DBHS or RBHA grievance and appeal processes are legal records, not medical records, although they may contain copies of portions of a person’s medical record. To the extent these legal records contain personal medical information, ADHS/DBHS or the RBHA will redact or de-identify the information to the extent allowed or required by law.

List of Persons Accessing Records
The T/RBHA must ensure that a list is kept of every person or organization that inspects a currently or previously enrolled person’s records other than the person’s clinical team, the uses to be made of that information and the staff person authorizing access. The access list must be placed in the enrolled person’s record and must be made available to the enrolled person, their guardian or other designated representative.

Disclosure to Clinical Teams
Disclosure of information to members of a clinical team may or may not require an authorization depending upon the type of information to be disclosed and the status of the receiving party. Information concerning diagnosis, treatment or referral for drug or alcohol treatment may only be disclosed to members of a clinical team with patient authorization as prescribed in subsection 4.1.7-D. Information not related to drug and alcohol treatment may be disclosed without patient authorization to members of a clinical team who are providers of health, mental health or social services, provided the information is for treatment purposes as defined in the HIPAA Rule. Disclosure to members of a clinical team who are not providers of health, mental health or social services requires the authorization of the person or the person’s legal guardian or parent as prescribed in subsection 4.1.7-C.

Disclosure to persons involved in court proceedings
Disclosure of information to persons involved in court proceedings including attorneys, probation or parole officers, guardians ad litem and court appointed special advocates may or may not require an authorization depending upon the type of information to be disclosed and whether the court has entered orders permitting the disclosure.

4.1.7-C. Disclosure of information not related to alcohol and drug treatment
The HIPAA Rule and state law allow a covered entity to disclose protected health information under a variety of conditions. This is a general overview and does not include an entire description of legal requirements for each disclosure. The latter part of subsection 4.1.7-C. contains a more detailed description of circumstances that are likely to involve the use or disclosure of behavioral health information.

Below is a general description of all required or permissible disclosures:

  • To the individual and the individual’s health care decision maker;
  • To health, mental health and social service providers for treatment, payment or health care operations;
  • Incidental to a use or disclosure otherwise permitted or required by 45 C.F.R. Part 164, Subpart E;
  • To a person or entity with a valid authorization;
  • Provided the individual is informed in advance and has the opportunity to agree or prohibit the disclosure:
    • For use in facility directories;
    • To persons involved in the individual’s care and for notification purposes;
  • When required by law;
  • For public health activities;
  • About victims of child abuse, neglect or domestic violence;
  • For health oversight activities;
  • For judicial and administrative proceedings;
  • For law enforcement purposes;
  • About deceased persons;
  • For cadaveric organ, eye or tissue donation purposes;
  • For research purposes;
  • To avert a serious threat to health or safety or to prevent harm threatened by patients;
  • To a human rights committee;
  • For purposes related to the Sexually Violent Persons program;
  • With communicable disease information;
  • To personal representatives including agents under a health care directive;
  • For evaluation or treatment;
  • To business associates;
  • To the Secretary of Health and Human Services or designee to investigate or determine compliance with the HIPAA Rule;
  • For specialized government functions;
  • For worker’s compensation;
  • Under a data use agreement for limited data;
  • For fundraising;
  • For underwriting and related purposes;
  • To the Arizona Center For Disability Law in its capacity as the State Protection and Advocacy Agency;
  • To a third party payor to obtain reimbursement;
  • To a private entity that accredits a health care provider;
  • To the legal representative of a health care entity in possession of the record for the purpose of securing legal advice;
  • To a person or entity as otherwise required by state or federal law;
  • To a person or entity permitted by the federal regulations on alcohol and drug abuse treatment (42 C.F.R. Part 2);
  • To a person or entity to conduct utilization review, peer review and quality assurance pursuant to Section 36-441, 36-445, 36-2402 or 36-2917;
  • To a person maintaining health statistics for public health purposes as authorized by law; and
  • To a grand jury as directed by subpoena.

Below is a description of the circumstances in which behavioral health information is likely to be required or permitted to be disclosed.

Disclosure to an individual
A covered entity is required to disclose information in a designated record set to an individual when requested unless contraindicated. Contraindicated means that access is reasonably likely to endanger the life or physical safety of the patient or another person (See A.R.S. 36-507(3); 45 C.F.R. 164.524). A covered entity should read and carefully apply the provisions in 164.524 before disclosing protected health information in a designated record set to an individual.

An individual has a right of access to his or her designated record set, except for psychotherapy notes and information compiled for pending litigation. See 45 C.F.R. 164.524(a)(1) and Section 13405(e) of the HITECH Act. Under certain conditions a covered entity may deny an individual access to the medical record without providing the individual an opportunity for review. See 45 C.F.R. 164.524(a)(2). Under other conditions, a covered entity may deny an individual access to the medical record and must provide the individual with an opportunity for review. See 45 C.F.R. 164.524(a)(3). A covered entity must follow certain requirements for a review when access to the medical record is denied. See 45 C.F.R. 164.524(a)(4).

An individual must be permitted to request access to inspect or obtain a copy of his or her medical record. See 45 C.F.R. 164.524(b)(1). A covered entity is required to act upon an individual’s request in a timely manner. See 45 C.F.R. 164.524(b)(2).

An individual may inspect and be provided with one free copy per year of his or her own medical record, unless access has been denied.

A covered entity must follow certain requirements for providing access, the form of access and the time and manner of access. See 45 C.F.R. 164.524(c).

A covered entity is required to make other information available in the record when access is denied, must follow other requirements when making a denial of access, must inform an individual of where medical records are maintained and must follow certain procedures when an individual requests a review when access is denied. See 45 C.F.R. 164.524(d).

A covered entity is required to maintain documentation related to an individual’s access to the medical record. See 45 C.F.R. 164.524(e).

Disclosure with an individual’s authorization
The HIPAA Rule allows information to be disclosed with an individual’s written authorization.

For all uses and disclosures that are not permitted by the HIPAA Rule, patient authorization is required. See 45 C.F.R. 164.502(a)(1)(iv); and 164.508. An authorization must contain all of the elements in 45 C.F.R. 164.508.

A copy of the authorization must be provided to the individual. The authorization must be written in plain language and must contain the following elements:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository; and
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must also be provided.

In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

  • The individual’s right to revoke the authorization in writing, and either:
    • The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
    • A reference to the covered entity’s notice of privacy practices if the notice of privacy practices tells the individual how to revoke the authorization.
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
    • The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in 45 C.F.R. 164.508(b)(4) applies; or
    • The consequences to the individual of a refusal to sign the authorization when, in accordance with 45 C.F.R. 164.508(b)(4), the covered entity can condition treatment, enrollment in the health plan or eligibility for benefits on failure to obtain such authorization.
  • The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient.

Disclosure to health, mental health and social service providers for treatment, payment or health care operations; reports of abuse and neglect
Disclosure is permitted without patient authorization to health, mental health and social service providers involved in caring for or providing services to the person for treatment, payment or health care operations as defined in the HIPAA Rule. These disclosures are typically made to primary care physicians, psychiatrists, psychologists, social workers (including DES and DDD) or other behavioral health professionals. Particular attention must be paid to 45 C.F.R. 164.506(c) and the definitions of treatment, payment and health care operations to determine the scope of disclosure. For example, a covered entity is allowed to disclose protected health information for its own treatment, payment or health care operations. See 45 C.F.R. 164.506(c)(1). A covered entity may disclose for treatment activities of a health care provider including providers not covered under the HIPAA Rule. See 45 C.F.R. 164.506(c)(2). A covered entity may disclose to both covered and non-covered health care providers for payment activities. See 45 C.F.R. 164.506(c)(3). A covered entity may disclose to another covered entity for the health care operations activities of the receiving entity if each entity has or had a direct treatment relationship with the individual and the disclosure is for certain specified purposes in the definition of health care operations. See 45 C.F.R. 164.506(c)(4).

If the disclosure is not for treatment, payment, or healthcare operations or required by law, patient authorization is required.

The HIPAA Rule does not modify a covered entity’s obligation under A.R.S. 13-3620 to report child abuse and neglect to Child Protective Services or disclose a child’s medical records to Child Protective Services for investigation of child abuse cases.

Similarly, a covered entity may have an obligation to report adult abuse and neglect to Adult Protective Services. See A.R.S. 46-454. The HIPAA Rule imposes other requirements in addition to those contained in A.R.S. 46-454, primarily that the individual be notified of the making of the report or a determination by the reporting person that it is not in the individual’s best interest to be notified. See 45 C.F.R. 164.512(c).

Disclosure to other persons including family members
A covered entity may disclose protected health information without authorization to other persons including family members actively participating in the patient's care, treatment or supervision. Prior to releasing information, an agency or non-agency treating professional or that person's designee must have a verbal discussion with the person to determine whether the person objects to the disclosure. If the person objects, the information cannot be disclosed. If the person does not object, or the person lacks capacity to object, the treating professional must perform an evaluation to determine whether disclosure is in that person's best interests. A decision to disclose or withhold information is subject to review pursuant to A.R.S. 36-517.01.

An agency or non-agency treating professional may only release information relating to the person's diagnosis, prognosis, need for hospitalization, anticipated length of stay, discharge plan, medication, medication side effects and short-term and long-term treatment goals. See A.R.S. 36-509(7).

The HIPAA Rule imposes additional requirements when disclosing protected health information to other persons including family members. A covered entity may disclose to a family member or other relative the protected health information directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care. If the individual is present for a use or disclosure and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it obtains the individual’s agreement, provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. See 45 C.F.R. 164.510(b).

Disclosure to an agent under a health care directive
A covered entity may treat an agent appointed under a health care directive as a personal representative of the individual. See 45 C.F.R. 164.502(g). Examples of agents appointed to act on an individual’s behalf include an agent under a health care power of attorney, see A.R.S. 36-3221 et seq.; surrogate decision makers, see A.R.S. 36-3231; and an agent under a mental health care power of attorney, see A.R.S. 36-3281.

Disclosure to a personal representative

  • Unemancipated Minors. A covered entity may disclose protected health information to a personal representative, including the personal representative of an unemancipated minor, unless one or more of the exceptions described in 45 C.F.R. 164.502(g)(3)(i) or 164.502(g)(5) applies. See 45 C.F.R. 164.502(g)(1).

    The general rule is that if state law, including case law, requires or permits a parent, guardian or other person acting in loco parentis to obtain protected health information, then a covered entity may disclose the protected health information. See 45 C.F.R. 164.502(g)(3)(ii)(A).

    Similarly, if state law, including case law, prohibits a parent, guardian or other person acting in loco parentis from obtaining protected health information, then a covered entity may not disclose the protected health information. See 45 C.F.R. 164.502(g)(3)(ii)(B).

    When state law, including case law, is silent on whether protected health information can be disclosed to a parent, guardian or other person acting in loco parentis, a covered entity may provide or deny access under 45 C.F.R. 164.524 to a parent, guardian or other person acting in loco parentis if the action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment. See 45 C.F.R. 164.502(g)(3)(ii)(C).

  • Adults and Emancipated Minors. If under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such persons as a personal representative with respect to protected health information relevant to such personal representation. See 45 C.F.R. 164.502(g)(2). Simply stated, if there is a state law that permits the personal representative to obtain the adult or emancipated minor’s protected health information, the covered entity may disclose it. A covered entity may withhold protected health information if one or more of the exceptions in 45 C.F.R. 164.502(g)(5) applies.
  • Deceased persons. If under applicable law, an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such persons as a personal representative with respect to protected health information relevant to the personal representation. See 45 C.F.R. 164.502(g)(4). A covered entity may withhold protected health information if one or more of the exceptions in 45 C.F.R. 164.502(g)(5) applies. A.R.S. 12-2294(D) provides certain persons with authority to act on behalf of a deceased person.

Disclosure for court ordered evaluation or treatment
An agency in which a person is receiving court ordered evaluation or treatment is required to immediately notify the person's guardian or agent or, if none, a member of the person's family that the person is being treated in the agency. See A.R.S. 36-504(B). The agency shall disclose any further information only after the treating professional or that person's designee interviews the person undergoing treatment or evaluation to determine whether the person objects to the disclosure and whether the disclosure is in the person's best interests. A decision to disclose or withhold information is subject to review pursuant to A.R.S. 36-517.01.

If the individual or the individual’s guardian makes the request for review, the reviewing official must apply the standard in 45 C.F.R. 164.524(a)(3). If a family member makes the request for review, the reviewing official must apply the “best interest” standard in A.R.S. 36-517.01.

The reviewer’s decision may be appealed to the superior court. See A.R.S. 36-517.01(B). The agency or non-agency treating professional must not disclose any treatment information during the period an appeal may be filed or is pending.

Disclosure for health oversight agencies
A covered entity may disclose protected health information without patient authorization to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions or other activities necessary for appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards. See 45 C.F.R. 164.512(d).

Disclosure for judicial and administrative proceedings including court ordered disclosures
A covered entity may disclose protected health information without patient authorization in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by the order. See 45 C.F.R. 164.512(e). In addition, a covered entity may disclose information in response to a subpoena, discovery request or other lawful process without a court order if the covered entity receives satisfactory assurances that the requesting party has made reasonable efforts to provide notice to the individual or has made reasonable efforts to secure a qualified protective order. See 45 C.F.R. 164.512(e)(1)(iii),(iv) and (v) for what constitutes satisfactory assurances.

Disclosure to persons doing research
A covered entity may disclose protected health information to persons doing research without patient authorization provided the information meets the de-identification standards of 45 C.F.R. 164.514(b). If the covered entity wants to disclose protected health information that is not de-identified, patient authorization is required, or an Institutional Review Board or a privacy board can waive it in accordance with the provisions of 45 C.F.R. 164.512(i)(1)(i).

Disclosure to prevent harm threatened by patients
Mental health providers have a duty to protect others against the conduct of a patient. See A.R.S. 36-517.02. When a patient poses a serious danger of violence to another person, the provider has a duty to exercise reasonable care to protect the foreseeable victim of the danger. Little v. All Phoenix South Community Mental Health Center, Inc., 186 Ariz. 97, 919 P.2d 1368 (1996). A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information without patient authorization if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an individual. See 45 C.F.R. 164.512(j)(1)(ii); 164.512(f)(2) and (3) for rules that apply for disclosures made to law enforcement. See 45 C.F.R. 164.512(j)(4) for what constitutes a good faith belief.

Disclosures to human rights committees
Protected health information may be disclosed to a human rights committee without patient authorization provided personally identifiable information is redacted or de-identified from the record. See A.R.S. 36-509(10) and 41-3804. In redacting personally identifiable information, a covered entity must comply with the HIPAA Rule de-identification standards in 45 C.F.R. 164.514(b) and not state law. If a human rights committee wants non-redacted identifiable health information for official purposes, it must first demonstrate to ADHS/DBHS that the information is necessary to perform a function that is related to the oversight of the behavioral health system, and in that case, a covered entity may disclose protected health information to the human rights committee in its capacity as a health oversight agency. See 45 C.F.R. 164.512(d)(1).


Disclosure to the Arizona Department of Corrections
Protected health information may be disclosed without patient authorization to the state department of corrections in cases where prisoners confined to the state prison are patients in the state hospital on authorized transfers either by voluntary admission or by order of the court. See A.R.S. 36-509(5). The HIPAA Rule limits disclosure to correctional institutions to certain categories of information that are contained in 45 C.F.R. 164.512(k)(5).

Disclosure to a governmental agency or law enforcement to secure return of a patient
Protected health information may be disclosed to governmental or law enforcement agencies if necessary to secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing court ordered evaluation or treatment. See A.R.S. 36-509(6). A covered entity may disclose limited information without patient authorization to law enforcement to secure the return of a missing person. See 45 C.F.R. 164.512(f)(2)(i). In addition, a covered entity is permitted limited disclosure to governmental agencies to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. See 45 C.F.R. 164.512(j).

Disclosure to a Sexually Violent Persons (SVP) Program
Protected health information may be disclosed to a governmental agency or a competent professional, as defined in A.R.S. 36-3701, in order to comply with the SVP Program (Arizona Revised Statutes, Title 36, Chapter 37). See A.R.S. 36-509(9).

A "competent professional" is a person who may be a psychologist or psychiatrist, is approved by the Superior Court and is familiar with the state's sexually violent persons statutes and sexual offender treatment programs. A competent professional is either statutorily required or may be ordered by the court to perform an examination of a person involved in the sexually violent persons program and must be given reasonable access to the person in order to conduct the examination and must share access to all relevant medical and psychological records, test data, test results and reports. See A.R.S. 36-3701(2).

In most cases, the disclosure of protected health information to a competent professional or made in connection with the sexually violent persons program is required by law or ordered by the court. In either case, disclosure under the HIPAA Rule without patient authorization is permitted. See 45 C.F.R. 164.512(a) (disclosure permitted when required by law) and 45 C.F.R. 164.512(e) (disclosure permitted when ordered by the court). If the disclosure is not required by law or ordered by the court or is to a governmental agency other than the sexually violent persons program, the covered entity may have the authority to disclose if the protected health information is for treatment, payment or health care operations. See 45 C.F.R. 164.506(c) to determine rules for disclosure for treatment, payment or health care operations.


Disclosure to third party payors
Disclosure is permitted to a third party payor to obtain reimbursement for health care, mental health care or behavioral health care provided to a patient. See A.R.S. 36-509(13).

Disclosure to Accreditation Organization
Disclosure is permissible to a private entity that accredits a health care provider and with whom the health care provider has an agreement that requires the agency to protect the confidentiality of patient information. See A.R.S. 36-509(14).

Disclosure of communicable disease information
A.R.S. 36-661 et seq., includes a number of provisions that address the disclosure of communicable disease information. The general rule is that a person who obtains communicable disease related information in the course of providing a health service or pursuant to a release of communicable disease related information must not disclose or be compelled to disclose that information. See A.R.S. 36-664(A). Certain exceptions for disclosure are permitted to:

  • The individual or the individual’s health care decision maker;
  • ADHS or a local health department for the purpose of notifying a Good Samaritan;
  • An agent or employee of a health facility or a health care provider;
  • A health facility or a health care provider;
  • A federal, state or local health officer;
  • Government agencies authorized by law to receive communicable disease information;
  • Persons authorized pursuant to a court order;
  • The Department of Economic Security for adoption purposes;
  • The Industrial Commission;
  • The Department of Health Services to conduct inspections;
  • Insurance entities;
  • A private entity that accredits a health care facility or a health care provider.

Disclosures to the Department of Health Services or local health departments are also permissible under certain circumstances.

A.R.S. 36-664 also addresses issues with respect to the following:

  • Authorizations;
  • Redisclosures;
  • Disclosures for supervision, monitoring and accreditation;
  • Listing information in death reports;
  • Reports to the Department; and
  • Applicability to insurance entities.


An authorization for the release of communicable disease related information must be signed by the protected person or, if the protected person lacks capacity to consent, the person’s health care decision maker (see A.R.S. 36-664(F)). If an authorization for the release of communicable disease information is not signed, the information cannot be disclosed. An authorization must be dated and must specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the authorization is effective. A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV-related information unless the authorization specifically indicates its purpose as authorization for the release of HIV-related information and complies with the requirements of A.R.S. 36-664(F).

The HIPAA Rule does not preempt state law with respect to disclosures of communicable disease information; however, it may impose additional requirements depending upon the type, nature and scope of disclosure. It is advisable to consult with the HIPAA Compliance Officer and/or legal counsel prior to disclosure of communicable disease information.

For example, if a disclosure of communicable disease information is made pursuant to an authorization, the disclosure must be accompanied by a written statement warning that the information is from confidential records protected by state law, which prohibits further disclosure of the information without the specific written consent of the person to whom it pertains or as otherwise permitted by law. A.R.S. 36-664(H) affords greater privacy protection than 45 C.F.R. 164.508(c)(2)(ii), which requires the authorization to contain a statement placing the individual on notice that the information may be redisclosed by the recipient and thus no longer be protected. Therefore, any authorization for protected health information that includes communicable disease information must contain the statement that redisclosure of that information is prohibited.

Disclosure to business associates
The HIPAA Rule allows a covered entity to disclose protected health information to a business associate if the covered entity obtains satisfactory assurances that the business associate will safeguard the information in accordance with 45 C.F.R. 164.502(e) and the HITECH Act. See the definition of “business associate” in 45 C.F.R. 160.103. Also see 45 C.F.R. 164.504(e) and Section 13404 of the HITECH Act for requirements related to the documentation of satisfactory assurances through a written contract or other written agreement or arrangement.

Disclosure to the Arizona Center for Disability Law, acting in its capacity as the State Protection and Advocacy Agency pursuant to 42 U.S.C. 10805, is allowed when:

  • An enrolled person is mentally or physically unable to consent to a release of confidential information, and the person has no legal guardian or other legal representative authorized to provide consent; and
  • A complaint has been received by the Center or the Center asserts that the Center has probable cause to believe that the enrolled person has been abused or neglected.


4.1.7-D. Disclosures of alcohol and drug information

  • T/RBHAs and their subcontracted providers that provide drug and alcohol screening, diagnosis or treatment services are federally assisted alcohol and drug programs and must ensure compliance with all provisions contained in the Federal statutes and regulations referenced in this section.
  • T/RBHAs and their subcontracted providers must notify persons seeking and/or receiving alcohol or drug abuse services of the existence of the federal confidentiality law and regulations and provide each person with a written summary of the confidentiality provisions. The notice and summary must be provided at admission or as soon as deemed clinically appropriate by the person responsible for clinical oversight of the person.
  • T/RBHAs or their subcontracted providers may require enrolled persons to carry identification cards while the person is on the premises of an agency. A T/RBHA or subcontracted provider may not require enrolled persons to carry cards or any other form of identification when off the T/RBHA’s or subcontractor’s premises that will identify the person as a recipient of drug or alcohol services.
  • T/RBHAs or their subcontracted providers may not acknowledge that a currently or previously enrolled person is receiving or has received alcohol or drug abuse services without the enrolled person’s authorization as provided in section 4.1.7-D. of this policy.
  • T/RBHAs or their subcontracted providers must respond to any request for a disclosure of the records of a currently or previously enrolled person that is not permissible under this policy or federal regulations in a way that will not reveal that an identified individual has been, or is being diagnosed or treated for alcohol or drug abuse.
  • The T/RBHA or subcontracted provider must advise the person or guardian of the special protection given to such information by federal law.
  • Release of information concerning diagnosis, treatment or referral from an alcohol or drug abuse program must be made only as follows:
    • The currently or previously enrolled person or their guardian authorizes the release of information. In this case, authorization must be documented on an authorization form which has not expired or been revoked by the patient. The proper authorization form must be in writing and must contain each of the following specified items:
      • The name or general designation of the program making the disclosure;
      • The name of the individual or organization that will receive the disclosure;
      • The name of the person who is the subject of the disclosure;
      • The purpose or need for the disclosure;
      • How much and what kind of information will be disclosed;
      • A statement that the person may revoke the authorization at any time, except to the extent that the program has already acted in reliance on it;
      • The date, event or condition upon which the authorization expires, if not revoked before;
      • The signature of the person or guardian; and
      • The date on which the authorization is signed.
  • Redisclosure - Authorization as provided above, must be accompanied by the following written statement: “This information has been disclosed to you from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.”
  • If the person is a minor, authorization must be given by both the minor and his or her parent or legal guardian.
  • If the person is deceased, authorization may be given by:
    • A court appointed executor, administrator or other personal representative; or
    • If no such appointments have been made, by the person’s spouse; or
    • If there is no spouse, by any responsible member of the person’s family.
  • Authorization is not required under the following circumstances:
    • Medical Emergencies – information may be disclosed to medical personnel who need the information to treat a condition which poses an immediate threat to the health of any individual, not necessarily the currently or previously enrolled person, and which requires immediate medical intervention. The disclosure must be documented in the person’s medical record and must include the name of the medical person to whom disclosure is made and his or her affiliation with any health care facility, name of the person making the disclosure, date and time of the disclosure and the nature of the emergency. After emergency treatment is provided, written confirmation of the emergency must be secured from the requesting entity.
    • Research Activities – information may be disclosed for the purpose of conducting scientific research according to the provisions of 42 C.F.R. 2.52.
    • Audit and Evaluation Activities – information may be disclosed for the purposes of audit and evaluation activities according to the provisions of 42 C.F.R. 2.53.
    • Qualified Service Organizations – information may be provided to a qualified service organization when needed by the qualified service organization to provide services to a currently or previously enrolled person.
    • Internal Agency Communications - the staff of an agency providing alcohol and drug abuse services may disclose information regarding an enrolled person to other staff within the agency, or to the part of the organization having direct administrative control over the agency, when needed to perform duties related to the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment to a person. For example, an organization that provides several types of services might have an administrative office that has direct administrative control over each unit or agency that provides direct services.

Information concerning an enrolled person that does not include any information about the enrolled person’s receipt of alcohol or drug abuse diagnosis, treatment or referral for treatment is not restricted under this section. For example, information concerning an enrolled person’s receipt of medication for a psychiatric condition, unrelated to the person’s substance abuse, could be released as provided in section 4.1.7-C. of this policy.

  • Court-ordered disclosures – A state or federal court may issue an order that authorizes an agency to make a disclosure of identifying information that would otherwise be prohibited. A subpoena, search warrant or arrest warrant is not sufficient standing alone, to require or permit an agency to make a disclosure.

  • Crimes committed by a person on an agency’s premises or against program personnel – Agencies may disclose information to a law enforcement agency when a person who is receiving treatment in a substance abuse program has committed or threatened to commit a crime on agency premises or against agency personnel. In such instances, the agency must limit the information disclosed to the circumstances of the incident. It may only disclose the person’s name, address, last known whereabouts and status as a person receiving services at the agency.

  • Child abuse and neglect reporting – Federal law does not prohibit compliance with the child abuse reporting requirements contained in A.R.S. 13-3620.
  • A general medical release form or any authorization form that does not contain all of the elements listed in subsection 4.1.7-D. above is not acceptable.


4.1.7-E. Security Breach Notification
T/RBHAs and their subcontracted providers, in the event of an impermissible use/disclosure of unsecured PHI, must provide notification to any and all persons affected by the breach in accordance with Section 13402 of the HITECH Act.

4.1.7-F. Telemedicine
To ensure confidentiality of telemedicine sessions, providers must do the following when providing services via telemedicine:

  • The videoconferencing room door must remain closed at all times;
  • If the room is used for other purposes, a sign must be posted on the door, stating that a clinical session is in progress.


1 For purposes of uniformity and clarity, the term “authorization” is used throughout this policy to reference a person’s permission to disclose medical records and protected health information and has the same meaning as “consent” which is used in 42 C.F.R. Part 2.


4.1 Disclosure of Behavioral Health Information
Last Revised: 10/25/2010
Effective Date: 12/01/2010
