Confidentiality and Release of Information

Confidentiality refers to the practice of protecting and keeping private information that has been shared, used, or disclosed to health care providers by clients, their caregivers, or other sources\.

You must be very careful to maintain the confidentiality and privacy of everything that your client tells you and everything you learn about your client. There are laws and ethical professional standards that provide for the confidentiality of client information, especially patient and treatment records.

In most situations, the client will sign a Release of Information (ROI) to give information to a specific person or agency.The following is a list of exceptions that do not require an ROI:

• Parents or legal guardians request the information, unless a minor is legally emancipated .
• The client is at risk of causing harm to self or another person (e.g., suicidal or homicidal).
• You suspect that a child or elder is being abused or neglected. This includes a child being a witness to domestic violence.
• There is a court order requesting specific information from the record.
• A client commits a crime on the premises.
• There is a medical emergency.

For more information, see Chapter B-5: Mandatory Reporting and Duty to Warn or Chapter D-3: Abuse and Neglect.

A Release of Information (ROI) is an official document that your client fills out. It gives you permission to share, use, or disclose specific information with a specific person or agency. ROIs are usually time-limited (meaning they expire on a specific date) and should be updated periodically. ROIs include HIPAA authorization forms and other written documents that detail the proper use and/or disclosure of confidential information.

You will likely receive many requests to share or disclose information about your clients. General guidelines for obtaining an ROI:

• Follow your organization’s policies and procedures for ROIs and all record requests. Remember to only provide information that is consistent with the scope of the ROI and with your organization’s policies and procedures. If you have questions, consult with your clinical supervisor.
• ROI forms should be signed by clients and their providers before you share or disclose the information specified in the ROI.
• Separate ROIs must be completed for each person or agency that receives client information.
• Read the ROI carefully and pay attention to its limitations, including:
  • Its time limit. ROIs typically expire six months to a year after the original date.
  • What information can be shared. Some ROIs allow you to release only certain parts of the record.
  • Who can receive the information. ROIs typically specify which person or agency can get a copy of the record.
• Always keep the original signed ROI in the client’s record. Provide copies to the client or identified provider agency.

You may get a request from an organization or agency for medical records. This request will usually come in the form of a signed ROI and request for records on the requesting agency's letterhead. Unless the ROI is signed by the client or legal guardian, you cannot contact that agency or release any records. If you receive a request for records, it is often best to confirm with the client. Many THOs require that you check with your supervisor or records department before releasing information, even if there is a court order or a form signed by the client or guardian. If in doubt, call your clinical supervisor or consult with your organization's records department.

Anybody who wants to look at or receive a copy of the client’s record must have one of the following:

• ROI document signed by the client or legal guardian.
• Court order or search warrant signed by a judge or magistrate.

Keep an original or copy of the ROI, request for records document, and/or court order in the client's record.

Except in cases of mandatory reporting, information must be “released” by the client, the parent of a minor client, or the client's legal guardian before it can be shared with anyone else, including:

• Village Public Safety Officers (VPSOs).
• Village Police Officers (VPOs).
• State Troopers.
• Court reporters.
• Lawyers.
• Insurance companies.
• Other family members.

Client copy. Clients may want to have a copy of the records of their own treatment, or parents may want a copy of their child’s treatment.

• Be sure to check with your supervisor about applicable policies and procedures on releasing information pertaining to minors who are considered legally emancipated (some confidential information may not be disclosed to parents under limited circumstances).
• Many clients are not aware that they can request copies of their records and may need assistance. Most organizations will have a records request form and process for clients to go through to obtain their records. Help the client navigate the process and fill out the necessary documents. If you and your supervisor determine that releasing the records would be detrimental to the client, clearly explain to the client why you recommend a different solution, such as releasing a partial record or a summary of the client's notes, assessment, or treatment plan (rather than all of the session notes).

Avoid causing harm. Sometimes, releasing records can harm the client or jeopardize care.

• Clients may be too unstable to see their own records at a specific time. Consult with your supervisor on how to best communicate the clinical reasons for not releasing their records. This will likely be a rare and unique case.
• Sharing client information might sometimes put the client in harm’s way, such as if a child has disclosed that he is being abused or neglected by his parent or guardian. Contact your supervisor before releasing the record. See Chapter B-5: Mandatory Reporting and Duty to Warn.

Other agencies’ documents. Via an ROI, you may receive and review documents from another agency that help to inform your client's case or treatment. However, you may not release documents that were generated by other providers to other agencies; releasing this information may open up you and your organization to legal or regulatory action if doing so is not consistent with your organization’s policies and procedures.

For example, you cannot re-release assessments, treatment plans, or client notes created by a counselor from another agency that were sent to you when a client transferred care to you. This includes school records that have been shared with you. These must be released directly from the originating agency.

Partial file release. Even when clients sign an ROI, they may not want you to release their entire file. For example, a client might not want to release an assessment report to other providers or agencies, such as probation officers. In this case, you may only release the portion of the record the client agrees to, such as the treatment plan. Follow your organization’s policies and procedures related to the HIPAA “ minimum necessary ” rules.

Certificates of completion. Some clients may need a certificate or documentation of their treatment completion (sometimes called compliance documents).

• These are typically provided after clients are done with services, not when they are partially completed.
• Sometimes, however, a client may need a copy right away. For example, the client may need to obtain a driver’s license or report to probation officers.
• Your region may have a form that covers this situation. If so, fill out the required portions of the form, including a summary of how often the client attended scheduled sessions. Make sure you sign and date the form as well as having the client sign and date the form. Provide the client with a copy, and keep the signed original in the client's health record.
• Give the certificate directly to the client whenever possible, so the client can determine who receives the form. Make sure you document in the record what your role was and what information you provided the client.

42 CFR Part 2 applies to any program that involves substance abuse education, treatment, or prevention and is regulated or assisted by the federal government. Therefore, to be safe, all THO counselors and BHA/Ps need to observe these laws and regulations. This applies to all records relating to the identity, diagnosis, prognosis, or treatment of any patients who have ever mentioned their substance use or even non-use in an assessment or counseling situation.

In the substance abuse field, confidentiality is governed by federal law under what is called the Title 42 of the United States Code for Public Health and Social Welfare and under federal regulations called 42 Code of Federal Regulations, Part 2. Counselors refer to the shorthand “42 CFR Part 2” for the law and regulation protecting the confidentiality rights of clients dealing with any form of addiction. It is important for BHA/Ps to know that 42 CFR Part 2 legally restricts the ways that protected client information must be handled, used, or disclosed. It clarifies the limited circumstances under which information about the client’s treatment may be disclosed with and without the client’s consent.

According to 42 CFR Part 2, information can be shared if written consent is obtained. A written consent form requires the following ten elements:

1. The names or general designations of the programs making the disclosure.
2. The name of the individual or organization that will receive the disclosure.
3. The name of the patient who is the subject of the disclosure.
4. The specific purpose or need for the disclosure.
5. A description of how much and what kind of information will be disclosed.
6. The patient’s right to revoke the consent in writing and the exceptions to the right to revoke or, if the exceptions are included in the program’s notice, a reference to the notice.
7. The program’s ability to condition treatment, payment, enrollment, or eligibility of benefits on the patient agreeing to sign the consent, by stating (a) that the program may not condition these services on the patient signing the consent, or (b) the consequences of the patient refusing to sign the consent.
8. The date, event, or condition upon which the consent expires if not previously revoked.
9. The signature of the patient (and/or other authorized person).
10. The date on which the consent is signed.

When used in the criminal justice setting, expiration of the consent may be conditioned on the completion of, or termination from, a program instead of on a date.

By law, 42 CFR Part 2 allows for disclosure by counselors where the state mandates child abuse and neglect reporting, when cause of death is being reported, or with the existence of a valid court order (subpoenas are insufficient). Programs are permitted to disclose patient-identifying information in cases of medical emergency, in reporting crimes that occur on program premises or against staff, to entities having administrative control, to qualified service organizations, and to outside auditors, evaluators, central registries, and researchers.

Consult with your supervisor if you get a request from your client or someone else for records that include information about substance or alcohol abuse treatment.

The Health Insurance Portability and Accountability Act (HIPAA) requires providers to keep private what’s known as protected health information (PHI)

• If someone can identify the client based on the information in the record or communication, that record has PHI and must be protected and kept confidential.
• PHI is also called individually identifiable information. It includes records that have any information (such as name, address, birth date, identification number, etc.) that could be used to identify the client.
• When in doubt, treat all client records like they contain PHI.

Contact your supervisor if you are not sure what is allowed or if someone asks for information without meeting these requirements.

You may not share or disclose PHI unless one of the following applies:

• The patient agrees in writing (through a signed ROI or a HIPAA authorization).
• There is a court order mandating disclosure.
• You have a legitimate need to use the PHI to provide treatment, seek payment, or perform health care operations. Check your organization’s policies and procedures for any other applicable “permissible” uses under HIPAA (45 CFR 164.512) or the Federal Privacy Act of 1974, if applicable to your organization.

Release only the minimum necessary amount of PHI for “routine” and “recurring” uses. This means that when someone requests PHI, you should not release more information than is needed at that time. Examples of when to release a partial record:

• Coordinating treatment: providing services or coordinating with other health care providers to provide services to the same individual. For example, if a provider needs to see what medications a patient/client is currently taking, provide only the portion of the record that contains that information.
• Seeking payment: billing, coding, and submitting claims information to health care payers such as Medicaid/Medicare, Denali Kidcare, or private insurance companies. For example, if someone needs to see what services were provided on March 3, 2009, only give them the records related to those services, not the entire health record.
• Health care operations: the things you and your employer do to run the clinic, such as appointment scheduling, case review, quality assurance, accreditation, certification, and licensing.

Reasonable Safeguards. You are also required to make sure the records are safe from being viewed by other people. Follow your organization’s policies and procedures or consult with your clinical supervisor for additional guidance.

The Federal Privacy Act of 1974 is a federal law that governs how to handle personally identifiable information in client charts and anywhere funded, even in part, by the United States Government. The Privacy Act must be interpreted consistently with any State of Alaska law or Alaska Native Tribal Law. This refers to all BHA/Ps and all other employees working within a THO. There are no exceptions.

The Privacy Act bans the release of information from records without specific written consent from the individual getting services or as otherwise permitted as a routine use as defined in the Privacy Act regulations. The Privacy Act also ensures that clients have access to and the right to make amendments to their record where incorrect information is found within the record (similar to the HIPAA regulations regarding requests for amendments or requests to restrict use of protected health information). Recordkeeping standards arise out of the Privacy Act and HIPAA, such as security measures/safeguards, how records are to be maintained, and the limits on how they can be used or disclosed.

The Privacy Act also states who may access these confidential records, such as for:

• Statistical purposes by the Census Bureau and the Bureau of Labor Statistics.
• Routine uses as outlined in the Privacy Act regulations.
• Archival purposes “as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government.”
• Law enforcement purposes.
• Congressional investigations.
• Other administrative purposes.

The Privacy Act is similar to HIPAA. If you get a subpoena or other request from a court or agency, please consult with your clinical supervisor before disclosing the confidential records.