Confidentialiy of Substance Abuse Disorder Patient Records Rule

Question 1

Sector

Answer 1

Medical

Question 2

Year Passed/Amended

Answer 2

1970/1972

Question 3

Original Purpose

Answer 3

Protect the privacy of those seeking alcohol and substance abuse treatment (so, for instance, they wouldn’t refrain from disclosing crimes during treatment)

Question 4

Primary Requirements

Answer 4

Precludes disclosure of patient-identifying information concerning alcohol or substance abuse treatment

Question 5

Term for relevant PII or regulated data

Answer 5

Patient-identifying information

Question 6

Definition of relevant PII or regulated data

Answer 6

Information that could reasonably be used to identify, directly or indirectly, a person who has been diagnosed with a substance abuse issue or who has undergone treatment for the same

Question 7

Types of penalties

Answer 7

Criminal only

Question 8

Enforcing Authority - Criminal

Answer 8

U.S. Attorney’s office

Question 9

Penalties - Criminal

Answer 9

First violation up to $500

Subsequent violations: up to $5,000

Question 10

Preemption

Answer 10

Does not preempt stricter state laws

Question 11

Private Right of Action?

Answer 11

No

Question 12

FIP individual rights provided

Answer 12

Consent (no notice, no access–though both are likely provided under HIPAA)

Question 13

Consent requirements

Answer 13

Written opt-in consent. Must explicitly describe the type of information to be disclosed. May include a general designation for treating entities or individuals

Question 14

Exceptions to consent

Answer 14

(a) Medical emergencies;
(b) Scientific research;
(c) Communication with a Qualified Service Organization (QSO–similar to business associates or TPO exception in HIPAA);
(d) to report crimes on program premises or against program personnel;
(e) to report child abuse;
(f) to comply with a court order

Question 15

FIP controls provided

Answer 15

Information security (no information quality)

Question 16

Information security requirements

Answer 16

Must have formal policies in place to protect the security of the information

Question 17

FIP information lifecycle areas covered

Answer 17

Use and retention, disclosure (not collection/disposal)

Question 18

Use and retention requirements

Answer 18

Must have formal policies in place to protect the security of the information

Question 19

Disclosure requirements

Answer 19

Must have written (opt-in) patient consent. Must explicitly describe the type of information to be disclosed. May include a general designation for treating entities or individuals.
“Compassionate sharing” exception (Cures Act)

Question 20

Redisclosure requirements

Answer 20

Requires separate written consent

Question 21

Right to list of disclosures?

Answer 21

Yes (for general designation)

Question 22

FIP Management standards covered

Answer 22

Administration, but only to the extent that it requires information security controls (no monitoring and enforcement)