HIPAA vs. Part 2 Confidentiality Compliance: What You Should Know

Privacy is one of the mainstays of healthcare, which is why confidentiality compliance has become such an important topic over the years. Doctors and other medical professionals are required to maintain the confidentiality of their patients' information, both to build trust and to ensure that care is not compromised. Beyond the legal requirements, confidentiality and privacy are part of the profession's standard of ethics. Here is what you should know about HIPAA and 42 CFR Part 2 confidentiality compliance.

What Is HIPAA?

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to address, among other things, patient privacy and the security of health data. Its implementing regulations, the HIPAA Privacy and Security Rules issued by the U.S. Department of Health & Human Services (HHS), define which patient information counts as "protected health information" (PHI) and how it must be safeguarded. Patients are given rights over that information, including the right to access their medical records, to request corrections, and to authorize (or refuse) how their information is shared beyond treatment, payment, and healthcare operations.

Who Is Required to Comply With HIPAA?

In general, healthcare and medical personnel are required to comply with HIPAA, but the "covered entity" definition is broader than clinicians. A covered entity is a health care provider, a health plan, or a health care clearinghouse: this includes doctors, psychologists, chiropractors, clinics, dentists, pharmacies, and nursing homes, as well as HMOs, PPOs, Medicare, and other health plans. Vendors that handle PHI on behalf of a covered entity, such as billing, accounting, data analysis, and claims-processing services, are "business associates" and must comply as well, under a business associate agreement and, since the HITECH Act of 2009, directly under the Security Rule. A provider becomes a covered entity when it transmits health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, and similar). Organizations that are unsure whether HIPAA applies to them should treat the data as PHI and comply fully rather than guess.

What Information Does HIPAA Protect?

HIPAA protects individually identifiable health information, that is, health information that can be linked to a specific person, whether it is held on paper, electronically, or communicated orally. Information that has been de-identified is no longer PHI and is not subject to the Privacy Rule. The rule recognizes two ways to de-identify data: the "Safe Harbor" method, which removes a fixed list of identifiers (names, geographic detail smaller than a state, dates other than year, contact details, Social Security and record numbers, biometric and photographic identifiers, and the like) and requires no actual knowledge that the remainder could identify the person; and "Expert Determination," in which a qualified expert documents that the risk of re-identification is very small. So, if a facility keeps analytics or research data separate from the individual's health record, it must make sure that data meets one of these standards, with no reasonable basis to believe it could be used to identify the patient.

How Is HIPAA Enforced?

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and it has a large number of organizations to cover. OCR investigates complaints and breach reports, can require corrective action plans, and can impose civil money penalties that scale with the level of culpability; knowing misuse of PHI can be referred to the Department of Justice for criminal prosecution, and state attorneys general may also bring civil actions. In practice most investigations close with technical assistance or a corrective action plan rather than a fine, but medical facilities and doctors' offices still handle HIPAA compliance with proper care and oversight, because a documented failure to do so is what turns a breach into a penalty.

What Is 42 CFR Part 2?

42 CFR Part 2 is the federal regulation titled Confidentiality of Substance Use Disorder Patient Records, which protects the records of patients receiving treatment from substance use disorder (SUD) programs. Congress enacted the underlying statute in the 1970s, and the Substance Abuse and Mental Health Services Administration (SAMHSA) revised the regulations in 2017 and 2018 (and again in 2020 and 2024 to align them more closely with HIPAA). The purpose of Part 2 is to remove the stigma of seeking treatment by preventing a patient's SUD treatment information from being disclosed without the patient's written consent. Its scope is narrower than HIPAA's but still broad in practice: it applies to SUD programs that are "federally assisted," and federal assistance includes Medicare or Medicaid reimbursement, federal tax-exempt status, and federal licensing or registration (such as DEA registration to prescribe controlled substances), so most programs qualify. Part 2 can also apply within a "mixed-use facility," such as a general hospital where an identified unit or identified staff provide SUD treatment alongside other services; in that case the SUD records, not the entire facility, fall under Part 2. Violations are reported to the U.S. Attorney for the district and to SAMHSA; since the CARES Act of 2020, the same civil and criminal penalties that apply to HIPAA violations apply to Part 2 violations.

How to Comply With HIPAA and 42 CFR Part 2

If you are a medical facility that also provides substance use disorder treatment, you are required to comply with both HIPAA and 42 CFR Part 2, which means you must be particularly careful about how you handle a patient's health and treatment records both while they are a patient of your facility and after they have left treatment. The practical difference is that HIPAA permits disclosure of PHI for treatment, payment, and healthcare operations without the patient's authorization, whereas Part 2 generally requires the patient's written consent before SUD treatment records are disclosed and prohibits the recipient from redisclosing them without further consent. In general, protected identifiers include the patient's name, address, Social Security number, biometric identifiers such as fingerprints, full-face photographs, names of relatives or household members, employer's name, dates directly related to the individual (other than year), telephone numbers, email addresses, medical record numbers, health plan beneficiary numbers, and vehicle identifiers such as license plates. You may be required to comply with additional restrictions under state health-privacy law, which can be stricter than the federal rules. All of this is part of the effort to protect patient privacy so that confidentiality does not become a barrier when someone seeks medical care. Patients need to know that their health concerns will not be made public.
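The following is an added example, not code from the original article or from any regulator: it applies the Safe Harbor approach described under "What Information Does HIPAA Protect?" to the identifier list above. It drops the direct-identifier fields from a constructed patient record, reduces dates to the year, buckets ages over 89 (and suppresses the birth year that would reveal such an age), redacts identifier patterns from free-text notes, and then checks that no recognizable identifier remains. The field names, regular expressions, and sample record are assumptions for illustration.

```python
"""Safe Harbor-style de-identification of a patient record (illustrative example).

Field names, patterns and the sample record are constructed for this example;
they are not taken from HIPAA, 42 CFR Part 2, or any real system.
"""
import re
from datetime import date

# Fields dropped entirely because they are direct identifiers (names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "ssn", "phone", "email", "mrn", "health_plan_id",
    "relatives", "employer", "vehicle_plate", "fingerprint_template", "photo_url",
}

# Date fields reduced to year only (Safe Harbor keeps only the year of dates).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_death"}

# Identifier patterns that commonly leak into narrative notes.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "MRN": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.IGNORECASE),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def redact_text(text: str) -> str:
    """Replace each identifier pattern in free text with a category token."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def year_only(value):
    """Return the year of a date or ISO 'YYYY-MM-DD' string, else None."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"(\d{4})-\d{2}-\d{2}$", str(value))
    return int(m.group(1)) if m else None


def deidentify(record: dict) -> dict:
    """Produce a Safe Harbor-style copy of the record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers outright
        if key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)  # scrub identifiers from free text
        else:
            out[key] = value
    # Ages over 89 must be aggregated into "90 or older", and any date element
    # (including birth year) that would reveal such an age must go too.
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
        out.pop("dob_year", None)
    return out


def residual_identifiers(record: dict) -> list:
    """Return (field, label) pairs for any identifier still present."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            found.append((key, "DIRECT"))
        elif isinstance(value, str):
            for label, pattern in PATTERNS.items():
                if pattern.search(value):
                    found.append((key, label))
    return found


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "mrn": "00012345",
    "name": "Jane Q. Patient",
    "dob": "1931-07-04",
    "age": 92,
    "ssn": "123-45-6789",
    "phone": "(555) 867-5309",
    "email": "jane@example.com",
    "address": "1 Main St, Springfield",
    "employer": "Acme Corp",
    "admit_date": "2023-03-14",
    "diagnosis": "F10.20",
    "notes": ("Pt seen 03/14/2023 for follow-up (MRN 00012345); callback "
              "555-867-5309, spouse at sam@example.com. SSN on file 123-45-6789."),
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Pattern-based redaction of free text is a backstop, not a guarantee: a name or an address written out in a clinical note will not match any of these patterns, so narrative fields still need review (or a dedicated PHI-detection tool) before data is treated as de-identified, and a dataset that must keep more detail than Safe Harbor allows is a case for the Expert Determination method instead.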

Why Are Confidentiality and Privacy So Important?

Confidentiality is important because some patients will not seek medical attention if they believe their privacy will be compromised. That concern may relate directly to an injury, a disease, a disability, or another health condition, or patients may simply not want anyone to know their business. Under both HIPAA and 42 CFR Part 2, a person is entitled to expect that their protected health and treatment information will not be shared without their authorization except where the rules specifically allow it. With a better understanding of what is protected, patients can advocate for themselves and ensure their medical information is not disclosed in ways that are inappropriate and potentially embarrassing.