Protecting Substance Addiction Data: The ChallengesRecent Breaches Call Attention to Complex Privacy Compliance Issues
Two organizations that provide treatment to patients with substance addictions have recently reported breaches of their patients' sensitive information.
Compliance experts point out that many organizations that provide treatment for substance abuse disorders must comply with HIPAA as well as the stricter privacy requirements under a regulation know as 42 Code of Federal Regulations Part 2, which can create challenges. As a result, some have called for harmonizing the two regulations.
The substance abuse treatment facilities recently reporting health data breaches as required under the HIPAA Breach Notification Rule are Riverplace Counseling Centers in Anoka, Minnesota, and Health Recovery Services of Athens, Ohio.
Riverplace Counseling Center on April 11 reported to the Department of Health and Human Services a hacking/IT incident affecting about 11,600 individuals. In a statement, Riverplace said it hired a computer technology firm to assist in removing malware and restoring its systems from backup, although the entity did not specifically say the attack involved ransomware.
"Although the investigation did not identify any evidence of access to your information, we unfortunately could not completely rule out the possibility that your personal information, including your name, address, date of birth, Social Security number, health insurance information and treatment information, may have been accessible," Riverplace's statement says.
The Minnesota organization did not immediately respond to an Information Security Media Group request for additional details.
Breach in Ohio
On April 5, Health Recovery Services reported to the HHS an unauthorized access/disclosure breach involving a network server and affecting more than 20,000 individuals.
In a statement, HRS says that it discovered in February that its computer network had been accessed by "an unauthorized IP address."
HRS says forensic experts determined the unauthorized access to the network started in November 2018. So far, there is no evidence that data was accessed or acquired, the organization says. Potentially exposed information includes patient name, address, birth dates, and in some cases, medical information, diagnosis and Social Security numbers, the statement notes.
HRS says it "rebuilt its entire computer network to ensure it was secure and free of any security threat."
The organization did not immediately respond to ISMG's request for additional details.
These two breaches of particularly sensitive information serve as a reminder of the extra precautions that certain substance addiction and mental health treatment facilities must take to protect their patients' privacy.
In general, entities must comply with HIPAA as well as a regulation known as 42 CFR Part 2 if they receive federal funding for providing substance use disorder treatment, says privacy attorney Iliana Peters of the law firm Polsinelli. It's not clear, however, whether both Riverplace and HRS are required to comply with 42 CFR Part 2.
"If a U.S. attorney believed it appropriate, the government could criminally prosecute a program subject to 42 CFR Part 2 for impermissibly disclosing substance use disorder information."
—Adam Greene, Davis Wright Tremaine
Federal funding can include payment for treating Medicare and Medicaid patients with substance abuse issues. In addition, entities registered to dispense controlled substances related to the treatment of substance abuse disorders also fall under the regulatory umbrella of 42 CFR Part 2, Peters notes.
Under 42 CFR Part 2, healthcare entities are prohibited from disclosing any information that would identify someone as having a substance use disorder unless that individual provides written consent, according to the Department of Health and Human Services' Substance Abuse and Mental Health Services Administration website.
"Part 2 specifies a set of requirements for consent forms, including but not limited to the name of the patient, the names of individuals/entities that are permitted to disclose or receive patient identifying information, the amount and kind of the information being disclosed, and the purpose of the disclosure," SAMHSA says.
HIPAA - unlike 42 CFR Part 2 - generally permits the disclosure of protected health information for certain purposes, including treatment, payment or healthcare operations, without patient authorization,
Information Sharing Push
In general, regulators expect healthcare entities to securely share patient's health information with other providers - and to not participate in so-called "information blocking" - to improve coordination of care and patient outcomes. But the extra hurdles of 42 CFR Part 2 can present extra challenges.
"Because 42 CFR Part 2 places greater restrictions on internal sharing and external disclosure of substance use disorder information, a program subject to the law generally must isolate the information beyond the safeguards for other types of protected health information," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "For example, the information may have special confidentiality restrictions in an electronic health records system."
Part 2 rules "are one of the most confusing elements of the current debate in healthcare privacy and security," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"The law and related rules were passed more than 30 years ago, before HIPAA existed, when the goal was to encourage individuals to seek substance abuse treatment without fear that this treatment would be used against them in criminal prosecutions," Nahra says. "While that is obviously an important goal, the entire system around these rules has changed. That's why there has been so much discussion about how to ensure that this information is both protected but also available for appropriate uses in a modern healthcare environment."
An assortment of past and current legislative efforts - as well as lobbying efforts by healthcare industry associations - have sought to better align 42 CFR Part 2 with HIPAA. That includes a lobbying effort focused on regulators and Congress by the Partnership to Amend 42 CFR Part 2. The coalition of nearly 50 national healthcare organizations supports efforts to align Part 2 with HIPAA "to allow appropriate access to patient information that is essential for providing whole-person care."
"I would like to see these rules completely harmonized with HIPAA, but that likely would involve a change to the statute - the statute may not let the regulators go as far as complete harmonization," Nahra says.
Greene says he would like to see substance use disorder information treated like any other protected health information, but with additional restrictions on disclosures to law enforcement or the courts. "This would allow the information to be shared more freely as necessary for treatment and remove operational challenges to segregating the data, while still restricting the information from leaving the healthcare system in a manner that could be harmful to the individual," the attorney says.
What about breaches involving patient information that falls under 42 CFR Part 2?
Criminal penalties apply to disclosures without consent of substance use disorder records by programs covered by Part 2, Peters notes.
"However, given that HIPAA would otherwise apply, the security and breach notification requirements would also apply, and would provide protections for this information beyond the privacy protections of Part 2," she says.
"If a U.S. attorney believed it appropriate, the government could criminally prosecute a program subject to 42 CFR Part 2 for impermissibly disclosing substance use disorder information," Greene notes. "That being said, we have not yet seen such a prosecution in the over 40 years that the regulation has been in effect."
Nahra offers a similar perspective. "One of the oddities about Part 2 has always been enforcement. I am unaware of any enforcement of these rules at any time. There is no clear path to enforcement, other than the possibility of criminal prosecution, which obviously is unlikely. So, a covered Part 2 entity would generally be dealing with the HIPAA breach notification rules and perhaps state laws, but not really about Part 2 for the breach itself."
Entities complying with 42 CFR Part 2 often face additional hurdles in times of crisis and in other situations, Peters notes. "Part 2 requirements make it extremely difficult to share information with family and friends of individuals in crisis and for research on substance use disorder issues," she notes.
"Given that HIPAA applies, it's not clear why the additional protections for this information are necessary, and these protections may, in fact, be hindering providing help to individuals with substance use disorders, particularly with regard to involving their family and friends if they do not object, and to research on this epidemic."