Perceptions of Protection

The Truth About Confidentiality

The Truth About Confidentiality

The first movie scene that pops into my head when I think of Truth is that emotional scene between Tom Cruise and Jack Nicholson in a Few Good Men.  Cruise, the Navy JAG lawyer says “I Want the Truth.”  The Commander replies “You Can’t Handle the Truth.”  Well, I disagree with the Commander.  We are not just a few good men, we are several hundred thousand clinicians, CEOs and advocates within the substance use disorder (“SUD”) field who are committed to helping the people who need hope and healing who can handle the truth, and who search for truth and higher purpose.

As many of you know, our SUD field has one of the most stringent confidentiality laws to protect the privacy of patient identifying information.  This law, now 42 U.S.C. 290dd-2was originally enacted in the early 1970s (the “SUD Confidentiality Law”). Congress passed the SUD Confidentiality Lawin order to encourage people to seek treatment.  This law and its detailed regulations, 42 C.F.R.Part 2, are intended to provide extra protection because for no other disease can you lose your liberty and be imprisoned. 

I have long been an advocate of updating the SUD ConfidentialityLaw and the 42 year-old regulations to address needed information sharing to better coordinate care, increase patient safety and improve health outcomes while simultaneously enhancing patient protections.  These updates are especially needed in an electronic health record environment where security and health privacy is priority for most Americans.  We need to be cognizant of the many data mandates imposed on the health care delivery systems as a result of HITECH and the Affordable Care Act as well as research and data provisions in the 21st Century Cures Act just passed in December 2016.  Just like we all have a credit rating score, we have reached a time in history where each of us has a health risk score that is used for many purposes.It is more important than ever we consider how to achieve balance between needed information sharing and patient protections, especially for patients and persons in recovery.

In the process of analyzing ways to improve and update these existing laws, I discovered something very troubling.  There is no enforcement of the law, it is only a perception of protection.  You are probably saying to yourself, what do you mean this is not enforceable?  Didn\'t the government just issue a new revised 42 C.F.R. Part 2 on January 18, 2017?  Yes.  Haven’t many lawyers, trade associations and advocacy groups provided updates on the new regulations?  Yes.  Why wouldn\'t anyone talk about the enforcement problem?  Because we are so busy focusing on the details of compliance with all the Part 2 requirements, most have not stepped back to see the big picture.  No one has taken the time to connect the dots.  You can’t believe that is true, how could it be?  How could this go on for so long and no one else has identified this problem?  The past has happened and you cannot change it, but you can wake up and create a new reality.Together, we have an opportunity to act; to fix a problem based ontruth that is revealed. Here are the facts:

Unlike the substantial penalties set forth in the HIPAA and HITECH statutes, Part 2 provided for criminal fines of not more than $500 for a first offense and not more than $5,000 for each subsequent offense.[1]  This penalty provision has been amended in the new 2017 final regulations to only reference Title 18.[2]  Conceivably, these fines could amount to substantial penalties for numerous disclosures in an electronic record system.  These original fines were set forth in 42 U.S.C. 290ee-3(f) and 42 U.S.C. 290dd-3(f).  However, both Sections 290ee-3 and 290dd-3 were eliminated in 1992 by Public Act 102-321.  These two statutes were rolled into a new statute 290dd-2 and renamed the Confidentiality of Records.[3]

The new 290dd-2 statute eliminated the stated fines and only reference Title 18.  Specifically, the penalties provision now reads, “Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined in accordance with Title 18.”  No specific mention of felony, misdemeanor or infraction, so no notice of amount of criminal penalty.  No mention of the SUD Confidentiality Law violation fines, penalties or offenses exist in Title 18.  In fact, the only federal criminal offenses relating to privacy in Title 18 are contained in Section 1510(e) pertaining to violations for disclosure under the Fair Credit Act and Privacy Act and 1801 relating to privacy offenses for video voyeurism. 

Strict rules of construction apply to criminal statutes because of due process protections.[4]Additionally, the new final rules clearly state “because there is a criminal penalty for violating the regulations, they are to be construed strictly in favor of the potential violator.”[5]Thus, without an express provision in Title 18 pertaining to the confidentiality of drug and alcohol treatment records, enforcement is not likely.  Simplicity and clarity are critically important to allow patients to understand their rights. However, a confidentiality protection no matter how simple or complicated is meaningless if it is unenforceable.[6]

There is no private right of action under the SUD Confidentiality Law.  United States Attorneys are responsible for prosecuting cases involving the unauthorized or improper disclosure of patient records.  The prosecutorial obligation is based on the Department’s responsibility to enforce all federal criminal statutes.[7]  The United States Department of Justice, United States Attorney Criminal Resource Manual (the “Manual”) contains a section addressing the Confidentiality of Patient Records.[8]  Section 1872 of the Manual specifically provides “The Attorney General may not provide legal representation solely to vindicate private rights or to redress private grievance in which the public has no vital interests.”  However, a United States Attorney may represent a non-government party in a civil case where the interests of the United States are meaningfully involved.  The Manual further provides “United States Attorneys appear to have no obligation to act as legal representatives for program personnel when requests are made of such personnel by law enforcement officers for patient records or other patient information.” The Manual continues by stating the United States Attorneys are responsible for prosecuting cases involving unauthorized or improper disclosure of patient records.  However, the Manual states “the sanctions for such violation are the fines set forth in 42 U.S.C. 290ee-3(f) and 42 U.S.C. 290dd-3(f)” both of which no longer exist.  The Manual advises that when a report of an alleged confidentiality violation is received by a United States Attorney, the matter should be carefully reviewed to determine whether the facts and the nature of the violation warrant prosecutorial action.  To date, no such prosecutions have occurred.

The Firm contacted SAMHSA to inquire about the penalty provision in the SUD Confidentiality Law.  The Public Health Advisor, responsible for Part 2 questions, could not identify the penalty section in Title 18 and referred us to the Department of Justice.  We also reached out to a couple of attorneys in the Department of Justice and two Assistant U.S. Attorneys and no one was able to identify the penalty amount or provide a citation to the provision in Title18 that could be used to enforce the SUD Confidentiality Law.  That is because it does not exist.

SAMHSA has promulgated the revised final Part 2 regulations on January 18, 2017[9]. Of significance, the new revised regulations removed the previous penalty language in Section 2.4 that stated “any person who violates these regulations shall be fined not more than $500 per offense, and not more than $5,000 in the case of each subsequent offense and included only a reference to Title 18.” 

This enforcement issue is of great interest to state and national advocacy organizations especially in light of all of the hurdles these Part 2 regulations pose for health care providers to follow meaningful use requirements, provide integrated, effective and coordinated care as mandated under the Affordable Care Act and implement electronic records as envisioned by HITECH.  A Partnership to Amend Part 2 has been formed and currently 22 national organizations participate. This group will be introducing legislation this spring.It is critically important for you to engage in this public policy debate.  It is not a matter of if, but when the statute will be amended. 

At a time when our nation is facing the greatest heroin crisis in history, we need to encourage treatment. There is no doubt in my mind we have a statutory drafting error that needs to be fixed. Perhaps a blessing in disguise, an opportunity to make the law better, to be clear on what information can and should be shared to better coordinate care and to be clear on how wecan better protect patients from discrimination and restrict use of their health information for non-health care purposes.  The patients whose information the statute was designed to protect deserve the truth about the perceptions of protection.

Just because a Truth is

not what we expect,

not what we want to hear,

or not what we want to believe,

it does not make it untrue.

Truth withstands all challenges and disbelief.

Truth raises our consciousness.

Truth inspires positive action.


[1] 42 C.F.R. 2.4, based on 42 U.S.C. 290ee-3(f) and 42 U.S.C. 290dd-3(f) (which were eliminated in 1992 via Public Act 102-321).

[2] 42 C.F.R. 2.3 (82 Fed. Reg. 6116, January 18, 2017).

[3]290dd-2 was included as Section 543 in Public Act 102-321.

[4] See also 42 C.F.R. 2.2(b)(3) which expressly states “because there is a criminal penalty for violating the regulations, they are to be construed strictly in favor of the potential violator in the same manner as a criminal statute.”

[5]42 C.F.R. 2.2(b)(3) (2017).

[6] R. Popovits comments on FR Doc #2016-01841 submitted April 11, 2016 to HHS (HHS-OS-2016-0005-0040).

[7]28 U.S.C. 516.


[9] See 82 Fed. Reg. 6052-6127 (January 18, 2017).

About Renée Popovits, J.D., the Author.

RENÉE POPOVITS, is the founder of Popovits Law Group. The Firm celebrates 20 years of service this year. Renée has devoted her 27 year legal career to policy issues that can have a positive impact on persons in recovery, rectifying health injustices, expanding treatment access for the underserved and providing ethical and legal guidance to providers in the addiction field. Renée has represented behavioral health providers across the country and is considered a national expert on confidentiality issues, ethics, managed care issues, contracting, behavioral health integration, corporate compliance, and variety of regulatory and public policy matters. Renée has co-authored Critical Incidents with Bill White, a comprehensive ethics book for addiction treatment staff in addition to numerous other chapters and articles. She is writing ethical manuscripts which will be released in 2017. She has trained thousands of front-line addiction treatment workers and developed corporate compliance programs and codes of ethics for treatment centers. We look forward to Renée’s unique perspective on ethics at a time when the field needs her most.

Facebook Google LinkedIn Twitter Email Print

Inviting Authors, Companies and Professionals working in Addiction Recovery

To submit their profiles, events, articles on our website, To know about our all membership plans and features

Click here »