US Pharm. 2012;37(12):HS-16-HS-18.

It is important for pharmacists to be familiar with the complex regulations regarding the privacy of certain data for patients who suffer from behavioral health disorders, including alcohol and drug abuse, since pharmacists may fill medications for these patients and may be otherwise involved as part of the health care team. Furthermore, pharmacists may participate in electronic data exchange concerning such patients, for example, through electronic prescribing networks.

According to the National Alliance for Mental Health, mental illnesses are medical conditions that disrupt a person’s thinking, feeling, mood, ability to relate to others, and daily functioning.1 Examples of behavioral health conditions include anxiety and depression, psychosis, bipolar disorder, post-traumatic stress disorder, panic attacks, and borderline personality disorder. In addition, patients may exhibit addictive behavior, including alcohol and substance dependency. Behavioral health conditions are usually treatable, and in many cases improvement in symptoms or recovery is possible. Treatment plans are individualized and offer a variety of modalities including medications.1

Privacy of behavioral health and alcohol and substance abuse records is of utmost importance to avoid stigma and discrimination. Some patients with behavioral health problems are underinsured and do not have adequate coverage for their mental illness. Hence, patients are at risk for fragmented and uncoordinated care. The problem is exacerbated in complex patients who have two or more chronic conditions, such as a behavioral health condition in concert with a distinct chronic medical issue such as diabetes. These patients are at great risk for uncoordinated care of both conditions.

One of the great promises of health information technology (HIT) is the ability to provide critical health care data to all members of the team of clinicians, including pharmacists, who are caring for a complex patient with multiple comorbid conditions, including a behavioral health condition. In caring for these complex patients, there must be communication and data exchange between clinicians who provide services for the physical health of the patient, as well as the clinicians who treat the client’s behavioral health and substance abuse issues. The emerging national and state infrastructure to promote health information exchange can facilitate communication between clinicians, but must be implemented in a manner that protects patient privacy.

HIPAA Rule and More

The foundation for protecting the privacy of behavioral health data lies in the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, as previously reviewed in one of the earlier columns in this series.2 The HIPAA Privacy Rule provides strong legal protection for health care information, but allows sharing of data for health care operations and treatment. In addition to HIPAA, there are applicable federal laws and regulations that are stricter than HIPAA, the most stringent of which are the Substance Abuse Part 2 laws and regulations (42 U.S.C. § 290dd-2 and 42 CFR Part 2).3  

These laws were enacted after Congress recognized that the significant stigma associated with substance abuse, coupled with fear of prosecution, deterred patients from seeking treatment.3 In the absence of assured confidentiality, many patients with behavioral health disorders might actively avoid or refuse treatment. Any drug and alcohol treatment program that receives federal assistance in any form (even if not directly paying for the drug and alcohol services) is subject to the provisions of the Substance Abuse Part 2 regulations. Private organizations that receive no federal assistance of any kind are exempt (the patients at these facilities have either private insurance or pay for care themselves). Hence, the majority of alcohol and substance abuse treatment programs must adhere to the federal rules.3 Any clinician who uses his or her Drug Enforcement Administration registration to prescribe controlled substances for treatment or maintenance in cases of alcohol and substance abuse is also automatically subject to the Substance Abuse Part 2 regulations. The major differences between the HIPAA Privacy Rule and the Substance Abuse Part 2 regulations have been summarized in a document from the Substance Abuse and Mental Health Services Administration (SAMHSA).4

It has been challenging to understand how electronic health information exchange can be configured in practice to comply with these stringent federal substance abuse regulations, particularly because explicit patient consent is required for most disclosures, as well as redisclosures, of certain substance abuse data. In 2010, SAMHSA and the Office of the National Coordinator for Health Information Technology issued guidance on how this goal can be legally accomplished.3  

In order for any protected information pertaining to alcohol and substance abuse to be exchanged electronically through a Health Information Organization (HIO), there must be either a record of patient consent or a Qualified Service Organization agreement in place in order for a covered entity to provide the information to the HIO. Then there must be another record of patient consent in order for the HIO to redisclose the information to other HIO-affiliated members. There are only a limited number of exceptions to these rules, such as a medical emergency. In addition, a general consent to release medical information is not applicable. The consent must specifically comply with the substance abuse regulations. A consent instrument in an appropriate electronic format with a legal electronic signature can be utilized. Any electronic transmission of protected alcohol and substance abuse data must also be accompanied by an electronic notice stating that this information is protected. By law, this statement must read3:

This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.

In addition to the federal laws and rules, there are various state laws that are, in many cases, more stringent than HIPAA. A 2009 report commissioned by the Agency for Healthcare Research and Quality reviews the common features and differences among these laws.5 In general, the state laws cover the areas of HIV, genetic information, alcohol and substance abuse, and mental health data. In some states the laws are very restrictive, and in other states more permissive. This intricate legal environment makes interoperable health care data exchange involving any of these data elements across state borders very complex, indeed. Efforts are under way to develop a road map to navigate through this array of state laws.  

One additional area requiring policy clarification is in the sharing of data with health plans and managed care organizations. There is a tension between payers and providers regarding what personal information should be shared for payment purposes for patients receiving mental health and substance abuse treatment. In some cases more stringent state laws will apply, and in other cases federal rules will set the minimum requirements. For example, it is clear that patient consent is required under the Part 2 rules for a payer to receive protected alcohol and substance abuse treatment data to support a disease management or care improvement program.3  

Mobile Devices and Privacy

In addition to considerations relating to legal and policy issues, the introduction of new technology offers both promise of improved care, and challenges to maintain patient privacy. For example, the introduction and widespread use of mobile devices affords patients the opportunity to transmit observations of daily living (ODLs) to health care practitioners. This category of patient-generated information can provide valuable insights into the status of a patient’s health. However, this technology also introduces many security and privacy risks.6 From a legal and policy perspective, HIPAA applies to health care practitioners, but it does not apply to patients. Hence, when patients generate their own data using applications on their mobile devices, the HIPAA security rule does not apply.  

In a study entitled Project HealthDesign, funded by the Robert Wood Johnson Foundation, patients received smartphones so that they could send ODLs to health care providers. The investigators attempted to define a security paradigm for data generated by patients on mobile devices and transmitted to health care practitioners.6 Major privacy and security threats related to mobile devices include loss, theft, unauthorized access, and cloning. Even though the HIPAA security rule does not apply to patient-generated data, it was used as a useful framework for analysis of the relevant risks.  

One major consideration was encryption of the data, specifically text messages.6 Some smartphones, such as BlackBerry, already provide encryption functionality. Other smartphones can accept third-party software for encryption of data. Without appropriate encryption algorithms in place, text messages can be intercepted by third parties and the contents revealed. Alternatives to use of encrypted text messages include the use of a secure Web portal. While passwords and automatic log-off functionality for the mobile device can add more layers of security, patients often view these as inconvenient and bypass these measures.6 Health care providers who encourage patients to transmit data from mobile devices should educate their patients about security measures and risk mitigation strategies, particularly if the patient opts not to implement the recommended security measures. The more sensitive the data (such as behavioral health data), the more important it is for the patient to consider implementing recommended security features on the mobile device.

Although originally designed for patient applications, these same security measures could be applied to mobile devices employed by clinicians—for example, e-prescribing applications on hand-held mobile devices. This would improve the security of data transmission between prescribers and pharmacists when mobile devices are employed, especially when sensitive behavioral health data, such as prescriptions for mental health pharmaceuticals, are being exchanged.


In addition to a knowledge of HIPAA rules, an understanding of state and federal laws concerning patient information about behavioral health and substance abuse can help pharmacists ensure privacy, help patients avoid the stigma associated with these conditions, and provide better coordination of care.


1. National Alliance on Mental Illness. What is mental illness: mental illness facts. Accessed November 7, 2012.
2. Figge H. HIPAA: privacy, security, and pharmacy information technology. US Pharm. 2011; 36(11):78-81.
3. U.S. Department of Health and Human Services. Legal Action Center for the Substance Abuse and Mental Health Services Administration. Frequently asked questions. Applying the substance abuse confidentiality regulations to health information exchange (HIE).1-17. Accessed November 17, 2012.
4. U.S. Department of Health and Human Services.   Substance Abuse and Mental Health Services Administration. The confidentiality of alcohol and drug abuse patient records regulation and the HIPAA privacy rule: implications for alcohol and substance abuse programs. June 2004. Accessed November 17, 2012.
5. RTI International; Agency for Healthcare Research and Quality; Office of the National Coordinator for Health IT; Health Policy Institute & O’Neill Institute for National and Global Health Law, Georgetown University. Privacy and security solutions for interoperable health information exchange. Report on state law requirements for patient permission to disclose health information. August, 2009. Accessed November 17, 2012.
6. McGraw D, Pfister HR, Ingargiola SR, Belfort RD. Lessons from Project HealthDesign. Health Inf Manage. 2012; 26(3):24-29.

To comment on this article, contact