Current State of Confidentiality Law
One expert has described the current law governing the confidentiality of health care information as a crazy quilt of Federal and state constitutional, statutory, regulatory and case law that erodes personal privacy and forms a serious barrier to administrative simplification (Waller, 1995, p. 44). This aptly describes the current legal framework for the confidentiality of mental health and substance abuse information as well.
There is at present no national standard for the confidentiality of health care information in general or mental health information in particular. Rather, each state has laws that establish confidentiality rules and exceptions. In response to a serious public policy concern that the criminal justice ramifications of use of illegal substances would significantly deter individuals from seeking substance abuse treatment, a national standard governing the confidentiality of substance abuse treatment information was codified. However, there often are significant differences among states and between the state and Federal requirements, which can create problems for the administrators of health care plans and for those providing treatment for people with co-occurring mental illness and substance abuse disorders.
As noted, nearly all states have discrete statutes addressing the confidentiality of mental health records and information. In a handful of states, a general law applicable to all health care information applies. In some states, the mental health confidentiality statute applies only to information gathered when a state facility provides treatment; in others, it applies to mental health treatment regardless of the auspice of care.
One common criticism of health care information laws generally is that they apply primarily to information gathered in the course of treatment and in the possession of the caregiver. This means that different standards apply to the distribution of information held by others not party to the treatment relationship. This observation fairly characterizes most state mental health laws as well. The focus of the laws tends to be upon the clinical relationship, and often what happens to information once it is disseminated beyond the clinical relationship is unaddressed. Many of the reform proposals advanced in recent years would apply confidentiality rules to other parties that come into possession of protected information, although the proposals vary regarding application of a national standard to employers, schools, correctional facilities, and other settings in which a significant volume of health care is provided. In addition, the proposals vary regarding the question of whether the individual has a legal right to consent to disclosures beyond the clinical relationship: How this question is resolved will determine in large measure whether individuals in the role of patient believe that confidentiality protections are strong enough to warrant seeking treatment.
While the various reform proposals differ in detail, few dispute the need to extend the obligation to protect confidentiality to other parties. In the early 1980s, one expert found that between 25 and 100 people had access to an individual inpatient record (Siegler, 1982), a number that has grown in recent years. In addition, as health care delivery and payment have become increasingly complex and as provider networks rather than individual practitioners increasingly provide care, the number of people who may come into possession of health care information continues to expand. One observer describes three zones of users of personal health care information. Zone one users are involved in direct patient care, while zone two users are involved in support and administrative activities like payment and quality of care reviews. Zone three users include public health agencies, social welfare agencies, researchers, and direct marketing firms (Westin, 1993). Some of these parties traditionally have had ready access to health care information; others, for example, utilization review managers and direct marketing firms, are comparatively new to health care. Whether a party that has access to information should have access to that information is a separate question that lies at the heart of much of the debate about confidentiality.
Each state law creates exceptions to confidentiality. While state laws vary regarding the number and type of exceptions permitted, the most common exceptions to confidentiality are discussed briefly below. As a prefatory note, many experts assume that client consent presumptively should be required prior to most if not all disclosures, and that any waiver of confidentiality by the client must be truly informed (Campbell, 2000). However, as the discussion below suggests, many state laws permit a variety of disclosures without client consent, raising questions regarding the adequacy of these laws in protecting client confidentiality in the current environment.
Consent by the Person in Treatment
Although each state provides for waiver of confidentiality by the person in treatment, few states spell out in statute the elements of a valid consent. This is in contrast to the Federal laws on substance and alcohol treatment information, discussed below, which provide explicit details regarding the content of a valid consent.
In addition, the various reform proposals that have been introduced in Congress and elsewhere each contain criteria for consent. These typically include requirements that consent be in writing, name the individual or entity to which disclosure of information is to be made, identify the purpose or need for disclosure and the type of information to be disclosed, and state the period for which the consent is effective. However, it should be noted that the proposals differ on the question of the degree to which a persons consent to disclosure would be truly voluntary. Many of the proposals suggest that a persons treatment, or reimbursement for treatment, may depend on whether the person consents to have his or her records disclosed. This may raise questions about how voluntary such consent is, in fact, given that access to the services sought may be contingent upon agreeing to the release of information divulged during treatment.
Disclosure to the Client
Disclosure to Other Providers
Some proposals before Congress would permit disclosure of information to other care providers without requiring consent. Others would require consent prior to any disclosure. At least one presumptively would permit disclosure, but give the individual the opportunity to opt out of a particular disclosure. As noted earlier, conditioning access to treatment (or to reimbursement) on a waiver of confidentiality calls into question the voluntariness of the waiver.
Disclosure to Payers
As noted, the proposals that have been made to date to create a national standard for the confidentiality of health care information differ in how they treat disclosures to other providers and payers. Some proposals would require patient consent prior to any disclosure. Others would presume consent. Still others would permit the individual to opt out of specific disclosures. The last would require that individuals be given the names of providers and payers that might be provided access to information; the individual could then decline permission to provide information to specific payers or providers.
The question of how much information should be made available to third-party reviewers is a contentious one. As the research described earlier suggests, the willingness to self-disclose, or to participate in treatment, appears to be contingent at least in part on the strength of confidentiality provisions. As the amount and sensitivity of information made available to third- party reviewers increases, a corresponding decrease on the part of some individuals to seek treatment is likely.
Disclosure of Information to Families
Some states provide that parents acting in the role of caregiver may be given information, usually limited to diagnosis, prognosis, and information regarding treatment, specifically medications. Of those states with these or similar provisions, some permit the disclosure of this information without the consent of the individual, while others require consent, with some providing for administrative review if consent is not given. All of the reform proposals that have been introduced before Congress provide for the disclosure of limited information regarding an individuals current health status to family or next of kin. Consent generally is not required, although most provide the patient with the opportunity to request that information not be provided in such circumstances. It should be noted that in the context of mental health treatment, there is disagreement regarding this issue, particularly on the issue of prior consent. Family advocates often take the position that a family in a caregiving role should have access to some types of information whether or not the individual specifically has consented to the disclosure, because it is necessary to play a caregiving role (Lefly, 2000). Advocates for consumer-recipients often argue that consent should be required, because the right to confidentiality belongs to the recipient of services, and because there may be intrafamily conflicts that could be exacerbated by the release of information to family members.
Oversight and Public Health Reporting
Disclosure to Law Enforcement Agencies
This is a controversial issue. Some professional and advocacy groups believe that broad access by law enforcement officials will lead to unwarranted invasions of privacy and encourage fishing expeditions in which material revealed during treatment becomes the basis of criminal prosecution. On the other hand, some have argued that broad access is necessary, particularly to investigate health care fraud in which the conduct of the provider rather than the client is at issue. The current Federal substance abuse laws provide for a stricter standard for access to information by law enforcement officials than is provided for in many of the proposals before Congress. This strict standard is based on the assumption that broader access would have a negative effect on the willingness of people to seek substance abuse treatment, if seeking treatment might lead to criminal prosecution. While these provisions seem to have met their intended goal of encouraging individuals to seek treatment, there is no evidence that stricter Federal standards for access to substance abuse information have impeded law enforcement efforts.
Disclosure to Protect Third Parties
The majority of states that have done so through statute provide that a mental health professional who concludes that his or her client represents an imminent danger to an identified third party may take steps, including notifying the individual or law enforcement officials, to protect the third party without becoming liable for a breach of confidentiality. These states also typically provide that the clinician will not be liable if he or she decides not to actrather, the statutes give the clinician discretion in deciding how to proceed.
In addition, all states permit or mandate disclosure in other situations where a third party might be at risk for harm. Child abuse and elder abuse reporting laws are examples. Most of the proposals to create a national standard permit disclosures necessary to protect an identifiable third party when the caregiver concludes that there is a risk of serious injury or death, or when disclosure is necessary to protect the patient from serious harm.
An individual who seeks treatment for mental illness runs the risk of discrimination and invasion of privacy if information disclosed during treatment becomes known to third parties. An individual who seeks treatment for a substance use problem may reveal information that if disclosed could become the basis for criminal prosecution. The prospect of prosecution as a price of entering treatment quite clearly may create disincentives to seek treatment.
In an effort to create incentives for people with substance use and alcohol problems to seek treatment, Congress enacted perhaps the strictest confidentiality law extant. As a result, Federal law governs the confidentiality of information, obtained by federally assisted, specialized substance abuse treatment pro- grams, which would identify a patient as receiving treatment services (42 U.S.C. 290dd-2; 42 C.F.R. 2.1, et seq.).
Disclosure of patient identifying information by federally assisted programs is permitted only in explicitly delineated circumstances. The person receiving services can waive confidentiality, but consent must be written; name the client, the program making the disclosure, and the intended recipient of the information; state the purpose of the disclosure and the information to be disclosed; be signed by the client or representative of the patient where appropriate; and state the duration of the consent and conditions under which it expires. In the absence of consent, disclosures may be made only in the circumstances permitted by the regulations. For example, information may be exchanged within the program providing services, but only to the extent necessary to provide services. In other words, information is to be exchanged even within the treatment program on a need to know basis. Disclosures may be made without consent to other service providers if providers have entered into a qualified service agreement with the treating program. This is to permit the treating program to obtain collateral services, for example, blood work, that are not performed by the program itself. Disclosures to other providers not part of a qualified service agreement can only occur with consent.
Disclosure also is permitted to law enforcement officials when there was a crime committed on the premises or against the personnel of the treatment program. Even in this case, information provided is to be limited initially to the name, address, and last known whereabouts of the individual who committed or threatened to commit a crime. Other circumstances in which disclosures are permitted without consent include medical emergencies as defined in the regulations; child abuse reports; court orders, when the court has followed procedures established in the regulations; and in criminal investigations of extremely serious crimes as defined in the regulations (Center for Substance Abuse Treatment, 1994). The statute and regulations do not address, and therefore do not permit, disclosures to families of clients or to payers without consent of the client.
The Federal law is generally much more detailed than any state mental health law in delineating the conditions that must be met before disclosures can occur. In addition, as this brief summary suggests, state mental health laws and the Federal alcohol and substance abuse laws differ substantively in many respects. This may create difficulties for providers caring for people with co-occurring mental illness and substance use disorders, because the provider may be operating under two quite different legal standards in considering requests for information regarding the same individual. This issue is discussed in more detail below.
Other Federal statutes have limited applicability to the confidentiality of health care information. The Privacy Act of 1974 prohibits disclosure of an individuals record without prior written consent and provides access to review, copy, and correct records. However, the Act applies only to federally operated hospitals and to research or health care institutions operated pursuant to Federal contracts, so it does not cover the vast majority of organizations and entities collecting health care information (Gostin, 1995). In addition, disclosure of personally identifiable information is permitted if necessary for the routine use of the receiving facility, a very broad exception.
Finally, the Americans With Disabilities Act (ADA) of 1990 requires employers to maintain medical information in separate files and on discrete forms. As the ADA is enforced, it may lead to increased protection of the privacy of medical records at the workplace. In relevant part, however, the ADA applies only to people with a disability as defined by the statute, and to actions taken by employers based on an individuals disability. Therefore, the ADA provides only limited confidential- ity protection; it does not create a general right to medical privacy within the workplace.
There is general consensus that the current legal framework for protecting the confidentiality of health care information is inadequate. There are significant differences among the states in addressing confidentiality issues. While a state-by-state approach may have been good policy before recent trends in the organization and financing of health care, the increasing dominance of the health care industry by providers and payers doing business on a national scale has caused many to advocate for a national confidentiality standard.
This lack of uniformity may be exacerbated in the context of mental health care. There are differences in standards not only among the states, but between the states and the Federal government. Separate state standards for mental health information and Federal standards for alcohol and substance use information may be problematic in an era in which it has become evident that many people with mental illnesses also have substance abuse or alcohol problems. In addition, there are often within the same state a number of statutory provisions that address the confidentiality of mental health information. These may include the state mental health law (which may apply to all mental health information or only information held by state-operated providers), judicial privilege statutes, laws applicable to licensed professionals, and various state oversight laws. This may make it difficult even within a particular state to articulate the state law on the confidentiality of mental health information.
Many state mental health laws also lack provisions that most reform proposals contain. For example, many states do not articulate standards for client consent to disclosure. In contrast, most reform proposals require that consent be in writing, be of definite rather than indefinite duration, and specify recipients of information rather than provide open-ended consent to disclose. Many state laws providing for disclosure of mental health information to payers without client consent were written before the increased demands for information common today. Access by other providers is variable as well. Many states provide for comparatively mild penalties for the breach of confidentiality. In contrast, most reform proposals would considerably strengthen penalties for violating confidentiality protections.
As the debate regarding a national standard proceeds, there are two additional issues of consequence for those considering the confidentiality of mental health information. The first is the question of preemption. Most reform proposals considered by Congress in recent years would establish a national standard that would become the minimum standard for health care information. The standard would preempt (or supercede) any state laws that provided less protection than that in the national standard. The Secretary of the Department of Health and Human Services recommended such an approach in a recent report to Congress entitled, Confidentiality of Individually Identifiable Health Information. Should a national standard be enacted, determining whether a states mental health law provides more or less protection than a national standard may be difficult in at least some cases. For example, in one state, the law permits disclosures without consent to some but not all types of providers. One of the proposals to establish a national standard would permit disclosures to be made to other providers without the consent of the individual, but would give the individual the opportunity to opt out of disclosures to specified providers. In this example, it is difficult to determine whether the state law in question is more or less protective than the proposed national standard. On the one hand, the state law in this example is more restrictive than the reform proposal because it limits the types of providers that can receive information without consent. On the other hand, it is weaker than the reform proposal because it does not provide the individual with an opportunity to decline permission to disclose to those providers. The problem is not insurmountable: in this example, one solution might be to apply the opt-out provision of the national standard to that part of the state law that permits some types of disclosures without consent. At the same time, the current condition of many state mental health laws may make application of the preemption principle difficult.
A second important question is whether there should continue to be separate legal standards for mental health confidentiality and for substance use and alcohol use confidentiality. The reform proposals advanced to date generally would leave the Federal substance use law intact. This would have the practical effect of locking in the disparate standards that currently exist for mental health information (governed by state laws) and substance and alcohol use information (governed by the Federal law). Some experts disagree with the notion of having discrete, disease-based standards, on the ground that there are other diseases that raise legitimate concerns regarding privacy that do not receive special protection (Gostin, 1995). Others would retain the strict protections currently available to substance and alcohol use data, while extending the same protections to mental health information. This report does not endorse either perspective. However, it would be useful to examine more closely whether disparate standards have an effect on clinical practice and on the privacy expectations of individuals in treatment, particularly those with both a mental illness and a substance abuse diagnosis.
There are many reasons why an individual with a mental illness might decide not to seek treatment. For example, some people might forego treatment for financial reasons. Others might decide that the risk of stigma and discrimination that people with mental illness still encounter is too high a price to bear. In the latter situation, being able to provide assurances that the principle of confidentiality receives strong protection may make the difference in the decision to enter and participate fully in treatment.
Confidentiality is a matter of both ethical and legal concern. As noted earlier, each of the health care professions endorses confidentiality as a core matter. However, it is the law that establishes the basic rules that govern confidentiality in practice. The law can expand confidentiality, as the U.S. Supreme Court did when it ruled that a psychotherapeutic privilege would apply in Federal court. The law also can decide that the principle of confidentiality must yield to other values, as the California Supreme Court did when it decided that mental health professionals had an obligation to protect third parties whom the professional reasonably concluded could be endangered by a client in treatment.
It is clear that confidentiality is not absolute. There are other competing values that require its breach in certain circumstances. However, it also seems clear that there are significant gaps in the current legal framework that protects the confidentiality of mental health information. Consideration of an appropriate level of legal protection for mental health information should acknowledge that mental illness continues to be a category of illness that may subject a person receiving a diagnosis to discrimination and other disadvantages.
In the absence of strong confidentiality protections, some individuals with mental illness may decide that the benefit of treatment is outweighed by the risk of public disclosure. This would be harmful not only to the individual, but to a public that has a stake in the mental health of its members. The U.S. Supreme Court summarized this public interest succinctly in the decision quoted at the beginning of this section:
It is to be hoped that this public good, as well as the private good represented by successful treatment for mental illness, governs the continuing debate regarding the protection of confidentiality.