Private Health Information and Prescription Drug Monitoring Programs (PDMPs)

December 10, 2018 Private Health Information and Prescription Drug Monitoring Programs (PDMPs) Prescription drug monitoring programs (PDMPs) maintain statewide electronic databases of prescriptions dispensed for controlled substances (i.e., prescription drugs of abuse that are subject to stricter government regulation). Information collected by PDMPs may be used to support access to and legitimate medical use of controlled substances; to identify or prevent drug abuse and diversion; to facilitate the identification of prescription drug-addicted individuals and enable intervention and treatment; to outline drug use and abuse trends to inform public health initiatives; or to educate individuals about prescription drug use, abuse, and diversion, as well as about PDMPs. For more information about PDMPs, see CRS Report R42593, Prescription Drug Monitoring Programs. while all uses and disclosures of PHI that are not expressly permitted under the rule require an individual’s prior written authorization. Generally, covered entities may share PHI between and among themselves for the purposes of treatment, payment, or health care operations, with few restrictions (and specifically, without the individual’s authorization) (45 C.F.R. §164.506). Health care operations include a number of activities as they relate to covered functions; for example, conducting quality assessment or improvement activities, reviewing the competence of health care professionals, and business planning and development. Express authorization is required for the use and disclosure of psychotherapy notes and for marketing or sale purposes (45 C.F.R. §164.508). PDMPs have elicited numerous concerns about patient privacy, including issues around the scope and breadth of authorized access—and specifically, by law enforcement agencies—as well as the potential for unauthorized access or breaches. While PDMPs are seen as a valuable source of information in the effort to address improper prescribing of controlled substances, concerns exist about the potential deterrent effect on timely access to needed medication due to fear that sensitive health information will be shared with PDMPs, and may be subsequently legally disclosed or illegally accessed through a breach. Certain other uses and disclosures (e.g., sharing PHI with family members and friends) are permitted, but they require the covered entity to give the individual the opportunity to object or agree to the PHI’s use or disclosure [45 C.F.R. §164.510). In two cases, covered entities are required to disclose PHI. They must disclose PHI to the individual who is the subject of the information in certain circumstances and they must disclose PHI to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining compliance with the rule [45 C.F.R. §164.502(a)(2)). PDMPs have varying requirements with respect to the security and authorized use and disclosure of their stored information. These are governed by state law. PDMPs receive protected health information (PHI) from pharmacists and other health care providers (HIPAA [Health Insurance Portability and Accountability Act] Privacy Rule-covered entities) who are subject to the federal HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E). In addition, individually identifiable health information that is generated pursuant to treatment at substance abuse facilities is subject to stricter privacy requirements established by the “Part 2” rule (PHSA Section 543 [42 U.S.C. §290dd-2]; 45 C.F.R. Part 2). Covered Entity Reporting of PHI to PDMPs Under the Rule The Privacy Rule also recognizes that PHI may be useful in other circumstances aside from health care treatment and payment for a given individual. For this reason, the rule lists a number of “national priority purposes” for which covered entities may disclose PHI without an individual’s authorization or opportunity to agree or object (45 C.F.R. §164.512). PDMPs may receive PHI from covered entities under authority of one or more of these exceptions. Relevant exceptions identified in the rule may include disclosures required by law—in this case, state PDMP laws, disclosures to a public health authority for public health activities, or disclosures to health oversight agencies for oversight activities, among others. The HIPAA Privacy Rule and PDMPs The HIPAA Privacy Rule governs covered entities’ (health care plans, providers, and clearinghouses) and their business associates’ use and disclosure of PHI. Protected health information is defined as individually identifiable health information created or received by a covered entity that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (45 C.F.R. §160.103). Generally, the rule requires disclosures of PHI to be limited to only the minimum amount necessary to meet the purpose of the disclosure. With respect to disclosures to public officials to meet the national priority purposes (e.g., for public health activities), the covered entity may assume the requested information is the minimum necessary if the requesting official represents that it is (45 C.F.R. §164.514). The rule describes multiple situations in which covered entities may use or disclose PHI without authorization, https://crsreports.congress.gov Private Health Information and Prescription Drug Monitoring Programs (PDMPs) Some states expressly note that they rely on these exceptions to receive PHI from HIPAA-covered entities to populate the PDMP. Specifically, Virginia’s Department of Health Professions notes that the rule allows for disclosure of PHI by covered entities without authorization for specified public health activities and purposes and to health oversight agencies for oversight activities in law, and that these two exceptions allow for covered entities’ disclosure of PHI to their PDMP. In addition, the Department of Veterans Affairs (VA) published an interim final rule in 2013 implementing provisions of the Consolidated Appropriations Act, 2012 (P.L. 112-74), that together authorized the VA to report protected information to PDMPs. The rule notes that despite these authorizations in law, the authority is subject in addition to the HIPAA Privacy Rule, stating that “VA’s authority to disclose the information to PDMPs under the HIPAA Privacy Rule is contained in 45 C.F.R. 164.512(b), which allows disclosures to an agency or authority responsible for public health matters as part of its official mandate” (78 Federal Register 9589, February 11, 2013). Security, Use, and Disclosure of PHI Held by PDMPs A PDMP is not a HIPAA-covered entity, nor is it a business associate as defined by HIPAA, and therefore the requirements and standards for maintaining the security of the PHI—or for its redisclosure—that apply to HIPAA covered entities do not apply to PDMPs. A business associate under the rule must be providing services to or for a covered entity or an organized health care arrangement in which the covered entity participates, or must be creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity (45 C.F.R. §160.103). HHS’s National Committee on Vital and Health Statistics noted in a February 2018 report on health information privacy that “[w]hile PDMPs are not typically thought of as a big data resource, the databases collectively contain large amounts of personally identifiable health information not regulated by HIPAA because no covered entity maintains the data.” The requirements relating to securing stored information in PDMPs and for its subsequent use and disclosure are addressed in the individual state laws governing PDMPs. 42 C.F.R. Part 2 and PDMPs Stricter federal privacy requirements—commonly known as the “Part 2” rule—apply to individually identifiable patient information received or acquired by federally assisted substance abuse programs. Specifically, the Part 2 rule applies to any information that would identify a patient as having or having had a substance use disorder, and that is obtained or maintained by a federally assisted substance abuse program for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment (42 C.F.R. §2.12(a)). Part 2 applies to any individual or entity (other than a general medical facility) that is federally assisted and provides—and holds itself out as providing—diagnosis, treatment, or referral for treatment of substance use disorders (42 C.F.R. §2.12(b)). Most of the nation’s alcohol and drug treatment programs are covered by the Part 2 rule, comprising more than 12,000 hospitals, outpatient treatment centers, and residential treatment facilities. While Part 2 does not apply to general medical facilities or practices, it does cover specialized substance use disorder treatment units (and staff) within such facilities, and specifically those who hold themselves out as providing, and provide, substance use disorder diagnosis, treatment, or referral for treatment. “Federally assisted programs” include any program that is carried out in whole or in part by the federal government or supported by federal funds. One exception to this is that the Part 2 rule does not apply to information maintained in connection with care provided by the VA; those records are governed by 38 U.S.C. §7332. The Part 2 rule strictly regulates the disclosure and redisclosure of patient identifying information held by Part 2 entities. The Part 2 rule allows Part 2 programs to disclose this information only either (1) with patient consent or (2) pursuant to exceptions in regulation (e.g., for a medical emergency, in connection with a crime on a Part 2 premise, for research). A general authorization for the release of medical information does not satisfy the rule’s requirement for written consent. Further, it strictly prohibits the subsequent redisclosure of information received from a Part 2 program without consent from the patient, and a notification clearly prohibiting this redisclosure by the receiving entity travels with any disclosed Part 2 information. The requirement for patient consent for essentially all disclosures may be a logistical deterrent to the submission of patient identifying information held by Part 2 programs to PDMPs. In addition, since PDMPs are designed to share information with registered and authorized users, the Part 2 rule’s prohibition on redisclosure without patient consent discourages federally assisted substance abuse programs from contributing to PDMPs’ information about controlled substances dispensed for the treatment of opioid addiction (i.e., methadone or buprenorphine) due to concerns that authorized redisclosures of the data could not be prevented. Although submitting Part 2 information to a PDMP, with appropriate written consent and the required accompanying notice prohibiting redisclosure, would not violate the rule, SAMHSA in a 2011 guidance letter discouraged Opioid Treatment Programs (OTPs) from submitting information to PDMPs, stating that it would not be “feasible” to ensure that the information will not be subsequently redisclosed. Stakeholders note that this omission results in providers who access PDMPs not receiving all relevant information about a patient. Given the role OTPs play in dispensing controlled substances, many observers say the lack of this information in PDMPs affects the overall effectiveness of the programs. Privacy advocates note, on the other hand, that this is a necessary step to ensure patient privacy. Amanda K. Sarata, Specialist in Health Policy https://crsreports.congress.gov IF11042 Private Health Information and Prescription Drug Monitoring Programs (PDMPs) Disclaimer This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material. https://crsreports.congress.gov | IF11042 · VERSION 3 · NEW