NEW YORK STATE OFFICE OF MENTAL HEALTH

HIPAA PRIVACY RULE PREEMPTION ANALYSIS

Prepared by the Office of Counsel

John V. Tauriello, Deputy Commissioner and Counsel
JulieAnne Rodak, Associate Counsel


Copyright 2002 New York State Office of Mental Health - All Rights Reserved


STATE OF NEW YORK
OFFICE OF MENTAL HEALTH
COUNSEL

44 Holland Avenue, Albany, New York 12229
(518) 474-1331 • FAX (518) 473-7863 • TDD (518) 473-2714

James L. Stone, MSW, Commissioner
John V. Tauriello, Deputy Commissioner and Counsel

August 28, 2002

Dear Reader:

Thank you for your interest in the New York State Office of Mental Health HIPAA Preemption Analysis. Please be advised that this document is intended for internal use by the Office of Mental Health and its employees, and is not intended to serve as legal advice to anyone outside this Office. While we are hopeful that it will provide you with general guidance, please consult your own attorney for specific legal advice concerning your own HIPAA compliance.

As noted in the Introduction, please do not further distribute this document without our express permission. We welcome your comments and feedback, and thank you again for your interest.

Sincerely,

JulieAnne Rodak
Associate Counsel


NEW YORK STATE OFFICE OF MENTAL HEALTH

Health Care Portability and Accountability Act (HIPAA)

Preemption Analysis

The New York State Office of Mental Health HIPAA Preemption Analysis is designed to examine the interplay between the HIPAA Privacy Regulations (45 CFR Parts 160 and 164) and a variety of New York State statutes, regulations, and other precedent most commonly referred to when using and disclosing mental health treatment information. Readers are cautioned that while comprehensive in scope, the Analysis does not represent a complete overview of all legal precedent that may impact such uses and disclosures, but it does attempt to address those most often utilized. Furthermore, this Analysis is not intended to substitute as legal advice, and readers are urged to consult with their attorneys when developing HIPAA compliance strategies or if considering specific legal questions.

This Analysis reflects New York State and federal laws and regulations as of August 14, 2002, and does reflect amendments adopted by the Department of Health and Human Services and published on that date. However, as both federal and state law are constantly changing, and the body of knowledge and interpretive guidance around these regulations are continually evolving, this Analysis remains subject to modification by the New York State Office of Mental Health.

Every page of this Analysis has been copyrighted by the New York State Office of Mental Health, and may not be transferred, sold, sublicensed, or otherwise distributed to any third party except upon the express authorization of the New York State Office of Mental Health Counsel’s Office.


Background:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal statute that includes provisions which govern the development of uniform health information data standards and privacy standards. This federal statute will “preempt,” or take precedence over, any contrary state law unless the state law is more stringent than federal law or a specific exception applies. Therefore, in order for entities in New York State to be able to comply with the HIPAA privacy law and regulations, it is necessary to first determine how HIPAA affects New York State laws and rules that govern the privacy of health information.

Scope of Analysis:

This analysis compares various sections of New York State law, most significantly the New York State Mental Hygiene Law, that relate to the use or disclosure of health information. It is not, however, intended to be a comprehensive review of all statutes in New York State that govern the use or disclosure of health information. Instead, it reflects the authority most commonly consulted by providers of mental health services. This analysis also does not examine a variety of other sources that may have the “force and effect” of law and which also require a preemption analysis, such as the NYS Constitution, NYS Attorney General Opinions, or case law. It is important to note that the analysis presented here was drafted for internal use by New York State Office of Mental Health employees, and is intended to provide initial guidance to others undertaking an examination of New York State law.

Comments:

The New York State Office of Mental Health encourages individuals and entities that review this document to provide us with your feedback. There may be instances where others have a differing opinion or interpretation with regard to the application of the laws analyzed here and how they may be affected by HIPAA; if so, we are interested in reviewing your analysis. Please submit your comments in writing to: NYS Office of Mental Health Counsel’s Office; ATTN: HIPAA Preemption Analysis; 44 Holland Avenue; Albany, NY 12229.

Disclaimer:

The information provided here is for reference only and does not constitute the rendering of legal, financial, or other professional advice by the New York State Office of Mental Health. Any links or references in these materials are not endorsements by this Office. Users are cautioned to review and update application and implementation of federal and New York State privacy laws when these laws are amended or new law is created.


TABLE OF CONTENTS

I. New York State Law

A. Mental Hygiene Law

§7.09 - Access to Criminal History Information
§7.21 - Directors of Facilities
§7.33 - Board of Visitors
§7.38 - Transitional Care
§9.13 - Voluntary Admission
§9.25 - Voluntary/Informal Admissions; Review of Status
§9.27 - Involuntary Admission on Medical Certification
§9.29 - Involuntary Admission: Notice of Admission to Patients & Others
§9.31 - Involuntary Admission: Patient’s Right to a Hearing
§9.33 - Court Authorization to Retain An Involuntary Patient
§9.37 - Involuntary Admission on Certificate of Director of Community Services
§9.39 - Emergency Admissions for Immediate Observation, Care & Treatment
§9.40 - Emergency Admissions for Immediate Observation, Care & Treatment in CPEPs
§9.41 - Emergency Admissions for Immediate Observation, Care & Treatment: Powers of Peace/Police Officers
§9.45 - Emergency Admissions for Immediate Observation, Care & Treatment: Powers of Directors of Community Services
§9.47 - Duties of Local Officers
§9.48 - Duties of Directors of AOT Programs
§9.51 - Residential Treatment Facilities for Children & Youth
§9.57 - Emergency Admissions for Immediate Observation, Care & Treatment: Powers of Emergency Room Physicians

§9.58 - Transport for Evaluation: Powers of Mobile Crisis Outreach Teams
§9.60 - “Kendra’s Law” - Assisted Outpatient Treatment
§29.29 - Incident Reporting Procedures
§31.06 - Child Abuse Prevention
§33.13 - Clinical Records; Confidentiality
§33.16 - Access to Clinical Records
§33.21 - Consent for Mental Health Treatment Of Minors
§43.05 - Investigations/Patient Resources
§45.09 - Procedures of the Commission on Quality Of Care for the Mentally Disabled
§45.17 - Functions, Powers, & Duties of the Mental Hygiene Medical Review Board
Article 80 - Surrogate Decision-Making & Article 81 - Guardianship

B. Criminal Procedure Law

§330.20 - Procedure/Not Guilty by Reason of Mental Disease/Defect
§730.20 - Fitness to Proceed; generally
§730.40 - Fitness to Proceed; local criminal court Accusatory Instrument
§730.50 - Fitness to Proceed; Indictment
§730.60 - Fitness to Proceed; Procedure following Custody by Commissioner

C. Civil Practice Law and Rules

§2302 - Subpoenas

D. Penal Law

§400 - Firearms

E. Labor Law

§458, 459 - Explosives

II. Federal Law/Regulations

A. Federal Protection & Advocacy for the Mentally Ill Act

42 USCA §10806

B. Confidentiality of Alcohol & Drug Abuse Patient Records - 42 CFR Part 2

§2.4 - Criminal Penalty for Violation
§2.11 - Definitions
§2.12(c)(1) - Applicability/Veterans Administration
§2.12(c)(2) - Applicability/Armed Forces
§2.12(c)(3) - Communication within program
§2.12(c)(4) - QSOA
§2.12(c)(5) - Crime/Program Premises
§2.12(c)(6) - Child Abuse Reports
§2.12(d)(1) - Restrictions on Use
§2.12(d)(2) - Restrictions on Disclosures
§2.12(e)(1) - Explanation of Applicability/Coverage
§2.12(e)(2) - Explanation of Applicability/Federal Assistance to Program Required
§2.12(e)(3) - Explanation of Applicability/Information To which restrictions applicable
§2.12(e)(4) - Explanation of Applicability/Diagnosis
§2.13 (a) - Confidentiality Restrictions/General
§2.13 (b) - Confidentiality Restrictions/Compliance
§2.13 (c) - Confidentiality Restrictions/Acknowledgment
§2.14 - Minor patients
§2.15 - Incompetent/Deceased patients
§2.16 - Security
§2.17 - Undercover Agents/Informants
§2.18 - Identification Cards
§2.19 - Disposition of Records
§2.21 - Relationship to Federal Statutes
§2.22 - Notice
§2.23 - Patient Access
§2.31 - Form of written consent
§2.32 - Prohibition on redisclosure
§2.34 - Disclosures/Multiple enrollment
§2.35 - Disclosures/Criminal Justice
§2.51 - Medical Emergencies
§2.52 - Research
§2.53 - Audit/Evaluation
§2.61 - Legal Effect of Order
§2.62 - Order Not Applicable/Researchers et al.
§2.63 - Confidential Communications
§2.64 - Procedures for Orders/Noncriminal
§2.66 - Procedures for Orders/Prosecuting Program
§2.67 - Orders/Use of Undercover Agents


NYS Statute | HIPAA Regulation (45 CFR Parts 160, 164) | Preemption Analysis

MHL ARTICLE 7 - OFFICE OF MENTAL HEALTH

Access to Criminal History Information:

MHL §7.09(j): The Commissioner of OMH is authorized to have access to criminal history information contained in the central data facility established by DCJS; summary reports can be included in patient records for purposes of making decisions regarding care and treatment, health and safety, privileges and discharge planning for patients admitted to/retained in hospitals operated by OMH.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No preemption: Assuming DCJS is not a covered entity under HIPAA, there are no HIPAA restrictions on its disclosures to OMH. OMH is authorized to receive criminal justice information by State law.

Directors of Facilities: Subpoena Authority:

MHL §7.21 (c): In any investigation into treatment and care of patients or the conduct, performance, or neglect of duty of officers or employees, the director of a department hospital shall be authorized to subpoena witnesses, compel their attendance, administer oaths to witnesses, examine witnesses under oath, and require the production of any books or papers deemed relevant to the inquiry or investigation. A subpoena issued under this section shall be regulated by the civil practice law and rules.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(d): A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order.

No Preemption. Disclosures to facility directors under these circumstances can be made consistent with the “health oversight agency” and “in the course of administrative proceedings” exceptions to the HIPAA regulations. As such, the State law is not contrary to the Federal regulations and State law applies.


Board of Visitors:

MHL §7.33 (h): Any member of the Board of Visitors of an OMH facility may visit and inspect such facility at any time ....the board shall have the power to investigate all charges against the director and all cases of alleged patient abuse or mistreatment.....in conducting such an investigation, the board shall have the power, in accordance with the civil practice law and rules, to subpoena witnesses, compel their testimony,....and require the production of any books or records deemed relevant to the investigation.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d): A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

No Preemption. Disclosures to the Board of Visitors can be made consistent with the “health oversight agency” and “required by law” exceptions to the HIPAA regulations. As such, the State law is not contrary to the Federal regulations and State law applies.

Transitional Care: MHL §7.38 (c),(f)

(c) The Office shall enter into a memorandum of understanding with the department of social services to facilitate access by the office to child care facilities providing transitional care to young adults as may be necessary by the office to meet its responsibilities for monitoring the care of young adults.

(f) In any case where an individual receiving transitional funding is about to be transferred from one facility to another, a transfer plan shall be prepared by the sending facility and forwarded to the receiving facility and the individual, and unless the individual objects, parents, guardians or other persons interested in the care of such person prior to the transfer. The transfer plan shall include any information necessary to facilitate a safe transfer, such as specific problems, a schedule for administering medications and behavior unique to the individual.

re: (c): §164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

re: (f): §164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.510(b)(1): A covered entity may disclose to a family member, other relative, close personal friend of the individual or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care, if the individual is given the opportunity to agree, prohibit, or restrict the disclosure.

re: (c): No Preemption. Access to PHI by OMH can be obtained consistent with the “health oversight agency” exception to the HIPAA regulations. As such, the State law is not contrary to the Federal regulations and State law applies.

re: (f): No Preemption: The state law requirement mandating that a transfer plan be submitted from a sending facility to both a receiving facility and the individual is permitted via the “required by law” exception in HIPAA and hence this part of the State law is not preempted. Furthermore, adoption of the proposed amendments to HIPAA, which eliminated the requirement for obtaining patient consent to use/disclose PHI for treatment purposes, render this provision consistent with HIPAA.

With regard to notifications of parents, guardians, and other interested persons, the State law provision which affords an opportunity for the patient to object to such notifications is consistent with HIPAA. As such, State law applies.

MHL ARTICLE 9 - HOSPITALIZATION OF MENTALLY ILL


Voluntary Admissions:

MHL §9.13(b): ...if there are reasonable grounds for belief that the patient may be in need of involuntary care and treatment, the director may retain the patient for a period not to exceed 72 hours... Before the expiration of such 72 hour period, the director shall either release the patient or apply to the supreme court or the county court in the county where the hospital is located for an order authorizing the involuntary retention of such patient.

§164.506(a)(3)(i)(B): If the covered health care provider is required by law to treat the individual, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

No preemption: If a person meets the statutory criteria for involuntary treatment, a court will issue an order requiring that such treatment be provided (i.e., the treatment is “required by law.”) Inasmuch as the disclosures necessary to initiate an action to obtain such order must be made, the “treatment required by law” exception can reasonably be deemed to extend back to the information that forms the foundation of the order.

Note: Under State law, there is no requirement that an attempt be made to obtain patient consent, which would have required a change in current practice; however 8/02 adoption of amendments removing the requirement to obtain patient consent to use/disclose PHI for treatment, payment, or health care operations purposes removes this as a concern.

Voluntary/Informal Admissions; Review of Status:

MHL §9.25: ...The director shall review the suitability of such patient to remain in such status, and the mental hygiene legal service shall review the willingness of such patient to remain in such status. Notice of the determination of the patient’s suitability made by the director shall be given to the mental hygiene legal service.....

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.


Involuntary Admission on MedicalCertification:

MHL §9.27(f): Following admission to ahospital, no patient may be sent to anotherhospital by any form of involuntary admissionunless the mental hygiene legal service hasbeen given notice thereof.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.

Involuntary Admission on Medical Certification: Notice of Admission to Patients and Others

MHL §9.29: (a) The director shall cause written notice of a person’s involuntary admission on an application supported by medical certification to be given forthwith to the Mental Hygiene Legal Services.

(b) The director shall cause written notice of the admission of such person....after such admission to the following:

1. The nearest relative of the person alleged to be mentally ill other than the applicant, if there be any such person known to the director;

2. As many as 3 additional persons, if designated in writing to receive such notice by the person admitted.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.510(b)(1): A covered entity may disclose to a family member, other relative, close personal friend of the individual or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care, if the individual is given the opportunity to agree, prohibit, or restrict the disclosure.

No preemption: State law applies; the use/disclosure of PHI to the MHLS and the nearest relative of the patient is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law. Further, the ability afforded a patient by State law to designate other persons to receive notice of the patient’s hospitalization is consistent with HIPAA provisions that permit such notifications, provided patients have agreed to them.

Involuntary Admission on Medical Certification: Patient’s Right to a Hearing

MHL §9.31(a),(b),(f)

(a) If....a patient or any relative or friend on behalf of a patient or the Mental Hygiene Legal Services gives notice of a request for a hearing, a hearing shall be held...

(b): It shall be the duty of the director upon receiving notice of such request for hearing to forward forthwith a copy of such notice with a record of the patient to the supreme court or the county court....A copy of such notice shall also be given to the Mental Hygiene Legal Service.

(f) The papers in any proceeding under this article which are filed with the county clerk shall be sealed and shall be exhibited only to the parties to the proceeding or someone properly interested, upon order of the court.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.

With regard to MHL §9.31(f), there is no corresponding provision in HIPAA; hence State law provides more protection to PHI in this instance and prevails.

Court Authorization to Retain an Involuntary Patient

MHL §9.33(a),(d):

(a): If the director determines that a patient admitted upon an application supported by medical certification, for whom there is no court order authorizing retention for a specific period, is in need of retention and if such patient does not agree to remain in the hospital as a voluntary patient, the director shall apply to the supreme court or the county court...for an order authorizing continued retention....The director shall cause written notice of the application to be given to the patient and a copy thereof...to the persons required by this article to be served with notice of such patient’s initial application and to the mental hygiene legal service.

(d): If the director shall determine that the condition of such patient requires his further retention in a hospital, he shall, if such patient does not agree to remain in such hospital as a voluntary patient, apply during the period of retention authorized by the last order of the court to the supreme court or the county court...for an order authorizing continued retention of such patient...

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.

Involuntary admission on Certificate of Director of Community Services or his designee

MHL §9.37(a),(d):

(a): [Effective until 7/01/04]: The director of a hospital, upon application by a director of community services or an examining physician duly designated by him or her, may receive and care for in such hospital as a patient any person who, in the opinion of the director of community services or the director’s designee, has a mental illness for which immediate inpatient care and treatment in a hospital is appropriate....

(a): [Effective 7/01/04]: The director of a hospital, upon application by a director of community services or an examining physician duly designated by him may receive and care for in such hospital as a patient any person who, in the opinion of the director of community services or the director’s designee, has a mental illness for which immediate inpatient care and treatment in a hospital is appropriate and which is likely to result in serious harm to himself or others...

(d) After signing the application, the director of community services or the director’s designee shall be authorized and empowered to take into custody, detain, transport, and provide temporary care to any such person. Upon the written request of such director or the director’s designee, it shall be the duty of peace officers, when acting pursuant to their special duties, or police officers who are members of the state police or of an authorized police department or force or of a sheriff’s department to take into custody and transport any such person as requested and directed by such director or his designee. Upon the written request of such director or designee, an ambulance service,....is authorized to transport any such person.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.

Under HIPAA, such consent is also not required via the “required to treat,” emergency, or “substantial barriers to communicate” exceptions, although an attempt must be made to obtain patient consent. This would have required a change in current practice; however, the 8/02 adoption of amendments removing the requirement to obtain patient consent to use/disclose PHI for treatment, payment, or health care operations purposes removes this as a concern.

Emergency admissions for immediate observation, care, and treatment: MHL §9.39

(a) The director of any hospital maintaining adequate staff and facilities for the observation, examination, care, and treatment of persons alleged to be mentally ill and approved by the commissioner to receive and retain patients....may receive and retain therein as a patient for a period of 15 days any person alleged to have a mental illness for which immediate observation, care, and treatment in a hospital is appropriate and which is likely to result in serious harm to himself or others... Such person shall be served, at the time of admission, with written notice of his status and rights as a patient under this section. Such notice shall contain the patient’s name. At the same time, such notice shall also be given to the mental hygiene legal service and personally or by mail to such person or persons, not to exceed three in number, as may be designated in writing to receive such notice by the person alleged to be mentally ill. If at any time after admission, the patient, any relative, friend, or the mental hygiene legal service gives notice to the director in writing of request for court hearing on the question of need for immediate observation, care and treatment, a hearing shall be held as herein.....It shall be the duty of the director upon receiving notice of such request for hearing to forward forthwith a copy of such notice with a record of the patient to the supreme court or county court...A copy of such notice and record shall also be given to the mental hygiene legal services.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI & that is enforceable in a court of law...includes, but is not limited to, court orders/court ordered warrants, subpoenas/summons issued by a court, grand jury, ..inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; ... and statutes or regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations w/out patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with/is limited to the relevant requirements of such law.

§164.510(b)(1): A covered entity may disclose to a family member, other relative, close personal friend of the individual or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care, if the individual is given the opportunity to agree/prohibit, restrict the disclosure.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.

Note: Under State law, there is no requirement that patient consent be obtained to use/disclose patient information in order to treat the patient. Under HIPAA, such consent is also not required via the “required to treat,” emergency, or “substantial barriers to communicate” exceptions, although an attempt must be made to obtain patient consent. This would have required a change in current practice; however, the 8/02 amendments removing the requirement to obtain patient consent to use/disclose PHI for treatment, payment, or health care operations purposes remove this as a concern.

Emergency admissions for immediate observation, care, and treatment in comprehensive psychiatric emergency programs

MHL §9.40 [Effective 7/1/04]

(a) The director of any comprehensive emergency program may receive and retain patients....may receive and retain therein as a patient for a period not to exceed 72 hours any person alleged to have a mental illness for which immediate observation, care, and treatment in a hospital is appropriate and which is likely to result in serious harm to himself or others...

(b) The director shall cause examination of such persons to be initiated by a staff physician of the program as soon as practicable.....

(c) ....At the time of admission to an extended observation bed, such person shall be served with written notice of his status and rights as a patient under this section. Such notice shall contain the patient’s name. The notice shall be provided to the same persons and in the manner as if provided pursuant to subdivision (a) of section 9.39 of this article.

(e) If at any time....it is determined that such person continues to require immediate observation, care and treatment in accordance with this section...such person shall be removed within a reasonable period of time to an appropriate hospital authorized to receive and retain patients pursuant to section 9.39 of this article and such person shall be evaluated for admission and, if appropriate, shall be admitted to such hospital in accordance with section 9.39 of this article.....

(f) Nothing in this section shall preclude the involuntary admission of a person to an appropriate hospital pursuant to the provisions of this article......efforts shall be made to assure that any arrangements for such involuntary admission shall be made within a reasonable period of time.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.510(b)(1): A covered entity may disclose to a family member, other relative, close personal friend of the individual or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care, if the individual is given the opportunity to agree, prohibit, or restrict the disclosure.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law.

Note: Under State law, there is no requirement that patient consent be obtained to use/disclose patient information in order to treat the patient. Under HIPAA, such consent is also not required via the “required to treat,” emergency, or “substantial barriers to communicate” exceptions, although an attempt must be made to obtain patient consent. This would have required a change in current practice; however, the 8/02 amendments removing the requirement to obtain patient consent to use/disclose PHI for treatment, payment, or health care operations purposes remove this as a concern.

Emergency admissions for immediate observation, care, and treatment; powers of certain peace officers and police officers

MHL §9.41 [Effective until 7/1/04]

Any peace officer, when acting pursuant to his or her special duties, or police officer who is a member of the state police......Such officer may direct the removal of such person....or...temporarily detain any such person in another safe and comfortable place....in which event, such officer shall immediately notify the director of community services or, if there be none, the health officer of the city or county of such action.

MHL §9.41 [Effective 7/1/04]

Any peace officer, when acting pursuant to his or her special duties, or police officer who is a member of the state police......Such officer may direct the removal of such person....or...temporarily detain any such person in another safe and comfortable place....in which event, such officer shall immediately notify the director of community services or, if there be none, the health officer of the city or county of such action.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

No preemption: Peace/police officers are not covered entities under HIPAA; hence it does not apply. State law applies.

Emergency admissions for immediate observation, care, and treatment; powers of directors of community services

MHL §9.45 [Effective until 7/1/04]

The director of community services or the director’s designee shall have the power to direct the removal of any person, within his jurisdiction, to a hospital......if the parent, adult, sibling, spouse, or child of the person, a committee of the person, a licensed psychologist......currently responsible for providing treatment services...reports to him that such person has a mental illness for which immediate care and treatment in a hospital is appropriate and which is likely to result in serious harm to him/herself or others. It shall be the duty of peace officers....or police officers....to take into custody and transport any such person. Upon the request of a director of community services...an ambulance service...is authorized to transport any such person. Such person may then be retained in a hospital pursuant...to section 9.39 or 9.40 of this article.

MHL §9.45 [Effective 7/1/04]

The director of community services or the director’s designee shall have the power to direct the removal of any person, within his jurisdiction, to a hospital......if the parent, adult, sibling, spouse, or child of the person, a committee of the person, a licensed psychologist......currently responsible for providing treatment services...reports to him that such person has a mental illness for which immediate care and treatment in a hospital is appropriate and which is likely to result in serious harm to him/herself or others..... It shall be the duty of peace officers....or police officers....to take into custody and transport any such person. Upon the request of a director of community services...an ambulance service...is authorized to transport any such person. Such person may then be retained in a hospital pursuant...to section 9.39 of this article.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(d)(3): PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions. (p. 82814:2)

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

No preemption: State law applies; the use/disclosure of PHI by the director of community services is required by law and is otherwise authorized pursuant to the DCS’ health oversight authority. Disclosures/use made by peace and police officers are not governed by HIPAA, since these are not covered entities. Finally, disclosures by health professionals pursuant to this section of law are authorized to lessen or prevent a serious threat to the health/safety of the person with mental illness, due to the “likelihood of serious harm to him/herself or others” criterion within the State statute. Hence, State law applies.

Duties of local officers in regard to theirmentally ill §164.501: Health oversight agency means an agency or authority of the United


MHL §9.47 [Effective until 6/30/05]: (a) All directors of community services, health officers, and social services officials, as defined by the social services law, are charged with the duty of seeing that all mentally ill persons within their respective communities who are in need of care and treatment at a hospital are admitted to a hospital pursuant to the provisions of this article. Social services officials and health officers shall notify the director of community services of any such person coming to their attention. Pending the determination of the condition of an alleged mentally ill person, it shall be the duty of the director of community services and, if there be no such director, of the local health officer to provide for the proper care of such person in a suitable facility.

(b) [Effective until 6/30/05]: All directors of community services shall be responsible for the filing of petitions for assisted outpatient treatment (AOT) .....and for coordinating the delivery of court ordered services with program coordinators....In discharge of the duties imposed by...section 9.60 of this article, directors of community services may provide services directly, or may coordinate services with the offices of the department or may contract with any public or private provider to provide services for such programs as may be necessary to carry out the duties imposed pursuant to this subdivision.

States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(d)(3) PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions. (p. 82814:2)

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

No preemption: Disclosures to the director of community services are permitted by HIPAA without patient consent due to the establishment in this statute of the directors of community services, health officers, and social services officials, as health oversight agencies. Furthermore, some of the express oversight activities authorized by law are set forth in this statute, including the filing of AOT petitions and coordination of the delivery of court ordered care by the director of community services. Uses/disclosures for treatment purposes are permitted since the treatment is required by law, and also because recent amendments to the HIPAA regulations permit uses/disclosures of PHI for treatment purposes without patient consent.

Note 1: Under State law, there is no requirement that patient consent be obtained to use/disclose patient information in order to treat the patient. Originally, the HIPAA final rules provided that such consent would not be required via the “required to treat,” exception, although an attempt must be made to obtain patient consent, which would have required a change in current practice. The 8/02 amendments removing the requirement to obtain patient consent to use/disclose PHI for treatment, payment, or health care operations purposes remove this as a concern.

Note 2: To the extent that Directors of Community Services coordinate their health oversight services with other Department offices or contract with


public or private providers to provide AOT services to assist in the performance of their statutory duties, Business Associate Agreements may need to be executed.

Duties of directors of assisted outpatient treatment (AOT) programs

MHL §9.48 [Effective until 6/30/05]: (a)(1) Directors of AOT programs ...shall provide a written report to the program coordinators, appointed by the commissioner of mental health pursuant to ...section 7.17 of this chapter.....The report shall...include, but not be limited to...(i) a copy of the court order; (ii) a copy of the written treatment plan; (iii) the identity of the case manager or assertive community treatment team...(iv) the identity of the provider of services; and (v) the date on which services commence(d). (2) The Directors of AOT programs shall ensure the timely delivery of services ...pursuant to court order.

(b) Directors of AOT programs shall submit quarterly reports to the program directors regarding the AOT program...the report shall include...(i) the names of individuals served by the program; (ii) the percentage of petitions for AOT granted by the court; (iii) any change in status of assisted outpatient..(iv) a description of material changes in the treatment plans..(v) any change in case managers; (vi) a description of categories of services ordered by the court; (vii) living arrangements of individuals served by the program...(viii) any other information as required by the Commissioner of OMH; and (ix) any recommendations to improve the program.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law...it includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation ...; and statutes or regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d)(3) PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions. (p. 82814:2)

No preemption: State law applies, as all disclosures without patient consent/authorization are permitted by HIPAA. As a designee of the Commissioner of the Office of Mental Health, reports to directors of AOT programs are permitted consistent with its health oversight function. Other disclosures, to the extent incorporated within the AOT court order, are required by law and are therefore permitted under HIPAA without patient consent/authorization.

All reports required by the Commissioner of OMH are authorized consistent with its health oversight responsibilities. Hence, State law applies.

Residential treatment facilities for children

§164.501: Health oversight agency means an agency or authority of the United

No preemption: State law applies, as all


& youth

MHL §9.51 (also see 14 NYCRR Part 583)

(a) The director of a residential treatment facility for children & youth may receive as a patient a person in need of care and treatment in such a facility who has been certified as needing such care by the pre-admission certification committee serving the facility....

(b) Persons admitted as inpatients to hospitals operated by the OMH upon the application of the director for the Division for Youth pursuant to section 509 of the Executive law or section 353.4 of the Family Court Act ....may, if appropriate..be transferred to a residential facility for children & youth. The director of the division for youth shall be notified of any such transfer....

(c) The commissioner of OMH shall designate pre-admission certification committees...to evaluate each person proposed for admission or transfer to a residential treatment facility for children & youth. ..Each pre-admission certification committee shall designate five persons...who shall serve as an advisory board to the committee. Such board shall have the right to visit residential treatment facilities for children & youth served by the committee and shall have the right to review clinical records obtained by the pre-admission certification committee and shall be bound by the confidentiality requirements of section 33.13 of this chapter.

(d) All applications for admission or transfer.....shall be referred to a pre-admission certification committee for evaluation of the needs of the individual..

(g) Notwithstanding any other provision of law, pre-admission certification committees shall be entitled to review clinical records maintained by any person or entity which pertain to an individual on whose behalf an application is made for admission to a residential treatment facility for children & youth. Any clinical records received by a pre-admission

States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law...it includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation ...; and statutes or regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d)(3) PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions. (p. 82814:2)

disclosures without patient consent/authorization are permitted by HIPAA. The Pre-Admission certification committees are designated under law to implement the health oversight responsibilities of the Commissioner of the Office of Mental Health. Therefore, reports made to them are permitted consistent with their health oversight function. Other disclosures under this statute are required by law and are therefore permitted under HIPAA without patient consent/authorization.

The provisions of State law which give additional confidentiality protections to medical portions of a clinical record are more stringent than HIPAA, and hence, State law prevails. Provisions of State law requiring production of information pursuant to the Family Court Act and/or Social Services Law are permitted under the “required by law” exceptions of HIPAA.

Note: Business Associate Agreements between OMH and the pre-admission certification committees may be required, as they are providing a health oversight service on behalf of OMH and PHI is necessary in order to provide this service.


certification committee and all assessments submitted to the committee shall be kept confidential in accordance with the provisions of section 33.13 of the mental hygiene law, provided, however, that the commissioner may have access to and receive copies of such records for the purpose of evaluating the operation and effectiveness of the committee. Confidentiality of clinical records of treatment of a person in a residential treatment facility for children & youth shall be maintained as required in section 33.13 of this chapter. That portion of the clinical record maintained by a residential treatment facility for children & youth operated by an authorized agency specifically related to medical care and treatment shall not be considered part of the record required to be maintained by such authorized agency pursuant to section 372 of the social services law and shall not be discoverable in a proceeding under section 358-a of the social services law except upon order of the family court; provided, however that all other information required by a social services district or the state department of social services for purposes of sections 358-a, 392, 409-e and 409-f of the social services law shall be furnished on request, and the confidentiality of such information shall be safeguarded as provided in section 460-e of the social services law.

Emergency admissions for immediate observation, care, and treatment; powers of emergency room physicians

MHL §9.57 [Effective until 7/1/04] A physician who has examined a person in an emergency room or provided emergency medical services at a general hospital .... shall

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry

No preemption: State law applies; the use/disclosure by health professionals pursuant to this section of law are authorized to lessen or prevent a serious threat to the health/safety of the person with mental illness, due to the “likelihood of serious harm to him/herself or others” criterion within


be authorized to request that the director of the hospital, or his designee, direct the removal of any person, within his jurisdiction, to a hospital if the physician determines upon examination of such person that such person appears to have a mental illness for which immediate care and treatment in a hospital is appropriate and which is likely to result in serious harm to himself or others, as defined in section 9.39 of this article...... Upon the request of the physician, the director of the hospital or his designee is authorized to direct peace officers, ....or police officers....to take into custody and transport any such person. Upon the request of an emergency room physician or the director of the hospital......an ambulance service...is authorized to transport any such person. Such person may then be retained in a hospital pursuant...to section 9.39 or 9.40 of this article.

MHL §9.57 [Effective 7/1/04] A physician who has examined a person in an emergency room or provided emergency medical services at a general hospital .... shall be authorized to request that the director of the hospital, or his designee, direct the removal of any person, within his jurisdiction, to a hospital if the physician determines upon examination of such person that such person appears to have a mental illness for which immediate care and treatment in a hospital is appropriate and which is likely to result in serious harm to himself or others, as defined in section 9.39 of this article...... Upon the request of the physician, the director of the hospital or his designee is authorized to direct peace officers, ....or police officers....to take into custody and transport any such person. Upon the request of an emergency room physician or the director of the hospital......an ambulance service...is authorized to transport any such person. Such person may then be retained in a hospital pursuant...to section 9.39 of this article.

out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

the State statute. Hence, State law applies.

In some cases, communication with the individual may be substantially impaired, or there may be emergency medical circumstances, which, under the original HIPAA final rules, would permit use/disclosure of PHI for treatment purposes without patient consent/authorization, if an attempt to obtain such consent was made. This would have required a change in current practice. The 8/02 amendments, however, remove the requirement to obtain patient consent to use/disclose PHI for treatment, payment, or health care operations purposes, so this is no longer a concern, and the use/disclosure is permitted without patient consent for treatment purposes.


Transport for evaluation; powers of approved mobile crisis outreach teams

MHL §9.58

(a) A physician or qualified mental health professional who is a member of an approved mobile crisis outreach team shall have the power to remove, or pursuant to subdivision (b) of this section, to direct the removal of any person to a hospital.....pursuant to subdivision (a) of section 9.39 or section 31.27 of this chapter for purpose of evaluation for admission if such person appears to be mentally ill and is conducting him/herself in a manner which is likely to result in serious harm to the person or others.

(b) If the team physician or qualified mental health professional determines that it is necessary to effectuate transport, he or she shall direct peace officers, ....or police officers....to take into custody and transport any such person. Upon the request of such physician or qualified mental health professional......an ambulance service...is authorized to transport any such person. Such person may then be evaluated for admission in accordance with the provisions of section 9.27, 9.39, 9.40, or other sections of this article....

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

No preemption: State law applies; the use/disclosure by health professionals pursuant to this section of law are authorized to lessen or prevent a serious threat to the health/safety of the person with mental illness, due to the “likely to result in serious harm to the person or others” criterion within the State statute. Hence, State law applies.

“Kendra’s Law” - Assisted Outpatient Treatment

MHL §9.60

(a)(1): “assisted outpatient treatment” (AOT) means categories of outpatient services which have been ordered by the court pursuant to this section. Such treatment shall include case management services or assertive community treatment team services to provide care coordination, and may also include any of the following categories of services: medication, periodic blood tests or urinalysis to determine compliance with prescribed medications; individual/group therapy; day/partial day

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the

No preemption: State law applies to all of the uses/disclosures of PHI provided for in this statute:

1. Because the uses/disclosures required to develop a petition for AOT are necessary in order to become the foundation for a court order (or dismissal of the petition), such uses/disclosures without patient consent or authorization are permitted by HIPAA under the “required by law” and “in the course of a judicial proceeding” exceptions to


programming activities; educational/vocational training/activities; chemical dependence treatment/counseling and periodic tests for the presence of alcohol/illegal drugs for persons with a history of chemical dependence; supervision of living arrangements; and any other services within a local/unified services plan developed pursuant to article 41..., prescribed to treat the person’s mental illness and to assist the person in living and functioning in the community, or to attempt to prevent a relapse or deterioration that may reasonably be predicted to result in suicide or the need for hospitalization.

(c) Criteria for AOT. A patient may be ordered to obtain AOT if a court finds that: (1) the patient is 18 years of age or older; (2) the patient is suffering from a mental illness; and (3) the patient is unlikely to survive safely in the community without supervision, based on a clinical determination; and (4) the patient has a history of lack of compliance with treatment for mental illness that has: (i) at least twice within the last 36 months been a significant factor in necessitating hospitalization in a hospital, or receipt of services in a forensic or other mental health unit of a correctional facility....not including any period during which the person was hospitalized or incarcerated immediately preceding the filing of the petition; (5) the patient is, as a result of his/her mental illness, unlikely to voluntarily participate in the recommended treatment pursuant to the treatment plan; and (6) in view of the patient’s treatment history and current behavior, he/she is in need of AOT in order to prevent a relapse or deterioration which would be likely to result in serious harm to the patient or others...and (7) it is likely that the patient will benefit from AOT; and (8) if the patient has executed a health care proxy, the terms of the proxy will be taken into consideration by the court in determining the written treatment plan.

covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order.

§164.512(j): A covered entity may use/disclose PHI (consistent with law & professional conduct) if it believes in good faith that the disclosure is necessary to prevent or lessen a serious & imminent threat to the health or safety of a person (per preamble, consistent with Tarasoff) or the public and is being made to a person or persons reasonably able to prevent or lessen the threat or is necessary for law enforcement authorities to identify/apprehend an individual. If disclosure is to be made to one other than the target, the information cannot have been obtained in the course of treatment to affect the propensity to commit the criminal conduct or through a request by the person to initiate or be referred to treatment.

consent/authorization.

2. Uses/disclosures by physicians in the course of providing required testimony are authorized by “in the course of a judicial proceeding” exception to consent/authorization. The requirements set forth to notify and involve the subject of the petition in the hearing are consistent with the requirements set forth in §164.512(e)(1)(ii) which mandate satisfactory assurances of the individual’s notification of the request for the use/disclosure of his/her PHI in the course of the judicial proceeding.

3. Under the original final HIPAA rule, uses/disclosures back to the court or between and among providers of court ordered services are permitted without patient consent/authorization under the “treatment required by law,” and “use/disclosure of PHI required by law” exceptions to HIPAA; furthermore, the recent amendments to HIPAA eliminate the need to attempt to obtain consent, since patient consent is not required to use/disclose PHI for treatment purposes.

4. Because of the essential criteria required to initiate and sustain an AOT petition, uses/disclosures by health professionals pursuant to this section of law are authorized to lessen or prevent a serious threat to the health/safety of the person with mental illness, due to the “likely to result in serious harm to the person or others” criterion within the State statute. Hence, State law applies.


(e) Petition to the court. (1) A petition for an order authorizing AOT may be filed in the supreme court or county court.....A petition...may only be authorized by the following persons: (i) any person over age 18 with whom the subject of the petition resides; (ii) the parent, spouse, sibling or child of the patient 18 years of age or older; (iii) the director of a hospital in which the subject is hospitalized; (iv) the director of any public or charitable organization, agency, or home providing mental health services to the subject...; (v) a qualified psychiatrist who is either treating the subject; (vi) the director of community services/designee...; (vii) a parole/probation officer assigned to supervise the subject. (2) The petition shall state: (i) each of the criteria for AOT; (ii) facts which support the belief that the criteria have been met; (iii) the subject is reasonably believed to be present in the county where the petition is filed. (3) The petition shall be accompanied by an affidavit/affirmation of a physician that states either the patient has been examined by him/her and AOT is recommended; or the subject refuses to submit to the examination.

(f) Service. The petitioner shall cause written notice of the petition to the subject and also to the mental hygiene legal service, health agent (if known), the appropriate program coordinator and the director of community services...

(h) Hearing. (1)....the court shall hear testimony and, if advisable, examine the subject in or out of court. (2) The court shall not order AOT unless an examining physician testifies in person at the hearing...(4) a physician who testifies....shall state the facts which support the allegation that the person requires AOT. ...

(i) Written treatment plan. (1) The court shall not order AOT unless an examining physician provides to the court a written treatment plan...In developing such plan, the physician shall provide the subject, the treating physician, and an individual designated by the


patient, at the patient’s request, to participate in developing the plan. (2) The court shall not order AOT unless a physician testifies to explain the written treatment plan.
(j) Disposition. (1) ...if the court finds by clear and convincing evidence the subject meets the criteria for AOT.....the court is authorized to order the subject to receive AOT.....the order shall state the categories of AOT and may also order treatment included in the written treatment plan.....(5) If the petitioner is the director of a hospital, the court order shall direct the hospital to provide/arrange for all categories of AOT. For all other persons, the order shall require the director of community services....to provide/arrange for all categories of AOT.
(n) Failure to comply with AOT. Where in the clinical judgment of a physician, the patient has failed to comply with the court ordered AOT.....and in the physician’s clinical judgment the person may be in need of involuntary commitment....such physician may request..... to direct the removal of such person to an appropriate hospital to determine if such person is in need of involuntary commitment......if such person refuses to take medications as required by the court order.... or fails to take court ordered tests....such physician may take such information into consideration when determining if the involuntary commitment examination is necessary. Peace/police officers may be directed to take into custody/transport such person to a hospital for such examination.

MHL SECTION 29.29 INCIDENT REPORTING PROCEDURES

MHL §29.29 The commissioners of OMH and OMRDD shall establish policies and uniform procedures for their offices for the compilation and analysis of incident reports.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary

No Preemption: OMH Policy QA-510 and 14 NYCRR Part 524 are consistent with HIPAA, due in part to the adoption of proposed amendments to HIPAA:
1. The Facility and Central Office are


OMH Official Policy Directive QA-510 D)4)c)iii) External Reporting:
(1) The Executive Director or the administrator on duty is responsible for the timely notification of appropriate persons or organizations of certain incidents in accordance with the provisions of this Policy Directive.
(2) Each facility shall have procedures to assure that appropriate notifications occur. Such procedures must generally identify who, within the facility, bears responsibility for making each type of required notification. Copies of all external reports must be concurrently sent to the Bureau of Quality Management in Central Office. The following notifications are required:
(A) Commission on Quality of Care for the Mentally Disabled (CQC).

1. The CQC and its Mental Hygiene Medical Review Board must be notified of all patient deaths within 3 working days, using form CQC-100. 2. The CQC must be notified in writing of all allegations of patient or child abuse or neglect within 72 hours.
(B) Food and Drug Administration (FDA).

1. An Adverse Drug Reaction should be reported to the Food and Drug Administration (FDA), following FDA specifications and in accordance with FDA requirements, when the patient outcome is death, life-threatening; hospitalization; disability; congenital anomaly; required intervention to prevent permanent impairment; or reaction related to the use of a newly marketed drug as part of post-marketing surveillance. 2. Incidents resulting in serious injury or death through the use of medical devices shall be reported to the FDA in accordance with the Safe Medical Devices Act.

(C) Persons Who May Be Endangered. Any person or persons who are known to be potentially endangered by a patient placed on

to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d): A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

§164.512(g): PHI about decedents can be released to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. PHI may also be released to funeral directors to carry out their duties with respect to a decedent.

§164.512(b): A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to: (ii) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.... (iii) a person subject to the jurisdiction of the FDA (A) to report adverse events....

§164.512(j): A covered entity may use/disclose PHI (consistent with law & professional conduct) if it believes in good faith that the disclosure is necessary to prevent or lessen a serious & imminent threat to the health or safety of a person (per preamble, consistent with Tarasoff) or the public and is being made to a

legally divisions within the same covered entity. As a result of new amendments to the privacy regulations (8/02), HIPAA permits the use of PHI by a covered entity without patient consent for health care operations purposes (e.g., quality assurance activities). As OMH Policy QA-510 and 14 NYCRR Part 524 permit use of PHI for incident management purposes w/out patient consent; and HIPAA no longer requires such consent, there is no preemption: State policy/regulations and HIPAA are consistent.
2. Disclosures by OMH to CQC are permitted under the health oversight agency and required by law exceptions.
3. Disclosures by OMH to MHLS are permitted under the required by law exception to HIPAA.
4. Disclosures by OMH to the FDA are permitted under the required by law exception to HIPAA and the disclosures for public health activities exception.
5. Disclosures by OMH to medical examiners/coroners, provided they are disclosures necessary for such entities to perform their statutory duties, are consistent with HIPAA and are permitted.
6. Disclosures by OMH to law enforcement authorities and endangered persons in the case of patients placed on missing/escape status are permitted under the express exception to HIPAA to lessen a serious and imminent threat to the health and safety of a person.

7. The provisions of OMH policy requiring the reporting of crimes on program premises are consistent with the exception to use/disclosures under


missing patient-escape status must be notified immediately.

(D) Local Law Enforcement Authorities

1. Local law enforcement authorities must be notified in a timely manner of any incident when it appears that a crime may have occurred.

2. Local law enforcement authorities shall also be notified as soon as possible when a patient has been placed on missing patient-escape status.

(E) Medical Examiner/Coroner. When a patient dies while an inpatient of a State-operated facility, the County Medical Examiner or Coroner must be notified immediately in accordance with applicable OMH Policy.

(F) Board of Visitors and the Mental Hygiene Legal Service (MHLS). The Board of Visitors and the Mental Hygiene Legal Service must both be notified within 3 working days of any incident of alleged child or patient abuse or neglect. The Board of Visitors and MHLS must also both be notified of the results of the investigation of such allegations.

(G) New York Statewide Central Register of Child Abuse and Maltreatment (SCR).

1. The New York Statewide Central Register of Child Abuse and Maltreatment (SCR) must be notified immediately, by telephone, of any incident of alleged child abuse or neglect. The Social Services Law mandates the reporting to the SCR of allegations of abuse or neglect as defined in C)3) of this policy directive, as well (abuse/neglect of children, including suspected abuse or neglect of a child by a parent. 2. If a family member/visitor harms a child/adolescent on the property of a State-operated facility or program, such an event would be identified as an incident using applicable incident terminology and would also be

person or persons reasonably able to prevent or lessen the threat or is necessary for law enforcement authorities to identify/apprehend an individual. If disclosure is to be made to one other than the target, the information cannot have been obtained in the course of treatment to affect the propensity to commit the criminal conduct or through a request by the person to initiate or be referred to treatment.

§164.512(f)(5): Crime on program premises. A covered entity may disclose to a law enforcement official PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

§164.510(b)(1): A covered entity may disclose to a family member, other relative, close personal friend of the individual or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s care, if the individual is given the opportunity to agree, prohibit, or restrict the disclosure.

§164.501: Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

§164.506: A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

OCR HIPAA Implementation Guidance: (7/01) “Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient's condition? A: No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another health care provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation.”

But Note: Recent amendments eliminate this requirement:

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(f)(2): ...A covered entity may disclose PHI in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that: (i) the covered entity may disclose only the following information: (A) Name/address; (B) Date/place of birth; (C) SS#; (D) ABO blood type and rh factor; (E) type of

HIPAA for reporting same.
8. Disclosures by OMH to the Board of Visitors are permitted under the required by law and health oversight exceptions to HIPAA.
9. Disclosures to the NYS Central Register of Child Abuse are permitted under the HIPAA exception permitting such reports for public health purposes and as authorized by law.
10. Disclosures to next of kin are authorized, provided the patient has previously been given the opportunity to agree or object to such notifications; OMH policy is generally consistent with this requirement.
11. Disclosures to contact persons are permitted if authorized by the patient.
12. Disclosures to other treatment providers, with a direct treatment relationship with the patient, are permitted without patient consent as a result of the adoption of the 8/02 amendments to HIPAA allowing use/disclosure of PHI for treatment purposes without patient consent.
13. Disclosures to the Department of Labor, Department of Education, Department of Health, and National Practitioner Data Bank are probably permitted under the required by law and/or health oversight agency exceptions to HIPAA; Counsel’s Office will need to advise in individual circumstances. Also note that in some cases, it might be possible to utilize de-identified information to some extent.


reported to the SCR as abuse.

(H) Next of Kin. Unless the patient involved in an incident is an adult who objects to such notification, the patient's next of kin or guardians shall be notified immediately of allegations of abuse or neglect, incidents involving missing patients or incidents involving patient death or injury. In such cases, next of kin or guardians shall also be notified of the outcomes of the investigation and review process for the most serious incidents.

(I) Contact Persons and Other Mental Health Programs. When an inpatient of a State-operated psychiatric facility is considered missing, any contact person identified in the missing person's case record ... shall be notified. In addition, any mental health program, including a case management program, which recently provided services to the person or is likely to encounter the missing person, shall be notified.

(J) New York State Education Department, New York State Health Department, and National Practitioner Data Bank. In cases where possible misconduct of licensed practitioners or physicians is related to an incident, Counsel’s Office must be contacted for advice regarding notification of the NYS Education Department, NYS Department of Health, and the National Practitioner Data Bank, as applicable.

(K) New York State Department of Labor. In cases where an incident results in the fatality or inpatient hospitalization of an employee of OMH, Counsel’s Office and the Bureau of Human Resources must be contacted for advice regarding notification of the New York State Department of Labor, Division of Safety and Health.

Note: These requirements are also included in 14 NYCRR Section 524.7, and are

injury; (F) date/time of treatment; (G) date/time of death, if applicable; and (H) description of distinguishing physical characteristics...

§164.512(f)(3): ...a covered entity may disclose PHI in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, ....if (i) the individual agrees to the disclosure, or (ii) the covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency, provided that (A) the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the individual; (B) the law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (C) the disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of its professional judgment.


referenced, as applicable, in OMH Official Policy Manual ## QA-515, QA-520, QA-530, and PC-450.

MHL SECTION 31.06 CHILD ABUSE PREVENTION

MHL §31.06: All facilities described in subdivision (a) of section 31.02 of this article shall, pursuant to regulations of the Commissioner of OMH: (i) develop, maintain and disseminate written policies and procedures pursuant to title 6 of article 6 of the Social Services Law and applicable provisions of Article 10 of the Family Court Act, regarding the mandatory reporting of child abuse or neglect, reporting procedures and obligations of persons required to report, provisions for taking a child into protective custody, mandatory reporting of all deaths, immunity from liability, penalties for failure to report, and obligations for the provision of services and procedures necessary to safeguard the life or health of the child; and (ii) establish, and implement on an ongoing basis, a training program for all current and new employees regarding the policies and procedures established pursuant to this section.

Also see: OMH Official Policy Manual QA-515

§164.512(b): A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to: (ii) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

No preemption: HIPAA specifically authorizes the reporting of child abuse as required in State law; State and Federal laws are consistent; therefore State law applies.

MHL SECTION 33.13: CLINICAL RECORDS; CONFIDENTIALITY

Definitions

§164.501: Individual means the person who is the subject of protected health

No preemption; State law applies and is


MHL §33.13(a): Patient or client (defined MHL §33.16(5)): means an individual concerning whom a clinical record is maintained or possessed by a facility as defined in §33.16(3).

14 NYCRR §505.4(k): Protected individuals means a person who is the subject of an HIV-related test or who has been diagnosed as having HIV infection, AIDS or HIV-related illness.

information.

not preempted because the Federal law is not contrary to State law; the two laws are similar.

With regard to the regulatory term “protected individuals,” again, State law applies and is not preempted because the Federal law is not contrary to State law; the term “individual” in Federal law includes the term “protected individual” as HIV related information is within the definition of PHI.

Definitions

MHL §33.13(a): Clinical record contains information on all matters relating to the admission, legal status, care, and treatment of the patient or client and shall include all pertinent documents relating to the patient or client.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

No preemption; State law applies and is not preempted because the Federal law is not contrary to State law; the two laws are generally similar, since breadth of State law would encompass the types of information included in the HIPAA definition of “health information.”

Incident Reports:

OMH Guidebook (Appendix J): Clinical records do not include incident reports.

Education Law §6527: Neither the proceedings nor the records relating to performance of a medical or dental malpractice prevention program nor any report required by DOH pursuant to section 2805-l of the PHL, including the investigation of an incident pursuant to section 29.29 of the MHL shall be subject to disclosure under Article 31 of the CPLR except as provided by any other provision of law.

Case Law: (1) Reports contained in psychiatric hospital’s investigation file...including two

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

No preemption; State law applies and is not preempted because the Federal law is not contrary to State law. State case law provides that incident reports do not relate to the health care of a patient, but rather to the methodology and manner in which services were rendered; hence, they are properly excluded from the Federal law definition of “health information,” which does not expressly include this type of information.


incident reports by designated staff persons, and incident or investigation report prepared by state agency, related to investigation of allegations....which were required to be reported to the Department of Health, and thus were incident reports exempt from disclosure in action brought by patient against hospital. Katherine F. ex rel. Perez v. State, 94 N.Y.2d 200, 700 N.Y.S.2d 231, 723 N.E.2d 1016 (1999).

(2) Incident reports made by employees at state mental health facility in connection with treatment of severely retarded patient and of other residents at facility, were part of procedure intended to reduce patient and employee injuries, and thus were obtained or maintained pursuant to review procedure and were privileged from discovery under Education Law in action brought by administrator of estate of patient for injuries sustained by patient while at facility. Finnegan v. State, 179 Misc. 2d 694, 686 N.Y.S. 2d 589 (1999)

(3) Investigation report prepared on behalf of OMH by consultant did not relate to patient’s care and treatment, a requirement in order to consider it part of the clinical record, but rather found that it revealed the methodology and manner in which the patient received treatment. This characterized it as a quality assurance document, rather than part of the clinical record releasable to patient under the Freedom of Information Act. Zabielski v. Stone (2002)

Educational Records:

OMH Guidebook (Appendix J): Clinical records do not include educational records

MHL §33.16(f): Applicability of federal law.

§164.501: Protected Health Information ...excludes individually identifiable health information in: (i) Educational records covered by the Family Education Right and Privacy Act, 20 U.S.C. 1232g....

No preemption: State and Federal laws are consistent.


Whenever federal law or applicable federal regulations restrict, or as a condition for the receipt of federal aid require, that the release of clinical records or information be more restrictive than is provided under this section, the provisions of federal law or federal regulations shall be controlling.

20 U.S.C. §1232g (FERPA): provides parents of students and eligible students with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions.

Statistical Information

MHL §33.13(b): (Effective until June 30, 2005) The Commissioners may require that statistical information about patient or clients be reported to the offices.

(Effective June 30, 2005) The Commissioners may require that statistical information about patient or clients be reported to the offices. Names of patients treated at outpatient or nonresidential facilities, at hospitals licensed by OMH and at general hospitals shall not be required as part of any such reports.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d): A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

No preemption: State law applies; the use/disclosure of PHI is required by law; provided it complies with that law, it is not preempted, though the disclosure must be limited to the relevant requirements of the law. Note that even post June 2005, elimination of patient names does not necessarily make the information de-identified, but nonetheless, the use/disclosure is permitted.

As health oversight agencies, the Commissioners of OMH and OMRDD can request statistical information that is PHI as part of its regulatory and licensing oversight function.


Court Orders

MHL §33.13(c)(1): Clinical records shall be released w/out patient consent pursuant to a court order after a finding that the interests of justice significantly outweigh the need for confidentiality

CPLR §4507: “privilege” or exempt certain patient information held by physicians, RNs, LPNs, registered psychologists, and registered social workers, from testimonial disclosure

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814: 3)

No preemption: State law applies, since it is more strict by requiring a court order after specific findings have been made, or prevents testimony.


Mental Hygiene Legal Services (MHLS)

MHL §33.13(c)(2): Clinical records shall be released w/out patient consent to Mental Hygiene Legal Services

MHL §47.03: MHLS has authority to be granted access to all books, records, and data necessary for it to carry out its functions, provided that where federal regulations restrict a facility re: release of info in the clinical record of a patient or restrict disclosure of identity of patient or access to the patient to a greater extent than allowed under this law, the federal regulations shall be controlling.

MHL §9.11: (effective until 7/1/04): Except as to informal patients and patients admitted pursuant to section 9.39 or 9.40, the director of a hospital shall, within 5 days.....after the admission of any patient, forward to MHLS a record of such patient and shall simultaneously forward to the department such information from the record as the commissioner by regulation shall require. Such information from the record in the department shall only be accessible in the manner set forth in section 33.13.

MHL §9.11: (effective 7/1/04): Except as toinformal patients and patients admittedpursuant to section 9.39, the director of ahospital shall, within 5 days.....after theadmission of any patient, forward to MHLS arecord of such patient and shall simultaneouslyforward to the department such informationfrom the record as the commissioner byregulation shall require. Such information fromthe record in the department shall only beaccessible in the

§164.502(a): A covered entity may not use or disclose PHI except as permitted orrequired by this subpart or subpart C of part 160 of this subchapter.

§164.502(g):A “personal representative” can fulfill the role of the individual aboutwhom PHI pertains if the representative has authority to act on behalf of theindividual in making decisions about health care.

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, acovered entity may not use or disclose PHI without an authorization that is validunder this section. (p. 82811:1)

Fact Dependent: In cases where MHLS is a patient’s “personal representative,” i.e., MHLS has legal authority to make decisions regarding a patient’s health care, information can be disclosed without specific patient consent or authorization. However, MHL §47.03(f) indicates that federal regulations that place greater restrictions on release of information about patients shall prevail. Therefore, in most cases, patient authorization will be necessary for release of information to MHLS.

Other notifications, such as the requirement in MHL §29.29 for facilities to notify the MHLS of all reported allegations of patient abuse or neglect within 3 working days, and disclosures required throughout Article 9 (e.g. MHL §9.09, 9.11, 9.25, 9.31, 9.33), are not preempted and are therefore permitted under the “required by law” exemption to HIPAA since the use or disclosure is required by law. This, however, is not a general rule under MHL §47.03.


Attorneys

MHL §33.13(c)(3): An attorney representing a patient on the matter of his involuntary hospitalization can be provided access to the patient’s clinical record.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p. 82814:3)

No preemption; should generally operate together, provided satisfactory assurances have been provided by the attorney per the HIPAA regulations. (p. 82815:1)

CQC

MHL §33.13(c)(4): Records can be released to CQC or other person/agency under contract with CQC to provide protection and advocacy services as provided for by federal law, irrespective of patient consent.

MHL §45.09: (a) The commission, any member or any employee designated by the commission, must be granted access at any and all times to any mental hygiene facility or adult home or residence for adults in which 25% or more residents have at any time received or are receiving services from a mental hygiene provider which is licensed, operated, or funded by OMH or OMRDD in order to carry out the functions of the commission as provided for in section 45.10 of this article....and to all books, records and data pertaining to any such facility deemed necessary for carrying out the commission’s functions, powers and duties.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(d)(3): PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions, ...or other activities necessary for the oversight of the health care system... (p. 82814:2)

No Preemption: Federal statute (42 USCA §10805) provides for the establishment of a system of protection and advocacy services for psychiatric patients who may be the subject of abuse or neglect. In New York, this function is vested in CQC. Coupled with its New York State statutory authority, CQC meets the HIPAA definition of a health oversight agency, and as such they are permitted to receive PHI without patient authorization/consent. Hence, the laws are not inconsistent and State law applies.

Medical Review Board/State Commission of Corrections

MHL §33.13(c)(5): Records can be released to the Medical Review Board of the State Commission of Corrections, when requested in connection with a patient death, or with patient consent and in exercise of its statutory duties.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.506: A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p. 82810:1)

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

§164.512(g): PHI about decedents can be released to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. PHI may also be released to funeral directors to carry out their duties with respect to a decedent.

§164.512(d): PHI can be released to health oversight agencies for oversight activities authorized by law, including administrative investigations.

No preemption: State law applies, in that patient “consent” (will need to fulfill requirements of HIPAA authorization) is necessary to disclose information. In cases of decedent information, the HIPAA health oversight exception should apply.

Endangered individuals (Tarasoff)

MHL §33.13(c)(6): Patient information can be released to an endangered individual and a law enforcement official when a treating psychiatrist or psychologist has determined that a patient presents a “serious & imminent” danger to that individual.

§164.512(j): A covered entity may use/disclose PHI (consistent with law & professional conduct) if it believes in good faith that the disclosure is necessary to prevent or lessen a serious & imminent threat to the health or safety of a person (per preamble, consistent with Tarasoff) or the public and is being made to a person or persons reasonably able to prevent or lessen the threat or is necessary for law enforcement authorities to identify/apprehend an individual. If disclosure is to be made to one other than the target, the information cannot have been obtained in the course of treatment to affect the propensity to commit the criminal conduct or through a request by the person to initiate or be referred to treatment.

No preemption: State and Federal laws are consistent; State law applies.

Consent

MHL §33.13(c)(7): Patient information can be released, with consent of the patient or of someone authorized to act on patient’s behalf, to persons/entities who have a demonstrable need for such information provided such disclosure will not reasonably be expected to be detrimental to the patient or others.

§164.502(a)(1): A covered entity is permitted to use/disclose PHI to the patient (including a patient’s personal representative, i.e., someone authorized to act on patient’s behalf to make health care decisions).

No preemption: State law prevails, in that it offers greater restrictions on disclosure of patient information, i.e. there must be a demonstrable need to know and no detrimental impact.

State Board for Professional Medical Conduct/Office of Professional Discipline:

MHL §33.13(c)(8): Patient information can be disclosed (irrespective of patient consent) to the State Board for Professional Medical Conduct, the Office of Professional Discipline, or their respective representatives when the Board or Office has requested such information in the exercise of its statutory function, powers and duties (provided, however, that no such information may be released when the patient is also the subject of the Board’s inquiry, except pursuant to a court order).

§164.512(d): PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions. (p. 82814:2)

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

No preemption: State and Federal laws are consistent; State law applies.

Payment

MHL §33.13(c)(9)(i): With consent of appropriate Commissioner, patient information may be disclosed w/out patient consent to governmental agencies, insurance companies, and other third parties requiring information necessary for payment. Such information shall be limited to the information required.

§164.506: A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p. 82810:1)

Note: Recent amendments eliminate this requirement.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

No Preemption: NY law permits disclosure of PHI for payment purposes without patient consent; the newly adopted amendments to HIPAA also do not require such consent.

Missing persons/criminal investigations:

MHL §33.13(c)(9)(ii): With consent of appropriate Commissioner, patient information may be disclosed to persons and agencies needing information to locate missing persons or to governmental agencies in connection with criminal investigations, such information to be limited to identifying data concerning hospitalization.

§164.512(f)(1),(2): A covered entity may use/disclose PHI for law enforcement purposes, including in response to a law enforcement official’s request for such info to identify and locate a suspect, fugitive, material witness, or missing person, provided that the info disclosed is limited as prescribed. (p. 82815:2,3)

Fact Dependent: State and Federal laws are generally consistent, provided requestor of PHI fits the definition of “law enforcement official” in HIPAA.

Qualified researchers:

MHL §33.13(c)(9)(iii): With consent of appropriate Commissioner, patient information can be released to “qualified researchers” (certain persons licensed under the Education Law or other persons deemed competent/qualified by IRB or other human research committee constituted by OMH) when approved by the IRB or other committee constituted by OMH under certain circumstances.

§164.512(i): A covered entity may disclose PHI w/out patient consent for research purposes with IRB or privacy board approved waiver. (p. 82816:2,3)

Note: recent amendments modify this requirement to streamline reviews, but do not remove requirement for IRB approval.

Preempted in Part: Language of NYS statute is broadly drafted so that it can be interpreted, to a large part, as consistent with HIPAA. However, IRB review and waiver under HIPAA contains specific requirements that must be satisfied before PHI can be used/disclosed for research w/out patient consent. Otherwise, patient authorization is required. These provisions preempt State law.

Note: current OMH/RFMH practice is to obtain specific patient “consent” (really an authorization).

Coroners, county medical examiners:

MHL §33.13(c)(9)(iv): With consent of appropriate Commissioner, patient information may be disclosed w/out patient consent to a coroner, a county medical examiner, or the chief medical examiner for NYC upon the request of a facility director that an investigation be conducted into the death of a patient about whom the facility maintains such information. Disclosure limited to necessary information.

§164.512(g): A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or other duties as authorized by law. (p. 82816:1)

No preemption: State and Federal laws are consistent; State law applies.

Endangered patient or public at large:

MHL §33.13(c)(9)(v): With consent of appropriate Commissioner, patient information may be released to appropriate persons & entities when necessary to prevent imminent serious harm to the patient or another person.

§164.512(j)(1),(2): A covered entity may use or disclose PHI (consistent with law & professional conduct) if it believes in good faith that the disclosure is necessary to prevent or lessen a serious & imminent threat to the health or safety of a person (per preamble, consistent with Tarasoff) or the public and is being made to a person or persons reasonably able to prevent or lessen the threat or is necessary for law enforcement authorities to identify/apprehend an individual. If disclosure is to be made to one other than the target, the info cannot have been obtained in the course of treatment to affect the propensity to commit the criminal conduct or through a request by the person to initiate or be referred to treatment. (p. 82817:2)

No preemption: While the State law applies to disclosures and HIPAA applies to both uses and disclosures, a distinction between “use” and “disclosure” has never been made in State law; such term is undefined. Therefore, it is reasonable to assume that in general, State law and HIPAA are consistent in intent. State law, however, is more stringent in that disclosure is permitted “when necessary” to prevent serious and imminent harm, while a “good faith” belief is the standard in HIPAA. Hence, State law applies.

Note: It should be noted that HIPAA would limit uses/disclosures to someone other than the target of the threat if the information was learned in the course of treatment to affect the propensity to commit the criminal conduct forming the basis for the disclosure, e.g. sex offender treatment.

District Attorneys

MHL §33.13(c)(9)(vi): With consent of appropriate Commissioner, patient information may be released to a district attorney when such request is in connection with and necessary to the furtherance of a criminal investigation of patient/client abuse.

§160.501: Law enforcement official means an officer or employee of any agency or authority, of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

§164.512(f)(1): A covered entity may disclose PHI for a law enforcement purpose to a law enforcement official...(i) in compliance with and as limited by the relevant requirements of: (A) a court order or court-ordered subpoena or summons issued by a judicial officer; (B) a grand jury subpoena; or (C) an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used.

§164.512(f)(3): ....a covered entity may disclose PHI in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures subject to paragraphs (b) and (c) of this section, if: (i) the individual agrees to the disclosure; or (ii) the covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that (A) the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred; and such information is not intended to be used against the victim; (B) the law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would materially and adversely be affected by waiting until the individual is able to agree to the disclosure; and (C) the disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

Fact Dependent: State and Federal laws are generally consistent in intent, provided that the requisite conditions listed in the HIPAA exceptions are met. State law is more stringent by relating only to crime victims who are victims of patient or client abuse. For all other crimes, HIPAA would apply (subject to provisions requiring the person that is the subject of the PHI to agree to the disclosure unless it cannot be obtained, in accordance with the rule). Furthermore, under State law, information re: patient abuse may only be disclosed to a district attorney, while HIPAA allows disclosures for other crimes to a law enforcement official, which is more broadly defined.

Note: Other disclosures to district attorneys may be authorized if otherwise required by law.

Correctional Facilities:

MHL §33.13(c)(10): Patient information necessary for making a determination regarding a current inmate’s health care, security, safety or ability to participate in programs may be disclosed to a correctional facility when the chief administrative officer has requested same. Information released may be limited to a summary of the record.

Division of Parole: Patient information can be disclosed to DoP when it has requested same with respect to a person under its jurisdiction or when the inmate is within 2 weeks of release from a state correctional facility.

§164.512(k)(5): A covered entity may disclose PHI about an inmate or individual in lawful custody to a correctional institution or a law enforcement official having lawful custody of such individual about such inmate or individual if the PHI is necessary for (1) the provision of health care to the person; (2) the health and safety of the person or other inmates; (3) the health and safety of officers/employees; (4) the health and safety of those transporting/transferring the person; (5) law enforcement on the premises of the correctional institution; (6) administration and good order of the institution.

It is noted that an individual is no longer considered an “inmate” when released on parole, probation, supervised release, or is no longer in lawful custody. (p. 82818:1,2)

Preempted in Part: For disclosures to correctional institutions and to DoP for persons about to be released from a correctional facility, the laws are consistent, and there is no preemption. State law applies.

However, for disclosures to DoP with regard to persons who have been released to parole, the NYS Statute is preempted and consent or authorization for release of PHI is required.


Qualified persons

MHL §33.13(c)(11); MHL §33.16(a)(6)

Patient information can be released, irrespective of patient consent, to a patient, guardian appointed pursuant to Section 17-A of the Surrogate’s Court Procedure Act, or committee for an incompetent, or parent/guardian of an infant or other legally appointed guardian of an infant, or a parent, spouse or adult child of an adult patient who may be entitled to request access to a record pursuant to Section 33.16 of the MHL.

§164.502(a)(1)(i): A covered entity can release PHI w/out consent to the individual. “Individual” is defined in §164.501 as the person who is the subject of the health information.

§164.502(g): Requires covered entities to treat “personal representatives” as the individual for purposes of HIPAA rights (e.g. signing consents, authorizations, access, copying, and correction). Personal representatives include: (1) with respect to adults and emancipated minors, personal representatives who have under applicable law authority to act on behalf of an adult or emancipated minor in making decisions relating to health care; (2) with respect to unemancipated minors, a parent, guardian, or other person acting in loco parentis provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual with respect to the PHI relating to such care; (3) with respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent’s estate. (p. 82492:3)

No Preemption: State law and HIPAA are generally consistent. State law is not contrary to HIPAA; State law applies.

Director of Community Services:

MHL §33.13(c)(12): Patient information can be disclosed to a Director of Community Services when in connection with “the exercise of his statutory functions, powers and duties pursuant to MHL §41.13” which authorizes the provision of local services to the mentally disabled in order to assure appropriateness and continuity of services for those in need of such services.

§164.512(d)(3): PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions. (p. 82814:2)

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(k): A covered entity that is a government agency administering a government program providing public benefits may disclose PHI relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of PHI is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs.

No preemption: To the extent that a use or disclosure is made to a DCS in the exercise of its statutory health oversight duties and/or specialized government functions (i.e., as administrators of the Medicaid program), it is not preempted.

Note: for supporting reference regarding a determination that the Director of Community Services constitutes a health oversight agency, see Mental Hygiene Law Article 41 and 14 NYCRR §102.7.

NYS Division of Criminal Justice Services

MHL §33.13(c)(13): Patient information can be released to DCJS for the sole purpose of providing, facilitating, evaluating or auditing access by the Commissioner of OMH to criminal history information pursuant to MHL §7.09.

MHL §7.09(j): The Commissioner of OMH is authorized to have access to criminal history information contained in the central data facility established by DCJS; summary reports can be included in patient records for purposes of making decisions regarding care and treatment, health and safety, privileges and discharge planning for patients admitted to/retained in hospitals operated by OMH.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(k)(5): A covered entity may disclose PHI about an inmate or individual in lawful custody to a correctional institution or a law enforcement official having lawful custody of such individual about such inmate or individual if the PHI is necessary for (1) the provision of health care to the person; (2) the health and safety of the person or other inmates; (3) the health and safety of officers/employees; (4) the health and safety of those transporting/transferring the person; (5) law enforcement on the premises of the correctional institution; (6) administration and good order of the institution.

§164.501: Correctional institution: means any penal or correctional facility, jail, reformatory, detention center, or residential community program ...for the confinement or rehabilitation of persons charged with or convicted of criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.

No preemption: Assuming DCJS is not a covered entity under HIPAA, there are no HIPAA restrictions on its disclosures to OMH. OMH is authorized to receive criminal justice information by State law.

To the extent the information disclosed by OMH is information regarding an inmate, and the disclosures to DCJS are necessary in order for the administration and good order of the facility (e.g. to evaluate and audit OMH’s access to the information), HIPAA would permit OMH to disclose PHI about inmates back to DCJS.

Note: A government agency-to-government agency MOU may need to be executed and/or amended, as applicable, to reflect Business Associate requirements of HIPAA.

Other Service Providers:

MHL §33.13(d): Patient information can be shared among facilities or others providing services for such patients pursuant to an approved local or unified services plan, or pursuant to agreement with Department of Mental Hygiene. Hospital emergency rooms (Article 28) can exchange, electronically or otherwise, information with other Article 28 hospital emergency rooms and/or hospitals licensed/operated by OMH. Information disclosed must continue to be treated as confidential and any limitations imposed on the party giving the information shall apply to the party receiving the information.

§164.501: Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

§164.506: A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p. 82810:1)

OCR HIPAA Implementation Guidance: (7/01) “Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient's condition?

A: No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another health care provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation.”

Note: Recent amendments eliminate this requirement.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

No Preemption: NY law permits disclosure of PHI with other treatment providers for treatment purposes without obtaining patient consent; newly adopted amendments to HIPAA also permit uses/disclosures of PHI for treatment purposes without general consent.

Licensed Providers

MHL §33.13(e): Clinical information tending to identify patients and clinical records maintained at a facility not operated by OMH shall not be a public record and shall not be released to any person or facility outside of such facility except pursuant to subdivisions (b), (c) or (d) of this section (see analysis for each of these subdivisions, infra). The director of such a facility may consent to the release of such information and records, subject to regulation by the Commissioner, pursuant to the exceptions stated in subdivision (c) of this section (infra), provided that, for the purpose of this subdivision, such consent shall be deemed to be the consent otherwise required of the Commissioner pursuant to subdivision (c) of this section. Nothing in this subdivision shall be construed to limit, restrict, or otherwise affect access to such clinical information or records by the mental hygiene legal service, the commission on quality of care for the mentally disabled or the offices when such access is authorized elsewhere in law.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

§164.502(a): A covered entity may not use or disclose PHI except as permitted or required by this subpart or subpart C of part 160 of this subchapter.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

Note: Recent amendments eliminate this requirement.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

No Preemption: State law extends the confidentiality provisions of MHL §33.13 to licensed providers, in addition to those directly operated by the State. To the extent they are covered entities, they must be in compliance with HIPAA. In these cases, the preemption analysis infra on the various provisions of MHL §33.13 will likewise apply.

Minimum Necessary

MHL §33.13(f): Any disclosure made pursuant to this section shall be limited to that information necessary in light of the reason for disclosure. Information so disclosed shall be kept confidential by the party receiving such information and the limitations on disclosure in this section shall apply to such party. Except for disclosures made to the mental hygiene legal service, to persons reviewing information or records in the ordinary course of insuring that a facility is in compliance with applicable quality of care standards, or to governmental agencies requiring information necessary for payments to be made to or on behalf of patients pursuant to contract or in accordance with law, a notation of all such disclosures shall be placed in the clinical record of that individual who shall be informed of all such disclosures upon request; provided, however, that for disclosures made to insurance companies licensed pursuant to the insurance law, such a notation need only be entered at the time the disclosure is first made.

§164.502(b) Minimum Necessary: (1) When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request. (2) This does not apply to: (i) Disclosures to/requests by a health care provider for treatment; (ii) Uses or disclosures made to the individual, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization; (iii) Disclosures made to the Secretary of HHS; (iv) Uses or disclosures that are required by law, and (v) Uses or disclosures that are required for compliance with applicable requirements of this Subchapter. (p. 82805, 82806)

§164.528: Accounting of disclosures of PHI

(a)(1): An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is required, except for disclosures: (i) to carry out treatment, payment, and health care operations; (ii) to individuals of PHI about them; (iii) for the facility’s directory or to persons involved in the individual’s care or other notification purposes; (iv) for national security or intelligence purposes; (v) to correctional institutions or law enforcement officials; or (vi) which occurred prior to the compliance date for the covered entity.

(b)(2) Content of the accounting: For each disclosure, the accounting must include: (i) date of disclosure; (ii) name and, if known, address of the recipient of the PHI; (iii) brief description of the PHI disclosed; (iv) brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. If, during the period of the accounting, the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose pursuant to and in compliance with a valid consent under HIPAA or where a consent, authorization, or an opportunity to agree or object is not required, the accounting may provide: (i) the information required to be included in the accounting for the first disclosure during the accounting period; (ii) the frequency, periodicity or number of the disclosures made during the accounting period and (iii) the date of the last disclosure during such accounting period.

Preempted in Part: With regard to limitations on disclosures, State law is more restrictive and therefore applies.

State law requires a notation be made of disclosures in the patient record, except for disclosures that can be characterized as those for treatment, payment, or health care operations purposes. This is consistent with HIPAA, and thus State law applies. State law also requires that patients be informed of disclosures upon request, which is also consistent with HIPAA. However, HIPAA preempts some aspects of State law with regard to the necessary content in accountings of disclosures, since the Federal regulations go further in specifying the information that must be included in the accounting.

Facility Directories

May be addressed in individual NYS OMH facility policies.

§164.510(a): A health care provider that is a covered entity may, if the patient has been given advance notice of the use/disclosure and has been given the opportunity to agree/object to the disclosure, use/disclose the following PHI to maintain a directory of patients: (A) name; (B) location in the facility; (C) condition, described in general terms; (D) religious affiliation...and may disclose such information: (A) to members of the clergy; or (B) except for religious affiliation, to others who ask for the patient by name.

If such disclosures are consistent with State policy, HIPAA would permit disclosures for facility directories; HIPAA opportunity to agree and object requirements prevail.

Disaster Relief

Not specifically addressed in NYS Mental Hygiene Law

§164.510(b)(4): A covered entity may use/disclose PHI to a public/private entity authorized by law or by its charter to assist in disaster relief effort.

If such disclosures are consistent with State policy, HIPAA would permit disclosures for disaster relief purposes.

Cadaveric, Organ, Eye or Tissue Donation

Not specifically addressed in NYS Mental Hygiene Law

(Note: will be addressed in pending OMH Official Policy PC-450; Patient Death, but disclosures will be required to be in concert with state and federal law and regulations)

§164.512(h): A covered entity may use/disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.

If such disclosures are consistent with State policy, HIPAA will govern these disclosures as there is no comparable provision of State law.

Military and Veteran Activities

Not specifically addressed in NYS Mental Hygiene Law

§164.512(k)(1): Requirements for uses/disclosures by covered entities regarding Armed Forces personnel, discharge or separation from military service, veterans, and foreign military personnel are detailed in this section.

If such disclosures are consistent with State policy, HIPAA will govern these disclosures as there is no comparable provision of State law.

National Security and Intelligence Activities

Not specifically addressed in NYS Mental Hygiene Law

§164.512(k)(2) A covered entity may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other authorized security activities.

If such disclosures are consistent with State policy, HIPAA will govern these disclosures as there is no comparable provision of State law.

Protective Services for the President and Others

Not specifically addressed in NYS Mental Hygiene Law

§164.512(k)(3) A covered entity may disclose PHI to authorized federal officials for the provision of protective services to the President or other authorized persons.

If such disclosures are consistent with State policy, HIPAA will govern these disclosures as there is no comparable provision of State law.

Medical Suitability Determination

Not specifically addressed in NYS Mental Hygiene Law

§164.512(k)(4): A covered entity that is a component of the State may use PHI for this purpose, as governed by this section.

If such disclosures are consistent with State policy, HIPAA will govern these disclosures as there is no comparable provision of State law.

Workers’ Compensation

Not specifically addressed in NYS Mental Hygiene Law

§164.512(k)(7): A covered entity may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

No Preemption: As disclosures under this section are to be “as authorized by law,” HIPAA and any governing State law will, by operation, be consistent.

MHL SECTION 33.16 - ACCESS TO CLINICAL RECORDS

Definitions

MHL §33.16(a)(1): Clinical record means any information concerning or relating to the examination or treatment of an identifiable patient or client maintained or possessed by a facility which has treated or is treating such patient or client, except data disclosed to a practitioner in confidence by other persons on the express condition that such data would never be disclosed to the patient or client or other persons, provided that such data has never been disclosed by the practitioner or a facility to any other person. If at any time such data is disclosed (unless the disclosure is made pursuant to MHL §33.13, to practitioners as part of consultation or referral, to the statewide planning and research cooperative system, or to the committee or a court pursuant to MHL §33.16, or to an insurance carrier insuring, or an attorney consulted by, a facility) it is considered clinical records.

§164.501: "Designated Record Set" means: (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) ...the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

§164.524(a)(2)(v): an individual's access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality....

§164.524(a)(1) excludes the following from access by an individual: (i) Psychotherapy notes; (ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and (iii) Protected health information maintained by a covered entity that is: (A) Subject to the Clinical Laboratory Improvements Amendments of 1988 to the extent the provision of access to the individual would be prohibited by law; or (B) Exempt from the Clinical Laboratory Improvements Amendments of 1988.

65 Fed. Reg. 82605, 82606 (December 28, 2000): peer review or other quality assurance files which are used only to improve patient care at the facility, and not to make decisions about individuals, are not part of that facility's "designated record set."

No Preemption: State law and Federal law are generally consistent.

Definitions

MHL §33.16(a)(5): Patient or client means an individual concerning whom a clinical record is maintained or possessed by a facility as defined in paragraph 3 of this subdivision.

§164.501: “Individual” means the person who is the subject of protected health information

No preemption: State law is not contrary to HIPAA; laws are similar; State law prevails.

Definitions

MHL §33.16(a)(6): Qualified person means (1) any properly identified patient or client; (2) guardian of a mentally retarded or developmentally disabled person; (3) committee for an incompetent; (4) parent of an infant; (5) guardian of an infant; or (6) a parent, spouse, or adult child of an adult patient or client who may be entitled to request access to a clinical record pursuant to MHL §33.16(b)(4).

§164.501: “Individual” means the person who is the subject of protected health information.

§164.502(g)(1): A “personal representative” can fulfill the role of the individual about whom PHI pertains; (2) If, under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative with respect to PHI relevant to such personal representation.

No preemption: State law is not contrary to HIPAA; laws are similar; State law prevails.


Access by Qualified Persons

MHL §33.16(b)(1): Upon the written request of any patient/client (or other qualified person) a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual in the possession of such facility (subject to applicable access conditions or limitations)

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

Preempted in Part:

1. With regard to the type of information for which a patient can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires such action within a 10-day period and HIPAA permits 30 days; thus, State law prevails here.

3. State law does not include a requirement for patients to be advised of the need to make written requests for access; HIPAA prevails in this regard.

4. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted that in the State operated and licensed NYS mental health system, the presence of any information that would constitute “psychotherapy notes” does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient’s clinical record.

Access by Qualified Persons

MHL §33.16(b)(2): Upon the written request of a committee for an incompetent or guardian of the person of a mentally retarded or developmentally disabled person .... a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual in the possession of such facility. Provided, however, in the case of any guardian to inspect the clinical record concerning a client 18 years of age or older, the facility shall notify the client of such request.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

Preempted in Part:

1. With regard to the type of information for which a committee/guardian can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires such action within a 10-day period and HIPAA permits 30 days; thus, State law prevails here.

3. State law does not include a requirement for patients to be advised of the need to make written requests for access; HIPAA prevails in this regard.

4. HIPAA does not require an individual be notified if a personal representative requests access to his/her record; State law does. In this regard, State law is more stringent and thus prevails.

5. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted that in the State operated and licensed NYS mental health system, the presence of any information that would constitute “psychotherapy notes” does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient’s clinical record.

Access by Qualified Persons

MHL §33.16(b)(3): Upon the written request of a parent of an infant or guardian of an infant.... a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual in the possession of such facility. Provided, however, that such parent or guardian shall not be entitled to inspect or make copies of any clinical record concerning the care and treatment of an infant where the treating practitioner determines that access to the information requested by such person would have a detrimental effect on the practitioner’s professional relationship with the infant, or the care and treatment of the infant or on the infant’s relationship with his/her parent or guardian.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

§164.524(a)(3)(iii) A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed in the following circumstances: (iii) The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

Preempted in Part:

1. With regard to the type of information for which a parent/guardian of an infant can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires such action within a 10-day period and HIPAA permits 30 days; thus, State law prevails here.

3. State law does not include a requirement for patients to be advised of the need to make written requests for access; HIPAA prevails in this regard.

4. State law and HIPAA are consistent in that both permit denial of access in the case of likelihood to cause harm to the individual or another person. State law permits review of such denials via MHL §33.16(c)(4). Hence, State law is not contrary to HIPAA and State law prevails.

5. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted that in the State operated and licensed NYS mental health system, the presence of any information that would constitute “psychotherapy notes” does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient’s clinical record.

Access by Qualified Persons

MHL §33.16(b)(4): Upon the written request of a parent of an adult patient, or spouse or adult child of a patient,.... a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual, which the parent, spouse or child is authorized by law to provide consent or is being requested to provide such consent, in the possession of such facility. Provided, however, that such parent, spouse, or child shall not be entitled to inspect or make copies of any clinical record concerning the care and treatment of an individual where the treating practitioner determines that access to the information requested by such person would have a detrimental effect on the practitioner’s professional relationship with the individual, or the care and treatment of the individual or on the individual’s relationship with his/her parent, spouse, or child. Any inspection shall be limited to that information which is relevant in light of the reason for such inspection.

§164.502(g)(1): A “personal representative” can fulfill the role of the individual about whom PHI pertains; (2) If, under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative with respect to PHI relevant to such personal representation.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

§164.524(a)(3)(iii) A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed in the following circumstances: (iii) The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

Preempted in Part:

1. With regard to the type of information for which a parent, spouse, child can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires such action within a 10-day period and HIPAA permits 30 days; thus, State law prevails here.

3. HIPAA and State law are consistent in terms of permitting parents of adult patients, or their spouse or adult child to request access in that State law only permits such access if such person is authorized by law to consent to treatment (i.e., is authorized to make health care decisions for the individual, as is required by HIPAA).

4. State law and HIPAA are consistent in that both permit denial of access in the case of likelihood to cause harm to the individual or another person. State law permits review of such denials via MHL §33.16(c)(4). Hence, State law is not contrary to HIPAA and State law prevails.

5. HIPAA does not limit access to records by personal representatives to that which is relevant in light of the reason for inspection, as does State law in this subdivision. HIPAA indicates that for purposes of access, personal representatives “stand in the shoes” of individuals; therefore, it is reasonable to conclude that to the extent that a personal representative is requesting disclosure of information on behalf of a patient, and for the same purpose and to the same extent that the patient would do so, State law and HIPAA are consistent and State law prevails.

6. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted that in the State operated and licensed NYS mental health system, the presence of any information that would constitute “psychotherapy notes” does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient’s clinical record.

Access by Qualified Persons

MHL §33.16(b)(5): A facility shall furnish, upon the written request of a qualified person, within a reasonable time, a copy of any clinical record requested which the person is authorized to inspect.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(c)(1): The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets.

(c)(2)(i): The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; if not, a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

Preempted in Part:

1. As a technical matter, State law is actually more stringent on its face since it does not limit access to psychotherapy notes; however, it must be noted that in the State operated and licensed NYS mental health system, the presence of any information that would constitute “psychotherapy notes” does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient’s clinical record.

2. Unless the facility has previously notified the qualified person that his/her request for access must be in writing, restricting actionable requests to written ones is contrary to HIPAA; hence this provision of State law would be preempted.

3. State law provisions which leave a copy of the information as the only option for providing access are inconsistent with HIPAA’s provisions authorizing individuals to dictate the form or format of their PHI, if readily producible as such. Therefore, this provision of HIPAA also prevails.

Access by Qualified Persons
MHL §33.16(b)(6) (a) The facility may impose a reasonable charge for all inspections and copies; i.e., a maximum of 75 ¢ per page. A qualified person shall not be denied access to the clinical record solely because of inability to pay.
(b) ...for copies requested by an attorney or another person or insurer representing or acting on behalf of the patient or his/her estate, the provider may impose a reasonable charge for all inspections and copies, not to exceed the costs incurred by such provider, however, the reasonable charge for paper copies shall not exceed Z1 per page for paper copies and Z2 per page for microfilm or microfiche copies.

§164.524(c)(4): The covered entity may impose a reasonable, cost based fee, provided that the fee only includes the cost of: (i) copying, cost of supplies and labor of copying; (ii) postage, when requested by the individual to be mailed to him/her; (iii) preparing an explanation or summary of the PHI, if agreed to by the individual.

No Preemption: State law is more stringent than HIPAA; first, the fee imposed by State law is reasonably related to the costs permitted by HIPAA and probably is less than the amount HIPAA would ultimately permit for copies, postage, and preparing an explanation/summary (it should be noted that HIPAA does not expressly permit charging for “inspections,” as is literally provided in State law, but as a matter of standard practice, the basis for this charge is copying and postage; hence, it is reasonable to interpret these provisions as consistent). Second, State law’s provision prohibiting denial of access solely due to inability to pay provides more rights to the individual and hence is more stringent than HIPAA. HIPAA does not address fees that can be assessed on attorneys or another person or insurer acting on behalf of the patient or his/her estate (i.e. those who are not personal representatives).

Access by Qualified Persons
MHL §33.16(b)(7)

A facility may place reasonable limitations on the time, place, and frequency of any inspection of clinical records.

§164.524(c)(3): Time and manner of access. The covered entity must provide the access as requested by the individual in a timely manner ... including arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI or mailing a copy of the PHI at the individual’s request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.

State Law Preempted: While State law and HIPAA are similar, HIPAA requires the covered entity to discuss with the individual a convenient time and place for access. This step is not required in State law and must occur before a facility is authorized to place reasonable time, place, and frequency conditions on access.

Access by Qualified Persons
MHL §33.16(b)(8)

A treating practitioner may request the opportunity to review the patient information with the qualified person requesting such information, but such review shall not be a prerequisite for furnishing the record.

§164.524(c)(3): ... The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.

No Preemption: State law is not contrary to HIPAA; State law prevails.

Access by Qualified Persons
MHL §33.16(b)(9): A facility may make available for inspection either the original or a copy of the clinical records.

§164.524(c)(1): The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets...

(c)(2)(i): The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; if not, a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

State Law Preempted: With regard to the requirement to make either originals or copies available to individuals, State law and HIPAA are generally similar. However, State law permits facilities to make available for the inspection either the original or a copy; HIPAA requires covered entities to provide the access by inspection (of presumably originals) or by providing copies, or both.

Additionally, State law is silent with regard to authorizing individuals to dictate the form or format of their PHI, if readily producible as such. Therefore, this provision of HIPAA also prevails.

Limitations on Access
MHL §33.16(c)(1): Upon the written request by a qualified person to inspect or copy the clinical record maintained by a facility, the facility shall inform the treating practitioner of the request. The treating practitioner may review the information requested. Unless the treating practitioner determines that the requested review of the clinical record can reasonably be expected to cause substantial and identifiable harm to the patient or others that would outweigh the qualified person’s right of access, review of such record shall be permitted or copies provided.

§164.524(a)(2): Unreviewable grounds for denial. A covered entity may deny access to an individual without providing the individual an opportunity for review if: (1) the PHI is excepted from the right of access; (2) the individual consented to have the right of access temporarily suspended in the course of research that includes treatment; (3) information is protected under the Privacy Act; or (4) the information was obtained from someone other than the health care provider under a promise of confidentiality and the access requested would likely reveal the source of the information.

§164.524(a)(3) Reviewable grounds for denial: A covered entity may deny an individual access, but the individual must be given a right to have such denials reviewed, in 3 circumstances: (i) when access would be reasonably likely to endanger the life or physical safety of the individual or another person; (ii) when the PHI makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or (iii) the request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

re: (a)(3)(iii) Preamble: Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

Fact Dependent: To the extent that the qualified person is a parent or guardian of an infant, or a parent, spouse, or adult child of an adult patient who is authorized by law to make health decisions for the patient, State law is not preempted. To the extent, however, that the request is being made by the patient and there is no possibility of a threat to the life or physical safety of the patient or others, HIPAA is more stringent than State law in that it provides a greater right of access to the patient. Hence, in this circumstance, State law would be preempted.

Limitations on Access
MHL §33.16(c)(2): A patient over the age of 12 may be notified of any request by a qualified person to review his/her record and if the patient objects to disclosure, the facility, in consultation with the practitioner, may deny the request.

No comparable provision.

No Preemption: Although HIPAA indicates that for purposes of access, personal representatives “stand in the shoes” of individuals, it is reasonable to conclude that State law actually protects the privacy of an individual’s records by providing an opportunity for a minor patient to limit what can be disclosed to a greater degree than does HIPAA; hence, State law is more stringent and should prevail.

Limitations on Access
MHL §33.16(c)(3): If, after consideration of all the attendant facts and circumstances, the practitioner/treating practitioner determines that the requested review of all or part of the clinical record can reasonably be expected to cause substantial and identifiable harm to the patient or others, or would have a detrimental effect, the facility may deny access to all or part of the record and may grant access to a prepared summary of the record. In making such determination, the practitioner/treating practitioner may consider, among other things, the following: (1) the need for, and the fact of, continuing care & treatment; (2) the extent to which the knowledge of the information contained in the clinical record may be harmful to the health and safety of the patient or others; (3) the extent to which the clinical record contains sensitive information disclosed in confidence to the practitioner/treating practitioner by family members, friends, and other persons; (4) the extent to which the clinical record contains sensitive information disclosed in confidence to the practitioner/treating practitioner by the patient which would be injurious to the patient’s relationships with other persons except where the patient is requesting information about him/herself; and (5) in the case of a minor making a request for access, the age of the patient.

§164.524(a)(2): Unreviewable grounds for denial. A covered entity may deny access to an individual without providing the individual an opportunity for review if: (1) the PHI is excepted from the right of access; (2) the covered entity is a correctional institution, the requestor is an inmate, and his/her access to PHI would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee or other person at the correctional institution or responsible for the transport of the inmate; (3) the individual consented to have the right of access temporarily suspended in the course of research that includes treatment; (4) information is protected under the Privacy Act; or (5) the information was obtained from someone other than the health care provider under a promise of confidentiality and the access requested would likely reveal the source of the information.

§164.524(a)(3) Reviewable grounds for denial: A covered entity may deny an individual access, but the individual must be given a right to have such denials reviewed, in 3 circumstances: (i) when access would be reasonably likely to endanger the life or physical safety of the individual or another person; (ii) when the PHI makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or (iii) the request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

re: (a)(3)(iii) Preamble: Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

Fact Dependent:

1. In cases where HIPAA would allow a denial of access yet State law permits a summary rather than a complete denial, State law is more stringent and prevails.

2. To the extent that the qualified person is a parent or guardian of an infant, or a parent, spouse, or adult child of an adult patient who is authorized by law to make health decisions for the patient, State law is not preempted.

3. However, to the extent that the request is being made by the patient and there is no possibility of a threat to the life or physical safety of the patient or others (unless the patient is an inmate, e.g., a person committed to a psychiatric institution via criminal court order), HIPAA is more stringent than State law in that it provides a greater right of access to the patient. Hence, in this circumstance, State law would be preempted.

*Note: In cases where a treating practitioner/practitioner believes there is a substantial threat to the emotional health of the patient, it would not be contrary to HIPAA if the patient consents to waive access to certain parts of, or temporarily delay his/her access to, the records.

Limitations on Access
MHL §33.16(c)(4): In the event of a denial of access, the qualified person shall be informed by the facility of such denial, and of the qualified person’s right to obtain, without cost, a review of the denial by the appropriate clinical record access review committee.

If such a review is requested, the facility will, within 10 days of its receipt thereof, transmit the record to the chairman of the appropriate committee with a statement indicating why access was denied. After an in camera review, and after providing all parties an opportunity to be heard, the committee shall promptly make a determination whether review of the records is likely to cause substantial and identifiable harm to the patient or others which outweighs the qualified person’s right of access, or whether the requested review would have a detrimental effect (as defined in subdivision (b) of this section). If the committee determines the request for access should be granted, the committee shall notify all parties and the access shall be granted.

§164.524(d)(2): The covered entity must provide a timely, written denial to the individual. The denial must be in plain language and contain: (i) the basis for the denial; (ii) a statement of the individual’s rights, including a description of how the individual may exercise such review rights; and (iii) a description of how the individual may complain to the covered entity. The description must include the name, or title, and telephone number of the contact person or office designated in §160.530(a)(1)(ii).

§164.524(d)(4): If the individual has requested a review of a denial, the covered entity must designate a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official’s determination.

No Preemption:

1. Under State law, review is done without cost to the patient; HIPAA is silent on this point. As to this provision, State law prevails as it provides more rights/greater access to PHI to the individual.

2. State law is more stringent with regard to putting a time limit of 10 days within which to facilitate review; HIPAA merely sets a general obligation to do so “promptly.” Hence, State law prevails here.

3. State law provisions which require that the information and a statement setting forth the reasons why access was denied be transmitted permit the reviewing entity to be privy to a greater pool of information than does HIPAA, which merely requires that the request be referred. Furthermore, State law allows all parties to be heard and requires in camera review of materials; HIPAA is silent with regard to due process requirements. These provisions could facilitate an individual’s greater access to information, and therefore these State law provisions prevail.

4. State law requires that a written decision by the review committee be given promptly. HIPAA indicates the decision must be given in a reasonable period of time, and does not indicate the decision must be given in writing. While HIPAA indicates the individual is to be promptly notified of the decision and State law is silent on this point, the requirement for the written decision to be “given promptly” can reasonably be interpreted to mean that the individual is to be promptly notified. Therefore, these provisions do not appear inconsistent and State law is not preempted.

5. HIPAA requires that the individual be notified of the decision; State law requires all parties to be so notified. Inasmuch as it is possible for a covered entity to comply with both provisions, State law is not preempted.


6. State law requires that if access is granted, the provider must grant access. HIPAA requires the covered entity to take action to carry out the determination; these provisions are consistent and State law is not preempted.

Limitations on Access
MHL §33.16(c)(5): If, after review by the clinical access committee, access is denied in whole or part, the committee shall notify the person of his/her right to seek judicial review of the determination. Within 30 days of receiving notification of the decision, the qualified person may commence, upon notice, a special proceeding in supreme court for a judgment requiring the provider to make the record available for inspection/copying. The court, upon such application and in camera review (including the determination and record of the committee), and after providing all parties an opportunity to be heard, shall determine if a reasonable basis exists for denial of access. The relief shall be limited to a judgment requiring the facility to make the records available to the qualified person for inspection/copying.

No corresponding provision.

No preemption: HIPAA does not provide for a second level of review, as is so provided in State law. As such, State law is more stringent in that it provides greater access by giving a person a second opportunity to be granted access on review.

Clinical Records Access Review Committees
MHL §33.16(d): The Commissioners of OMH, OMRDD, and OASAS must appoint clinical record access review committees to hear appeals of the denial of access to patient records as provided for in subdivision (c) of this section. Members of the committees must be appointed by the respective Commissioners. The Committees shall consist of no fewer than 3, nor more than 5, persons. The Commissioners must promulgate rules and regulations to effect this section.

14 NYCRR §633.4(a)(10)(ii): The Clinical Access Review Committee shall consist of an OMRDD attorney; an OMRDD practitioner, and a representative of the voluntary provider agency community. The chairperson shall be an OMRDD attorney, and requests for review of denial of access shall be addressed to the Office of Counsel for OMRDD.

§164.524(d)(4): If the individual has requested a review of a denial, the covered entity must designate a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official’s determination.

Fact Dependent: State law does not specify the qualifications of members of the Clinical Access Review Committees, while HIPAA requires a “licensed health professional” to review denials of access. Compliance with both laws could be effected if at least one of the members appointed by a Commissioner for his Clinical Access Review Committee is a licensed health professional.

Note, however, that OMRDD regulations are preempted by HIPAA because its specification of the composition of its Clinical Access Review Committees is inconsistent with HIPAA. OMH and OASAS may wish to develop regulations which properly reflect HIPAA to ensure State law is consistently interpreted.

Applicability of federal law
MHL §33.16(f): Whenever federal law or applicable federal regulations restrict, or as a condition of federal aid require, that the release of clinical records or information be more restrictive than is provided under this section, the provisions of federal law or federal regulation shall be controlling.

§160.203: This general rule applies, except if one or more of the following conditions is met: ... 2) the provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification under the Federal Rule.

No Preemption: HIPAA preempts State laws that are more stringent with regard to disclosure, including those that would more greatly restrict patient access to PHI; State law indicates it is preempted by federal law and regulations that are more restrictive in terms of disclosures. Therefore, State law and the HIPAA Privacy regulation are generally consistent with regard to disclosures of PHI.

Challenges to accuracy
MHL §33.16(g): A qualified person may challenge the accuracy of information maintained in the clinical record and may require that a brief written statement prepared by him/her concerning the challenged information be inserted into the clinical record. This statement shall become a permanent part of the record and shall be released whenever the clinical record at issue is released. This subdivision shall apply only to factual statements and shall not include a provider’s observations, inferences or conclusions. A facility may place reasonable restrictions on the time and frequency of any challenges to accuracy.

§164.501: "Designated Record Set" means:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) ...the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

§164.526(a)(1),(2): (1) An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set.

(2) Denial of amendment. A covered entity may deny an individual’s request for amendment if it determines the PHI or record... (1) was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment; (2) is not part of the designated record set; (3) would not be available for inspection under the access provision; or (4) is accurate and complete.

Preamble: Many commenters strongly encouraged the Secretary to adopt “appendment” rather than “amendment and correction” procedures. They argued that the term “correction” implies a deletion of information ... appendment rather than correction procedures will ensure the integrity of the medical record and allow subsequent health care providers access to the original information as well as the appended information ... We agree ... we have revised the rule ... in order to clarify that covered entities are not required by this rule to delete any information from the designated record set. We do not intend to alter medical record retention laws or current practice, except to require covered entities to append information as requested to ensure that a record is accurate and complete. (p. 82736:1)

Preempted in Part:

1. Right to amend: Not preempted. A State law would be preempted if it more greatly restricted the right of amendment than does HIPAA. The State statute permits challenges to accuracy by “qualified persons,” similar to the HIPAA provisions permitting amendment by “individuals,” which term includes “personal representatives.” Further, both laws permit “appending” to records, rather than deleting/correcting records. State law ensures the amended information is protected to the same degree as the clinical record, consistent with HIPAA provisions. Under State law, “challenging the accuracy of information” is the functional equivalent of amending.

2. Timely action by covered entity: State law does not contain time requirements for responding to requests for amendment/challenge to accuracy. Therefore, the time requirements in HIPAA should be referred to as an outside parameter within which a response should be provided.

3. Making the amendment. State law contains no comparable provisions; hence, HIPAA applies.

4. Informing the individual. State law contains no comparable provisions; hence, HIPAA applies.

5. Informing others. State law contains no comparable provisions; hence, HIPAA applies.

6. Denial. State law contains no comparable provisions; hence, HIPAA applies.

7. Statement of disagreement. State law contains no comparable provisions regarding statements of disagreement with amendment denials; hence, HIPAA applies.

8. Rebuttal Statement. State law contains no comparable provisions; hence, HIPAA applies.

9. Recordkeeping. State law contains no comparable provisions; hence, HIPAA applies.

10. Future Disclosures: State law contains no comparable provisions; hence, HIPAA applies.

11. Actions on Notices of Amendments. State law contains no comparable provisions; hence, HIPAA applies.

12. Documentation: State law contains no comparable provisions; hence, HIPAA applies.


No comparable provisions.

§164.526(b)(2) Timely action by covered entity. The covered entity must act on the individual’s request no later than 60 days after receipt of such request by either taking the required action if it grants or denies the request in whole or in part. If the covered entity is unable to act on the amendment within the time required, the covered entity may have a one time extension of time for such action of no more than 30 days, provided that it provides the individual with a written statement of the reason for the delay and the date by which the covered entity will complete its action.

§164.526(c)(1): Making the amendment. The covered entity must make the appropriate amendment to the PHI or record that is the subject of the request, by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.

§164.526(c)(2): Informing the individual. The covered entity must timely inform the individual that the amendment is accepted and obtain the individual’s identification of and agreement to have the covered entity notify relevant persons with whom the amendment needs to be shared.

§164.526(c)(3): Informing others. The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the individual as having received PHI about the individual and needing the amendment, and persons, including business associates, that the covered entity knows have the PHI which is the subject of the amendment and that may have relied or could foreseeably rely, on such information to the detriment of the individual.

§164.526(d)(1): Denial. The covered entity must provide the individual with a timely, written denial. The denial must be in plain language and contain: (1) the basis for the denial, (2) the individual’s right to submit a written statement of disagreement, and how to file such a statement; (3) a statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of the PHI; and (4) the covered entity’s complaint procedures or how to file a complaint with the Secretary under HIPAA.

§164.526(d)(2): Statement of disagreement: The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement.

§164.526(d)(3) Rebuttal statement. The covered entity may prepare a written rebuttal to the individual’s statement of disagreement and provide a copy of such written rebuttal to the individual.

§164.526(d)(4): Recordkeeping. The covered entity must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the denial of the request, the statement of disagreement, if any, and the rebuttal statement, if any, to the designated record set.

§164.526(d)(5) Future disclosures. If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended, or at the election of the covered entity, a summary of any such information, with any subsequent disclosure of the PHI to which the disagreement relates. If the individual has not submitted a written statement of disagreement, the covered entity must include the individual’s request for amendment and its denial, or an accurate summary of such information, with subsequent disclosure of the PHI only if the individual has properly requested such action. When a subsequent disclosure is made using a standard transaction (as defined in 45 CFR Part 162) that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required, as applicable, to the recipient of the standard transaction.

§164.526(e) Actions on Notices of Amendments. A covered entity that is informed by another covered entity of an amendment to the individual’s PHI must amend the individual’s PHI in the designated record set.

§164.526(f): Documentation. A covered entity must document titles of the persons/offices responsible for receiving and processing requests for amendments by individuals and retain the documentation according to the requirements of HIPAA.

Disclosure

MHL §33.16(i): Nothing contained in this section shall restrict, expand, or in any way limit the disclosure of any information pursuant to articles 23, 31, and 45 of the Civil Practice Law and Rules or Section 677 of the County Law.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814: 3)

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

No Preemption; There is no comparable provision in HIPAA; disclosures permitted under laws cross-referenced in this section are individually permitted via the listed exceptions in HIPAA, or because the disclosures are being made by non-covered entities.


MHL SECTION 33.21 Consent for Mental Health Treatment of Minors

MHL §33.21: (b) In providing outpatient mental health services to a minor..... the important role of parents or guardians shall be recognized....and the consent of such persons shall be required for such treatment in non-emergency situations, except as provided in subdivisions (c), (d), and (e) of this section or section 2504 of the Public Health Law. (c) ...The mental health practitioner shall fully document the reasons for his/her determinations. Such documentation shall be included in the minor’s clinical record....As clinically appropriate, notice of a determination made pursuant to subparagraph (iii) of paragraph 3 of this subdivision shall be provided to the parent/guardian.

Not originally addressed in final rule; but Recently Adopted Amendments:

§164.502: (g)(1)(ii) Implementation specification: unemancipated minors...(A) A covered entity may disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, permits or requires such disclosure, and (B) a covered entity may not disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, prohibits such disclosure.

No Preemption: Recent adoption of the amendments to HIPAA defer to State law with regard to parental consent/access to records of minors, therefore, State law controls.

MHL SECTION 43.05: Investigations/Patient Resources

MHL §43.05 Disclosure of the fact of the patient’s hospitalization in connection with an investigation of the patient’s resources is permitted but requires release of patient.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

Note: Recent amendments eliminate this requirement.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

No Preemption. Recent amendments to HIPAA remove the need to obtain consent to use/disclose PHI for payment purposes. State law, however, requires patient consent to investigate resources for payment purposes, which is more stringent than HIPAA. Hence, State law prevails.


MHL ARTICLE 45: Commission on Quality of Care for the Mentally Disabled

MHL §45.09: Procedures of the commission. (a) The commission, any member or any employee designated by the commission, must be granted access at any and all times to any mental hygiene facility, or adult home or residence for adults in which 25% or more residents have at any time received or are receiving services from a mental hygiene provider which is licensed, funded, or operated by OMH or OMRDD in order to carry out the functions of the commission as provided for in section 45.10 of this article, ...and to all books, records, and data pertaining to any such facility deemed necessary for carrying out the commission’s functions, powers and duties....The Commission or any member may require from any hospital, as defined under Article 28 of the Public Health Law, any information, report, or record necessary for the purpose of carrying out the functions, powers and duties of the commission related to the investigation of deaths and complaints of abuse or mistreatment concerning patients or former patients of mental hygiene facilities who have been treated at such hospitals, and from any adult care facility....such information, report or record, including access to such facility necessary for the purpose of carrying out the functions, powers and duties of the commission related to the investigation of deaths, as provided for by section 45.17 of this chapter.... The results of investigations involving such residents of adult care facilities shall be provided promptly to the commissioner of the department of social services and shall be treated as a record or personal information within the meaning of section 96 of the Public Officers Law and shall not be disclosed except in accordance with such section 96. Information, books, records or data which are confidential as provided by law shall be kept

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d): PHI can be released to health oversight agencies for oversight activities authorized by law, including administrative investigations.

No Preemption: The CQC meets the definition of a “health oversight agency” under HIPAA. As such:

1. Disclosures by covered entities to CQC are permitted under the “health oversight exception” to HIPAA.

2. Assuming the CQC is not a covered entity (as it is neither a health plan, health care clearinghouse, or health care provider engaging in electronic transactions), disclosures made by it to other oversight agencies (such as DSS/DOH) are not within the jurisdiction of HIPAA. In this regard, State law, which continues to protect the confidentiality of information so disclosed, prevails.

3. With regard to complaints filed by patients to CQC, in many cases the patient will have authorized the CQC to have access to his/her PHI in order to investigate the complaint. Hence, such disclosures will have been specifically authorized by the patient.

4. In cases where CQC has exercised its subpoena authority, and/or a court order compelling disclosure has been obtained, covered entities are permitted under HIPAA to disclose PHI under the “required by law” exception.


confidential by the commission and by non-profit organizations receiving contracts pursuant to subdivision (k) of section 45.07 of this article and any limitations on the release thereof imposed by law upon the party furnishing the information, books, records or data shall apply to the commission and such non-profit organizations receiving contracts pursuant to subdivision (k) of this article.

(b) Pursuant to the authorization of the commission to administer the protection and advocacy system as provided for by federal law, any agency or person within or under contract with the commission, which provides protection and advocacy services, must be granted access at any and all times to any residential facility, or part thereof, serving a person with a mental disability operated, or licensed by any office or agency of the state, and to all books, records and data pertaining to any such facility upon receipt of a complaint by or on behalf of a person with a mental disability. Information, books, records or data which are confidential as provided by law shall be kept confidential by the person or agency within the protection and advocacy system and any limitations on the release thereof imposed by law upon the party furnishing the information, books, records or data shall apply to the person or agency within the protection and advocacy system.

(c) In the exercise of its functions, powers and duties, the commission and any member is authorized to issue and enforce a subpoena and a subpoena duces tecum, conduct hearings, administer oaths and examine persons under oath in accordance with and pursuant to civil practice law and rules.

(d) In any case where a person in charge or control of such facility or an officer or employee thereof shall fail to comply with the provisions of subdivision (a), the commission may apply to the supreme court for an order directed to such person requiring compliance therewith.


Upon such application the court may issue such order as may be just and a failure to comply with the order of the court shall be a contempt of court and punishable as such.

MHL §45.17: Functions, powers, and duties of the (Mental hygiene medical review) board: The mental hygiene medical review board shall have the following functions, powers and duties: (a) make a preliminary determination whether the death of a patient or resident in a mental hygiene facility which has been brought to its attention is unusual or whether such death reasonably appears to have resulted from other than natural causes and warrants investigation; (b) investigate the causes of and circumstances surrounding such unusual death or deaths from other than natural causes of patients or residents in mental hygiene facilities (c) visit and inspect any facility in which such a death has occurred; (d) cause the body of the deceased to undergo such examinations including autopsy as in the opinion of the board are necessary to determine the cause of death, irrespective of whether such examination or autopsy shall have been previously performed; and (e) upon review of the cause of and circumstances surrounding the death of any patient or resident, submit its report thereon to the commission and, where appropriate, make recommendations to prevent the recurrence of same to the commissioner of mental hygiene and to the director of the facility.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(d): PHI can be released to health oversight agencies for oversight activities authorized by law, including administrative investigations.

No preemption: Because the Medical Advisory Review Board is established within and is part of the CQC and, as such, serves in a health oversight agency capacity, covered entities are permitted to release PHI to such Board under the “health oversight agency” exception to HIPAA.

MHL ARTICLES 80, 81:

MHL Article 80: Surrogate Decision-Making for Medical Care and Treatment

MHL Article 81: Proceedings for Appointment of a Guardian for Personal Needs or Property Management

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government

No preemption: In cases where covered entities are asked to disclose PHI in the course and context of a surrogate decision-making or guardianship petition, it is probable that these disclosures will be permitted under the “judicial/administrative proceeding” or “required by law”


program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order.

exceptions to HIPAA.

OTHER:

Notice of Privacy Practices

No comparable provision in NYS Mental Hygiene Law

§164.520 Notice of privacy practices for PHI

1. An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and the individual’s rights and the covered entity’s legal duties with respect to PHI.

2. The notice must contain the following statement as a header or otherwise prominently displayed: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

3. The notice must be written in plain language and contain: (1) a description, including at least 1 example, of the types of uses/disclosures that the covered entity is permitted to make for treatment, payment & health care operations purposes; (2) a description of each of the other purposes for which the covered entity is permitted/required to use/disclose PHI w/out the person’s consent/authorization; (3) if a use/disclosure is prohibited or materially limited by other applicable law, the description of such use/disclosure must reflect the more stringent; (4) for each purpose described the description must include sufficient detail to place the person on notice of the uses/disclosures that are permitted/required by HIPAA and other applicable law; (5) a statement that other uses/disclosures will be made only with the person’s written authorization and that the individual may revoke such authorization.

4. If the covered entity intends to engage in any of the following, the description must include a separate statement, as applicable, that (1) the covered entity may contact the individual to provide appointment reminders; (2) the covered entity may contact the individual to raise funds; (3) a group health plan..may disclose PHI to the sponsor.

5. The notice must contain a statement of the individual’s rights with respect to PHI and a brief description of how the person can exercise those rights (i.e., right to request restrictions, right to receive confidential communications, right to inspect/copy PHI, right to amend PHI, right to receive accounting of disclosures,

The Federal rule applies as there is no comparable provision of law in the NYS Mental Hygiene Law.


and right to receive paper copy of the notice, if notice is received electronically).

6. The notice must contain covered entity requirements (i.e., statement that the covered entity is required by law to maintain the privacy of PHI and to provide the notice of its legal duties and privacy practices; a statement that the covered entity is required to abide by the terms of the notice; in order for the covered entity to apply a change in its privacy practices, a statement that it reserves the right to change the terms of its notice and to make the new notice provision effective for all PHI it maintains (must also describe how it will provide persons with a new notice)).

7. Complaints. The notice must contain a statement that individuals may complain to the covered entity and the Secretary of HHS if they believe their privacy rights have been violated; a brief description of how to file a complaint with the covered entity; and advise of nonretaliation for filing a complaint.

8. Contact. The notice must contain a contact name, or title, and telephone # of a person/office to contact for further information.

9. Effective date. The notice must contain the date on which the notice is first in effect, which cannot be earlier than the date on which it is printed/published.

10. Provisions for optional contents are also included.

11. A covered health care provider with a direct treatment relationship with the patient must provide the notice no later than the date of first service delivery, and, except in an emergency situation, make a good faith effort to obtain a written acknowledgment.

12. Whenever the notice is revised, the notice must be made available upon request on or after the effective date of the revision and promptly comply with the acknowledgment requirements.

13. Electronic notice is permitted.

Right to request Restrictions

No comparable provision in NYS Mental Hygiene Law

§164.522 (a)(1) Right to request restrictions. A covered entity must permit an individual to request that the covered entity restrict (1) uses/disclosures of PHI about the individual to carry out treatment, payment and health care operations and (2) disclosures of PHI for involvement in the individual’s care and notification purposes. A covered entity does not have to agree to these restrictions.

The Federal rule applies as there is no comparable provision of law in the NYS Mental Hygiene Law, provided, however, that although MHL does not list this out as an express right, the opportunity to restrict disclosures of PHI for care and notification purposes exists as a standard practice in the New York State public mental health system and is indirectly addressed in MHL §33.13.

Right to request Accountings

No comparable provision in NYS Mental Hygiene Law

§164.528 (a)(1) Right to request accountings. An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which an accounting is requested, except for disclosures: (1) to carry out treatment, payment, and health care operations; (2) to the individuals themselves; (3) that are made for national security or intelligence

The Federal rule applies as there is no comparable provision of law in the NYS Mental Hygiene Law.


purposes; (4) that are related to certain custodial situations; (5) to correctional institutions and law enforcement officials; and (6) which occurred prior to the compliance date for the covered entity.

§164.528 (c): The covered entity must act on the individual’s request for an accounting no later than 60 days after receipt of such request by providing the accounting or requesting an extension of no more than 30 days. The first accounting must be provided without charge, and thereafter a reasonable, cost-based fee for each subsequent accounting may be charged if the individual is informed in advance of the fee and an opportunity to modify the request to reduce or avoid the fee.

§164.528 (d): Documentation. A covered entity must retain documentation of the information required to be included in an accounting, the written accounting provided to the individual, and titles of persons or responsible officers who process/receive accountings.

Administrative Requirements:

No comparable provisions in NYS Mental Hygiene Law

§164.530 (a)(1): Personnel Designations: A covered entity must designate a privacy official who is responsible for the development and implementation of the policies/procedures of the entity.

§164.530 (a)(2) Documentation: A covered entity must document the required personnel designations.

§164.530 (a)(3) Training: A covered entity must train all members of its workforce on the policies/procedures with respect to PHI required by HIPAA, as necessary and appropriate to carry out their functions within the covered entity. The workforce must be trained prior to the compliance date; new members must be trained within a reasonable time after joining the workforce..... Such training must be documented.

§164.530 (c) Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI...

§164.530 (d)(1): Complaints. A covered entity must provide a process for individuals to make complaints concerning: (1) the covered entity’s policies and procedures required by HIPAA and (2) its compliance with such policies and procedures or the requirements of HIPAA.

§164.530 (d)(2) Documentation of complaints: A covered entity must document all complaints received, as well as their disposition.

§164.530 (e)(1),(2) Sanctions: A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with HIPAA... Those

The Federal rule applies as there is no comparable provision of law in the NYS Mental Hygiene Law.


sanctions must be documented.

§164.530 (f): Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effects known to the covered entity of a use/disclosure of PHI in violation of its policies/procedures or HIPAA by the covered entity or its business associate.

§164.530 (g) Retaliatory acts: A covered entity may not intimidate, threaten, coerce, discriminate against, or take retaliatory action against any individual for exercising his/her rights or for filing a complaint with HHS...

§164.530 (h): Waiver: A covered entity may not require individuals to waive their rights to file complaints or any other rights under HIPAA as a condition of provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

§164.530 (i)(1),(2),(3),(4) Policies and procedures: A covered entity must implement policies and procedures with respect to PHI designed to comply with the requirements of HIPAA.... Such policies/procedures must be changed as necessary to comply with changes in the law ..must document and implement the revised policies/procedures promptly....and must revise its Notice of Privacy Practices.

§164.530 (j)(1),(2) Retention of policies: A covered entity must maintain the required policies/procedures in written or electronic form, copies of communications HIPAA requires, and records of any action, activity, or designation HIPAA requires to be documented. Such documentation must be retained for 6 years from date of creation or date last in effect, whichever is later.

CRIMINAL PROCEDURE LAW

CPL §330.20 Procedure following verdict or plea of not responsible by reason of mental disease or defect

2. Examination order; psychiatric examiners. Upon entry of a verdict of not responsible by reason of mental disease or defect, or upon the acceptance of a plea of not responsible by reason of mental disease or defect, the court must immediately issue an examination order. Upon receipt of such order, the commissioner must designate 2 qualified psychiatric examiners to conduct the examination to

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.501: Correctional institution means any penal or correctional facility....for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other person held in lawful custody. Other persons held in lawful

No Preemption: HIPAA and State law are consistent; State law applies.

1. The disclosures of information by the commissioner to qualified psychiatrists, and by the qualified psychiatrists to the commissioner of OMH/OMRDD and court, and by the commissioner to the court, are permitted by HIPAA because they are required by law and are necessary in the course of a judicial proceeding.


examine the defendant. In conducting their examination, the psychiatric examiners may employ any method which is accepted by the medical profession for the examination of persons alleged to be suffering from a dangerous mental disorder or to be mentally ill or retarded. The court may authorize a psychiatrist or psychologist retained by the defendant to be present at such examination. The clerk of the court must promptly forward a copy of such examination order to the mental hygiene legal service and such service may thereafter participate in all subsequent proceedings under this section.

5. Examination order; reports. After he has completed his examination of the defendant, each psychiatric examiner must promptly prepare a report of his findings and evaluation concerning the defendant’s mental condition and submit such report to the commissioner. If the psychiatric examiners differ in their opinion as to whether the defendant is mentally ill/is suffering from a dangerous mental disorder, the commissioner must designate another psychiatric examiner to examine the defendant. Upon receipt of the examination reports, the commissioner must submit them to the court that issued the examination order. If the court is not satisfied with the findings of these psychiatric examiners, the court may designate one or more additional psychiatric examiners pursuant to subdivision fifteen of this section. The court must furnish a copy of the reports to the district attorney, counsel for the defendant, and the mental hygiene legal service.

6. Initial hearing, commitment order. ...If the court finds that the defendant has a dangerous mental disorder, it must issue a commitment order.

8. First retention order. When a defendant is in the custody of the commissioner pursuant to a commitment order....... continued, next row)

custody includes...persons committed to mental institutions through the criminal justice system.

§160.501: Law enforcement official means an officer or employee of any agency or authority, of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814)

§164.512(j): A covered entity may use/disclose PHI (consistent with law & professional conduct) if it believes in good faith that the disclosure is necessary to prevent or lessen a serious & imminent threat to the health or safety of a person (per preamble, consistent with Tarasoff) or the public and is being made to a person or persons reasonably able to prevent or lessen the threat or is necessary for law enforcement authorities to identify/apprehend an individual. If disclosure is to be made to one other than the target, the information cannot have been obtained in the course of treatment to affect the propensity to commit the criminal conduct or through a request by the person to initiate or be referred to treatment. disclosures are about an inmate and are necessary for the health and safety of the inmate and others, and because they are being made to law enforcement officials to avert a threat to public health and safety.

§164.512(k)(5) Correctional institutions and other law enforcement custodial situations. (i) A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual PHI about such inmate or individual, if the correctional institution or such law enforcement official represents that such PHI is necessary for: (A) the provision of health care to such individuals; (B) the health and safety of such individual/other inmates; (C) the health/safety of the officers or employees of or others at the correctional institution; (D) the health/safety of such individuals/officers/other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; (E) law enforcement on the premises of the

2. All disclosures in this section of law made by the court to MHLS are not impacted by HIPAA, since the court is not a covered entity under HIPAA.

3. Disclosures by a covered entity (OMH/OMRDD) to the district attorney and to the counsel for the defendant in the context of (as applicable) applications for first retention orders, second & subsequent retention orders, discharge orders, and recommitment orders, are all permitted by HIPAA as they are required by law and/or are necessary disclosures in the course of a judicial proceeding.

4. Disclosures made by a covered entity (OMH/OMRDD) prior to the discharge or release of a person committed to the custody of the commissioner pursuant to a criminal court order are permitted under HIPAA because they are required by law.

5. Disclosures made by a coveredentity (OMH/OMRDD) pursuant to theescape of a person committed to thecustody of the commissioner pursuantto a criminal court order are permittedunder HIPAA because they arerequired by law, because thedisclosures are about an inmate andare necessary for the health and safetyof the inmate and others, and becausethey are being made to avert a threat topublic health and safety.


The commissioner must give written notice of the application to the district attorney, the defendant, counsel for the defendant, and the mental hygiene legal service...
9. Second and subsequent retention orders. When a defendant is in the custody of the commissioner pursuant to a first retention order....... The commissioner must give written notice of the application to the district attorney, the defendant, counsel for the defendant, and the mental hygiene legal service...
10. Furlough order. The commissioner may apply for a furlough order....The commissioner must give ... written notice of the application to the district attorney, the defendant, counsel for the defendant, and the mental hygiene legal service...
11. Transfer order. The commissioner may apply for a transfer order....The commissioner must give ... written notice of the application to the district attorney, the defendant, counsel for the defendant, and the mental hygiene legal service...
12. Release order and order of conditions. The commissioner may apply for a release order....The commissioner must give ... written notice of the application to the district attorney, the defendant, counsel for the defendant, and the mental hygiene legal service...
13. Discharge order. The commissioner may apply for a discharge order....The commissioner must give ... written notice of the application to the district attorney, the defendant, counsel for the defendant, and the mental hygiene legal service...
14. Recommitment order. At any time.. an application may be made by the commissioner or the district attorney for a recommitment order....The applicant must give written notice of the application to the defendant, counsel for the defendant, and the mental hygiene legal service and if the applicant is the commissioner he must give such notice to the district attorney and if the applicant is the district attorney he

correctional institution; and (F) the administration and maintenance of the safety, security & good order of the correctional institution.


must give such notice to the commissioner....
15. Designation of psychiatric examiners. ..If at any hearing.....the court may direct the commissioner to designate one or more psychiatric examiners to conduct an examination of the defendant and submit a report of their findings. In addition, the court may...designate one or more psychiatric examiners to examine the defendant and submit a report of their findings.
18. Notwithstanding any other provision of law, no person confined by reason of commitment order, recommitment order or retention order to a secure facility may be discharged/released unless the commissioner shall deliver written notice...in advance of such discharge/release to all of the following: (a) the district attorney; (b) the police department having jurisdiction of the area to which the defendant is to be discharged or released; (c) any other person the court may designate.
19. Escape from custody, notice requirements. If a defendant is in the custody of the commissioner pursuant to an order issued under this section, and the defendant escapes from custody, immediate notice of such escape shall be given to: (a) the district attorney; (b) the superintendent of state police; (c) the sheriff of the county where the escape occurred; (d) the police department having jurisdiction of the area where the escape occurred; (e) any person the facility staff believes to be in danger; and (f) any law enforcement agency and any person the facility staff believes would be able to apprise such endangered person that the defendant has escaped from the facility...

(Also see OMH Official Policy Manual QA-520)

CPL §730.20 Fitness to proceed; generally.
1. The appropriate director (of a state

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law;

No Preemption: HIPAA and State law are consistent; State law applies.


OMH/OMRDD hospital) to whom a criminal court issues an order of examination must be determined....Upon receipt of the examination order, the director may designate 2 qualified psychiatric examiners, of whom he may be one, to examine the defendant to determine if he is an incapacitated person. In conducting their examination, the psychiatric examiners may employ any method which is accepted by the medical profession for the examination of persons alleged to be mentally ill or mentally defective. The court may authorize a psychiatrist or psychologist retained by the defendant to be present at such examination.
5. Each psychiatric examiner, after he has completed his examination of the defendant, must promptly prepare an examination report and submit it to the director...Upon receipt of the examination reports, the director must submit them to the court that issued the order of examination. The court must furnish a copy of the reports to counsel for the defendant and to the district attorney.

includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814:

1. The disclosures of information by the director to qualified psychiatrists, and then by qualified psychiatrists back to the director and court, are permitted by HIPAA because they are required by law and are necessary in the course of a judicial proceeding.

2. Disclosures to the court by the director are permitted by HIPAA as they are required by law and/or are necessary disclosures in the course of a judicial proceeding.

CPL §730.40 Fitness to proceed; local criminal court accusatory instrument.
4......If the director has submitted the examination reports to the local criminal court, such court must forward them to the superior court in which the indictment was filed. If the director has not submitted such reports to the local criminal court, he must submit them to the superior court in which the indictment was filed.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful

No Preemption: HIPAA and State law are consistent; State law applies.

1. Disclosures of information by the local criminal court to the superior court are not impacted by HIPAA as neither are covered entities.

2. Disclosures to the court by the director are permitted by HIPAA as they are required by law and/or are necessary disclosures in the course of a judicial proceeding.


process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814)

CPL §730.50 Fitness to proceed; indictment.
2. When a defendant is in the custody of the commissioner (of OMH/OMRDD) immediately prior to the expiration of the period prescribed in a temporary order of commitment and the superintendent of the institution wherein the defendant is confined is of the opinion that the defendant continues to be an incapacitated person, such superintendent must apply to the court that issued the order for an order of retention....The superintendent must give written notice of the application to the defendant and to the mental hygiene legal service. ...
4. When a defendant is in the custody of the commissioner at the expiration of the authorized period prescribed in the last order of retention....and the commissioner must promptly certify to such court and to the appropriate district attorney that the defendant was in his custody on such expiration date...
5. When...any defendant remains in the custody of the commissioner pursuant to an order.....the superintendent or director of the institution where the defendant is confined shall, if he believes that the defendant continues to be an incapacitated person, apply forthwith to a court....for an order of retention.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814)

No Preemption: Disclosures to the court by the commissioner are permitted by HIPAA as they are required by law and/or are necessary disclosures in the course of a judicial proceeding. HIPAA and State law are consistent; State law applies

CPL §730.60 Fitness to proceed; procedure following custody by commissioner.
1. When a local criminal court issues a final or temporary order of observation or order of commitment.....Upon receipt thereof, the commissioner must designate an appropriate institution operated by the department of mental hygiene in which the defendant is to be

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government

No Preemption: HIPAA and State law are consistent; State law applies.

1. The disclosures of information by the superintendent to the court are permitted by HIPAA because they are required by law and are necessary in the course of a judicial proceeding.


placed.
2. Except as otherwise provided....such order is suspended until the superintendent of the institution in which the defendant is confined determines that he is no longer an incapacitated person. In that event, the court that issued such order and the appropriate district attorney must be notified, in writing, by the superintendent of his determination....
6. (a) Notwithstanding any other provision of law, no person committed to the custody of the commissioner pursuant to this article, or continuously retained thereafter in such custody, may be discharged/released on condition or placed in any less secure facility or on any less restrictive status, including but not limited to vacations, furloughs, or temporary passes, until the commissioner shall deliver written notice...in advance of the change to all of the following: (a) the district attorney of the county from which such person was committed; (b) the superintendent of state police, (c) the sheriff of the county where the facility is located; (d) the police department having jurisdiction of the area where the facility is located; (e) any person who may reasonably be expected to be the victim of any assault or any violent felony offense...; and (f) any other person the court may designate....
(b) The notice ...shall also be given immediately upon the departure of such committed person from the commissioner’s actual custody, without proper authorization...

program providing public benefits.
§164.501: Correctional institution means any penal or correctional facility....for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other person held in lawful custody. Other persons held in lawful custody includes...persons committed to mental institutions through the criminal justice system.
§160.501: Law enforcement official means an officer or employee of any agency or authority, of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.
§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or (2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814:
§164.512(j): A covered entity may use/disclose PHI (consistent with law & professional conduct) if it believes in good faith that the disclosure is necessary to prevent or lessen a serious & imminent threat to the health or safety of a person (per preamble, consistent with Tarasoff) or the public and is being made to a person or persons reasonably able to prevent or lessen the threat or is necessary for law enforcement authorities to identify/apprehend an individual. If disclosure is to be made to one other than the target, the information cannot have been obtained in the course of treatment to affect the propensity to commit the criminal conduct or through a request by the person to initiate or be referred to treatment.
§164.512(k)(5) Correctional institutions and other law enforcement custodial situations. (i) A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual PHI about such inmate or individual, if the correctional institution or such law enforcement official represents that such PHI is necessary for: (A) the provision of health care to such individuals; (B) the health and safety of such individual/other inmates; (C) the health/safety of the officers or employees of or others at the correctional institution; (D) the health/safety of such individuals/officers/other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; (E) law enforcement on the premises of the correctional institution; and (F) the administration and maintenance of the safety, security & good order of the correctional institution.

2. Disclosures by a covered entity (OMH/OMRDD) to the district attorney are permitted by HIPAA as they are required by law and/or are necessary disclosures in the course of a judicial proceeding.

3. Disclosures made by a covered entity (OMH/OMRDD) prior to the discharge or release of a person committed to the custody of the commissioner pursuant to a criminal court order are permitted under HIPAA because they are required by law, because the disclosures are about an inmate and are necessary for the health and safety of the inmate and others, and because they are being made to law enforcement officials to avert a threat to public health and safety.


CIVIL PRACTICE LAW AND RULES SECTION 2302: Subpoenas

CPLR 2302 (a): Subpoenas may be issued without a court order by the clerk of the court, a judge where there is no clerk, the attorney general, an attorney of record for a party to an action, an administrative proceeding or an arbitrator.....provided, however, that a subpoena to compel production of a patient’s clinical record maintained pursuant to the provisions of section 33.13 of the MHL shall be accompanied by a court order...

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

No preemption: State law applies, since it is more stringent by preventing disclosure without an accompanying court order, which can only be made after specific findings have been made.

PENAL LAW SECTION 400: Firearms

Penal Law §400(4) Investigation. Before a license (to possess or deal in firearms) is issued or renewed, there shall be an investigation of all statements required in the application by the duly constituted police authorities of the locality where such application is made. For that purpose, the records of the appropriate office of the department of mental hygiene concerning previous or present mental illness of the applicant shall be available for inspection by the investigating officer of the police authority....Upon completion of the investigation, the police authority shall report the results to the licensing officer without unnecessary delay.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(f) Disclosures for law enforcement purposes. A covered entity may

No Preemption: Because of the nexus between the need for the disclosure by law enforcement and public safety, State law and the HIPAA Privacy regulation are consistent and State law applies. Additionally, though not legally necessary, it is possible that through the application process the individual is authorizing this disclosure.


disclose PHI: (i) as required by law including laws that require the reporting of certain types of wounds...(ii) In compliance with and as limited by the relevant requirements of..(C) an administrative request..., provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.

Preamble: “The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety.” (P. 82678:3)

LABOR LAW SECTIONS 458, 459: Explosives

Labor Law §458(5): Before a license or certificate (to deal in explosives) is issued, the Commissioner of Labor shall have the authority to request and receive from any department, division, board, bureau, commission or agency of the state or local government thereof such assistance and information as will enable him properly and effectively to carry out his powers and duties under this article.

Labor Law §459 (1): A license or certificate (to deal in explosives) may be denied where the Commissioner of Labor has probably reason to believe...after due investigation...that the applicant...has been confined as a patient or inmate in a public or private institution for the treatment of mental diseases...

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(f) Disclosures for law enforcement purposes. A covered entity may disclose PHI: (i) as required by law including laws that require the reporting of certain types of wounds...(ii) In compliance with and as limited by the relevant requirements of..(C) an administrative request..., provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.

Preamble: “The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in

No Preemption: Because of the nexus between the need for the disclosure by law enforcement and public safety, State law and the HIPAA Privacy regulation are consistent and State law applies. Additionally, though not legally necessary, it is possible that through the application process the individual is authorizing this disclosure


some situations precisely because of the importance of these activities to publicsafety.” (P. 82678:3)

Federal Law HIPAA Regulation Compatability AnalysisFEDERAL PROTECTION AND ADVOCACYFOR THE MENTALLY ILL:

42 USCA §10806: An eligible system whichhas access to records which, under federal orState law, are required to be maintained in aconfidential manner by a provider of healthservices shall, except as provided insubsection (b) of this section, maintain theconfidentiality such records to the same extentas is required of the provider of services. A system established in a State under section10803 of this title to protect and advocate therights of individuals with mental illnessshall....(4) in accordance with section 10806 ofthis title, have access to all records of...(A) anyindividual who is a client of the system if suchindividual, or the legal guardian, conservator,or other legal representative of such individual,has authorized the system to have suchaccess; (B) any individual(including anindividual whose whereabouts are unknown) (i)who, by reason of the mental or physicalcondition of such individual is unable toauthorize the system to have such access; (ii)who does not have a legal guardian,conservator, or other legal representative, orfor whom the legal guardian is the State; and(iii) with respect to whom a complaint has beenreceived by the system or with respect towhom as a result of monitoring or otheractivities...there is probable cause to believethat such individual has been subject to abuseor neglect; and (C) any individual with a mentalillness, who has a legal guardian, conservator,or other legal representative, with respect towhom a complaint has been received bv the

§164.502(a)(1): A covered entity is permitted to use/disclose PHI to the patient (including a patient’s personal representative, i.e., someone authorized to act on patient’s behalf to make health care decisions).

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

§164.512(c)(1): Disclosures about victims of abuse, neglect, or domestic violence. Except for reports of child abuse or neglect....a covered entity may disclose PHI about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: (i) to the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; (ii) if the individual agrees to the disclosure; or (iii) to the extent the disclosure is expressly authorized by statute or regulation and: (A) the covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims or (B) if the individual is unable to agree because of incapacity, a law enforcement official or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. (continued, next row)

§164.512(c)(2) Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been/will be made, except if: (i) the covered entity, in the exercise of professional judgment, believes informing the individual would place him/her at serious risk of harm; or (ii) the covered entity would be informing a personal representative and the covered entity reasonably believes he/she is the perpetrator and informing him/her would not be in the patient’s best interests, using professional judgment

The two sets of federal regulations appear similar, in that disclosures to PAMI systems are not permitted unless the patient has authorized the disclosure, or in instances involving abuse that are accommodated in HIPAA; however, HIPAA should be followed to ensure requisite attempts to notify the individual are made.


system or with respect to whom there is probable cause to believe the health or safety of the individual is in serious and immediate jeopardy, whenever (i) such representative has been contacted by such system upon receipt of the name and address of the representative; (ii) such system has offered assistance to such representative to resolve the situation; and (iii) such representative has failed or refused to act on behalf of the individual.

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

42 CFR PART 2: Confidentiality of Alcohol and Drug Abuse Patient Records

§2.4 Criminal penalty for violation. Under 42 USC 290ee-3(f) and 42 USC 290-dd3(f), any person who violates any provision of those statutes or these regulations shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense.

§160.312(a)(2): If a covered entity fails to adhere to the privacy regulations, it is subject to civil/criminal penalties initiated by HHS. Non-compliant entities are subject to civil monetary penalties ranging from $100 to $25,000, depending on the extent of non-compliance. Misdemeanor or felony criminal penalties apply if a covered entity wrongfully/knowingly discloses PHI in violation of HIPAA. Criminal violations are punishable by fines up to $250,000 or imprisonment (a maximum of 10 years) or both.

HIPAA penalties are more severe than those under 42 CFR Part 2; it is unclear which penalties would apply to a program covered by both in the event of an unauthorized use/disclosure of PHI, but may be fact dependent.

§2.11 Definitions

Diagnosis: means any reference to an individual’s alcohol/drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral to treatment.

Patient identifying information: means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a program, if that number does not consist of, or contain numbers (such as a social security, or driver’s license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the program.

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

§160.103: Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

§160.103: Protected health information: is individually identifiable health

1. HIPAA broadly applies to “covered entities;” 42 CFR Part 2 applies to “federally assisted alcohol/drug program.” Hence, unless a covered entity is also a federally assisted alcohol/drug program, it is not bound by 42 CFR Part 2. A federally assisted alcohol/drug program that is also a covered entity is bound both by HIPAA and 42 CFR Part 2.

2. The HIPAA definition of “protected health information” covers a wider scope of information than does 42 CFR Part 2. Hence, the HIPAA definition of PHI preempts the definition of “patient identifying information” in 42 CFR Part 2.


Record means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.

Federally assisted: means an alcohol/drug program that (1) receives federal funds in any form, even if the funds do not directly pay for the alcohol/drug services; or (2) is assisted by the IRS through grant of tax exempt status or allowance of tax deductions for contributions; or (3) is authorized to conduct business by the federal government; or (4) is conducted directly by the federal government.

information that is transmitted or maintained in any medium.

§164.514(b): Requirements for de-identification of PHI: (2)(i): [Information is considered de-identifying if] ...the following identifiers are removed: (A) Names; (B) all geographic subdivisions smaller than a State...; (C) all elements of dates, except year for dates directly related to an individual..; (D) telephone #s; (E) fax #s; (F) e-mail addresses; (G) SS#s; (H) medical record #s; (I) health plan beneficiary #s; (J) account #s; (K) certificate/license #s; (L) vehicle identifiers and serial #s...; (M) device identifiers and serial #s; (N) URLs; (O) IP address #s; (P) biometric identifiers; (Q) full face photographic images and any comparable images; and (R) any other unique identifying #, characteristic or code; and (ii) the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information.

§2.11 Definitions

Patient means any individual who has applied for or been given diagnosis or treatment for alcohol/drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol/drug abuser in order to determine that person’s eligibility to participate in a program.

§164.501: Individual means the person who is the subject of protected health information.

§164.502(g): A “personal representative” can fulfill the role of the individual about whom PHI pertains if the representative has authority to act on behalf of the individual in making decisions about health care.

1. The definitions of “patient” and “individual” are similar; although in some respects the 42 CFR Part 2 definition is more broad; therefore, a provider covered by both should follow the 42 CFR Part 2 definition.

2. Both regulations permit “personal representatives” to stand in the patient’s shoes with regard to consenting for the use/disclosure of health information. However, the HIPAA definition is more narrow in that it defines a “personal representative” as a person who has authority to act on behalf of the individual in making decisions about health care. 42 CFR Part 2 would permit a person with power of attorney over fiscal affairs (i.e., he/she is authorized under law to act in the patient’s behalf, albeit in limited regard) to provide such consent. Therefore, the HIPAA definition of


“personal representative” is more stringent than 42 CFR Part 2 and controls.

§2.11 Definitions

Qualified Service organization: means a person which: (a) provides services to a program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy; and (b) Has entered into a written agreement with a program under which that person: (1) acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by 42 CFR Part 2; and (2) if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as provided by 42 CFR Part 2.

§2.12(c)(4): The restrictions on disclosure in these regulations do not apply to communications between a program and a QSOA of information needed by the organization to provide services to the program.

§160.103 Business Associate means a person or entity other than a member of the covered entity’s workforce that performs or assists in performing a function or activity on behalf of the covered entity that involves the use or disclosure of PHI.

§164.504: Uses & disclosures; organizational requirements (e)(1): Business associate contracts: Business associate contracts must: (1) establish the BA’s permitted and required uses and disclosures of PHI; (2) prohibit the BA from using/further disclosing PHI, except as permitted by HIPAA; (3) BA must use appropriate safeguards to prevent unauthorized use/disclosure of the information; (4) BA must report to the covered entity if it becomes aware of any use/disclosure of PHI in violation of the contract; (5) BA must ensure that its agents/subcontractors agree to the same restrictions on use/disclosure of PHI; (6) BA must make PHI available for amendment and incorporate any amendments to PHI; (7) BA’s internal practices, books, and records relating to use/disclosure of PHI must be made available to the HHS for purposes of determining compliance; (8) at termination of the contract: (a) if feasible, return or destroy all PHI the BA maintains in any form and retain no such copies of such information; (b) or, if return/destruction is not feasible, continue the protections of the contract to the PHI and limit further uses/disclosures to the purposes that make return or destruction of the PHI infeasible; (9) the contract must allow the covered entity to terminate the contract if the covered entity determines that the BA has violated a material term.

Preamble: A covered entity may disclose PHI to a business associate, consistent with the other requirements of the final rule, as necessary to permit the business associate to perform functions and activities for or on behalf of the covered entity.....a business associate may only use the PHI it receives in its capacity as a business associate to a covered entity as permitted by its contract or agreement with the covered entity. (p. 82504:2)

1. A “qualified services organization” is a subset of a “business associate;” the HIPAA term “business associate” is more broad than is QSOA. Therefore, programs covered by both HIPAA and 42 CFR Part 2 should follow the definition of “business associate” in making determinations as to entities with which it needs to have formalized agreements.

2. Business Associate agreements under HIPAA have 9 required elements, while QSOAs under 42 CFR Part 2 have only 2. Therefore, programs covered by both will need to ensure all 11 elements are addressed in their formalized agreements.

3. If an entity covered by both HIPAA and 42 CFR has a QSOA relationship, but PHI is not necessarily needed in order to perform that service (which is not a requirement for something to be considered a QSOA) it would not constitute a “business associate” relationship for purposes of HIPAA. Hence, disclosures would not be permitted without patient authorization. In this regard, HIPAA is more stringent than 42 CFR Part 2 and prevails.

§2.12(c)(1) Applicability: Veterans Administration: These regulations do not apply to information on alcohol and drug abuse patients maintained in connection with the Veterans Administration provisions of hospital care, nursing home care, domiciliary care, and medical services under title 38, United States Code. Those records are governed by 38

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Further analysis is required to determine whether or not the provisions of 38 U.S.C. 4132 and corresponding regulations are equally, or more, stringent than HIPAA. If they are, this provision of 42 CFR Part 2 cannot be followed. If they are not, however, this provision of 42 CFR Part 2 will, in fact,


U.S.C. 4132 and regulations issued under that authority by the Administrator of Veterans Affairs.

prevail.

§2.12(c)(2) Applicability: Exceptions Armed Forces: These regulations apply to any information which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except: (i) any interchange of that information within the Armed Forces; and (ii) any interchange of that information between the Armed Forces and those components of the Veterans Administration furnishing health care to veterans.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

HIPAA applies to all health information; to the extent 42 CFR Part 2 “carves out” a subset of health information, depending on where/how it was obtained, to which the regulations do not apply, it provides less protection/access to health records than does HIPAA, and programs covered by both sets of regulations should comply with HIPAA in this regard.

§2.12(c)(3) Applicability: Exceptions Communication within a program or between a program and an entity having direct administrative control over that program. The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol/drug abuse if the communications are (1) within a program; or (2) between a program and an entity that has direct administrative control over the program.

§164.502(b)(2) Minimum necessary does not apply to: (i) disclosures to or requests by a health care provider for treatment....

§164.504(a) Definitions: Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.

Common ownership exists if an entity ...possesses an ownership or equity interest of 5% or more in another entity.

(d)(1) Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this subpart. (2)(i) legally separate covered entities may designate themselves ...as a single affiliated covered entity ...if all of the covered entities designated are under common ownership or control.

Programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 in regard to intra-program communications; while both rules are similar, 42 CFR Part 2 more strictly defines the concept of an affiliated entity.

§2.12(c)(5) Applicability: Crimes on program premises: The restrictions on disclosure and use ...do not apply to communications from program personnel to law enforcement officers which (i) are directly related to a patient’s commission of a crime on the premises of the program or against program personnel or to a threat to commit such a crime; and (ii) are limited to the circumstances of the incident, including the patient status of the individual committing/threatening to commit the crime,

§164.512(f)(5): Crime on program premises. A covered entity may disclose to a law enforcement official PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

Programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 in regard to reporting crimes on program premises. While the rules are similar, 42 CFR Part 2 contains limitations on the amount of information that can be so disclosed.


that individual’s name and address, and that individual’s last known whereabouts.

§2.12(c)(6) Applicability: Exceptions: Reports of suspected child abuse or neglect. The restrictions on disclosure and use in these regulations do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, the restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse or neglect.

§164.512(b): A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to: (ii) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

Programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 in regard to child abuse reporting; while both rules are similar, 42 CFR Part 2 reinforces the confidentiality of such records for any purpose beyond the making of the report.

§2.12(d) Applicability: Applicability to recipients of information (1) Restriction on use of information. The restriction on the use of any information subject to these regulations to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient applies to any person who obtains that information from a federally assisted alcohol or drug abuse program, regardless of the status of the person obtaining the information or of whether the information was obtained in accordance with these regulations. This restriction on use bars, ...the introduction of that information as evidence in a criminal proceeding and any other use of that information to investigate or prosecute a patient with respect to a suspected crime. Information obtained by undercover agents or informants..or through patient access..is subject to the restriction on use.

No comparable provision.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2.

§2.12(d) Applicability: Applicability to recipients of information (2) Restriction on disclosures - Third party payers, administrative entities, and others. The restrictions on disclosure in these regulations apply to: (1) 3rd party payers with regard to

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2; it is broader in reach than is HIPAA and would cover all health care providers, regardless of whether or not they engage in


records disclosed to them by federally assisted alcohol or drug abuse programs; (2) Entities having direct administrative control over programs with regard to information communicated to them by the program under §2.12(c)(3), (3) persons who receive patient records directly from a federally assisted alcohol or drug abuse program and who are notified of the restrictions on redisclosure of the records in accordance with §2.32 of these regulations.

electronic transactions.

§2.12(e) Explanation of applicability (1) Coverage: These regulations cover any information (including information on referral and intake) about alcohol and drug abuse patients obtained by a program, (a defined term) if the program is federally assisted in any manner (a defined term). Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and do provide, alcohol/drug abuse diagnosis, treatment, or referral for treatment. However, these regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of alcohol/drug abuse diagnosis, treatment or referral and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services.

§160.103: Health Information means any information, whether oral or recorded in any medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

HIPAA covers a much wider range of providers and information than does 42 C.F.R. Part 2. Programs covered by both 42 CFR Part 2 and HIPAA should continue to follow this provision of 42 CFR Part 2 for guidance as to what information is under the jurisdiction of such regulation.

§2.12(e) Explanation of applicability (2) Federal assistance to program required: If a patient’s alcohol/drug abuse diagnosis, treatment, or referral for treatment is not provided by a program which is federally conducted, regulated, or supported in a manner which constitutes federal

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

HIPAA covers a much wider range of providers and entities than does 42 C.F.R. Part 2. Programs covered by both 42 CFR Part 2 and HIPAA should continue to follow this provision of 42 CFR Part 2 for guidance as to what providers/entities under the jurisdiction


assistance.....that patient’s record is not covered by this regulation....

of such regulation.

§2.12(e) Explanation of applicability (3) Information to which restrictions are applicable. Whether a restriction is on use/disclosure affects the type of information which may be available (sic). The restrictions on disclosure apply to any information which would identify a patient as an alcohol/drug abuser. The restriction on use of information to bring criminal charges against a patient for a crime applies to any information obtained by the program for the purpose of diagnosis, treatment or referral for treatment of alcohol/drug abuse.

§160.103: Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

§160.103: Protected health information: is individually identifiable health information that is transmitted or maintained in any medium.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2

§2.12(e) Explanation of applicability (4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis identifying a patient as an alcohol/drug abuser which is prepared in connection with the treatment/referral for treatment of alcohol/drug abuse. A diagnosis prepared for the purpose of treatment or referral for treatment but which is not so used is covered by these regulations. The following are not covered by these regulations: (i) diagnosis which is made solely for the purpose of providing evidence for use by law enforcement authorities; or (ii) a diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved is not an alcohol/drug abuser (e.g. involuntary ingestion of alcohol/drugs or reaction to a prescribed dosage of one or more drugs).

§160.103: Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

§160.103: Protected health information: is individually identifiable health information that is transmitted or maintained in any medium.

42 C.F.R. Part 2 “excepts out” a portion of information that is not given privacy protection under this regulation; HIPAA covers all individually identifiable health information used/disclosed by a covered entity or Business Associate. Programs covered by both must either extend HIPAA coverage to the information excepted out of 42 CFR Part 2 in this provision, or extend the reach of 42 CFR Part 2 to this excepted information.


§2.13 Confidentiality restrictions. (a) General. The patient records to which these regulations apply may be disclosed/used only as permitted ...and may not otherwise be disclosed/used in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority. Any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure.

§164.502(b) Minimum Necessary: (1) When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request. (2) This does not apply to: (i) Disclosures to/requests by a health care provider for treatment; (ii) Uses or disclosures made to the individual, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization; (iii) Disclosures made to the Secretary of HHS; (iv) Uses or disclosures that are required by law, and (v) Uses or disclosures that are required for compliance with applicable requirements of this Subchapter. (p. 82805, 82806)

Programs covered by both 42 CFR Part 2 and HIPAA should continue to follow this provision of 42 CFR Part 2, since it is more stringent than HIPAA.

§2.13 Confidentiality restrictions. (b) Unconditional compliance required. The restrictions on disclosure and use in these regulations apply whether the holder of the information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement or other official, has obtained a subpoena, or asserts any other justification for a disclosure or use which is not permitted by these regulations.

No comparable provision.

Programs covered by both 42 CFR Part 2 and HIPAA should follow this provision of 42 CFR Part 2.

§2.13 Confidentiality restrictions. (c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an identified patient in a facility/component of a facility which is publicly identified as a place where only alcohol/drug abuse diagnosis, treatment or referral is provided may be acknowledged only if the patient’s written consent is obtained in accordance with subpart C of these regulations or if an authorizing court order is entered in accordance with subpart E of these regulations. The regulations permit acknowledgment of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol/drug abuse diagnosis, treatment or referral facility, and if the acknowledgment does not reveal that the patient is an alcohol/drug abuser. (2) Any answer to a request for a disclosure of patient records which is not permissible under these

§164.510(a) Use/Disclosure for Facility Directories: (1) Except when an objection is expressed....a covered health care provider may: (i) Use the following PHI to maintain a directory of individuals in its facility: Individual’s name; location in the facility; condition described in general terms that does not communicate specific medical information; religious affiliation; and (ii) Disclose for directory purposes such information: to members of the clergy; or except for religious affiliation, to other persons who ask for the individual by name.

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

Generally, providers covered by both 42 CFR Part 2 and HIPAA should follow the former with regard to these provisions. However, HIPAA supersedes the provision in 42 CFR Part 2 which permits acknowledgment of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol/drug abuse program and if the acknowledgment does not reveal that the patient is an alcohol/drug abuser. Under HIPAA, this is not permitted unless the individual has been given an opportunity to agree or object to these disclosures.

regulations must be made in a way that will not affirmatively reveal that an identified individual has been, or is being diagnosed or treated for alcohol/drug abuse. An inquiring party may be given a copy of these regulations and advised that they restrict the disclosure of alcohol/drug abuse patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient. The regulations do not restrict a disclosure that an identified individual is not and has never been a patient.

§2.14 Minor patients. (a) Definition of minor. As used in these regulations the term "minor" means a person who has not attained the age of majority specified in the applicable State law, or if no age of majority is specified in the applicable State law, the age of eighteen years. (b) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable State law to apply for and obtain alcohol or drug abuse treatment, any written consent for disclosure authorized under Subpart C of these regulations may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a State or local law requiring the program to furnish the service irrespective of ability to pay. (c) State law requiring parental consent to treatment. (1) Where State law requires consent of a parent, guardian, or other person for a minor to obtain alcohol or drug abuse treatment, any written consent for disclosure authorized under Subpart C of these

Not originally addressed in final rule, but see recent amendments: (8/02)

§164.502(g)(1)(ii) Implementation specification: unemancipated minors... (A) A covered entity may disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, permits or requires such disclosure, and (B) a covered entity may not disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, prohibits such disclosure.

Regulations are consistent: Inasmuch as the recently adopted amendments to HIPAA defer to State law with regard to parental consent/access to records of minors, and 42 CFR Part 2 essentially does the same, with additional more stringent provisions, 42 CFR and State law (MHL §22.11) control.

regulations must be given by both the minor and his or her parent, guardian, or other person authorized under State law to act in the minor's behalf. (2) Where State law requires parental consent to treatment the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other person authorized under State law to act in the minor's behalf only if: (i) The minor has given written consent to the disclosure in accordance with Subpart C of these regulations or (ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by the program director under paragraph (d) of this section. (d) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a threat to the life or physical well being of the applicant or any other individual may be disclosed to the parent, guardian, or other person authorized under State law to act in the minor's behalf if the program director judges that: (1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under Subpart C of these regulations to his or her parent, guardian, or other person authorized under State law to act in the minor's behalf, and (2) The applicant's situation poses a substantial threat to the life or physical well being of the applicant or any other individual which may be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under State law to act in the minor's behalf.

§ 2.15 Incompetent and deceased patients. (a) Incompetent patients other than minors (1) Adjudication of incompetence. In the case of a

§164.502(g)(1): A “personal representative” can fulfill the role of the individual about whom PHI pertains; (2) If, under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making

1. HIPAA acknowledges consent by “personal representatives,” defined as

patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to manage his or her own affairs, any consent which is required under these regulations may be given by the guardian or other person authorized under State law to act in the patient's behalf. (2) No adjudication of incompetency. For any period for which the program director determines that a patient, other than a minor or one who has been adjudicated incompetent, suffers from a medical condition that prevents knowing or effective action on his or her own behalf, the program director may exercise the right of the patient to consent to a disclosure under Subpart C of these regulations for the sole purpose of obtaining payment for services from a third party payer. (b) Deceased patients (1) Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death. (2) Consent by personal representative. Any other disclosure of information identifying a deceased patient as an alcohol or drug abuser is subject to these regulations. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable State law. If there is no such appointment the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family.

decisions related to health care, a covered entity must treat such person as a personal representative with respect to PHI relevant to such personal representation.

§164.506(a)(3)(i)(A),(B),(C): In emergency treatment situations, if the covered health care provider is required by law to treat the individual, or if a covered health care provider is unable to obtain consent due to substantial barriers to communication and the covered health provider determines, in its professional judgment, that the patient’s consent is inferred by the circumstances, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent, a covered health care provider may use/disclose PHI to carry out treatment, payment, or health care operations without patient consent. Note: Recent amendments eliminate this requirement.

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(g): A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or other duties as authorized by law. (P. 82816: 1)

persons authorized to make health care decisions for the individual. 42 CFR, however, is both more narrow and more broad than HIPAA in that it requires adjudication that a person is unable to manage his/her own affairs; HIPAA does not. However, HIPAA only permits personal representation if the representative can make health care decisions for the individual, whereas 42 CFR Part 2 uses the term “manage affairs,” so in this respect HIPAA prevails.

2. HIPAA would permit provisions of 42 CFR Part 2 which allow a program director to use PHI for payment purposes without patient consent for the sole purpose of seeking payment, under the “substantial barriers to communication” exception. HIPAA would permit use/disclosure in these circumstances for treatment and health care operations purposes as well, but 42 CFR Part 2 would not, and hence that aspect of the latter regulation would prevail.

3. HIPAA and 42 CFR Part 2 are generally consistent with regard to disclosures about decedents for purposes of investigating cause of death; programs covered by both should follow 42 CFR Part 2. It should be noted, however, that HIPAA contains no provisions with regard to who may consent to the release of PHI upon a person’s death; therefore, it is not clear if the provisions under 42 CFR Part 2 allowing such consent by an executor, personal representative, spouse or family member are permissible.

§ 2.16 Security for written records. (a) Written records which are subject to these regulations must be maintained in a secure room, locked file cabinet, safe or other similar container when not in use; and (b) Each program shall adopt in writing procedures which regulate and control access to and use of written records which are subject to these regulations.

§164.530(c)(1): Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. (2) A covered entity must reasonably safeguard PHI from any intentional use/disclosure that is in violation of these standards, implementation specifications, or other requirements of this subpart.

The security provisions of 42 CFR Part 2 apply only to written records. Once an entity is covered by HIPAA, the privacy protections apply to records created/stored/transmitted in any medium. Therefore, HIPAA would supersede 42 CFR Part 2 and programs covered by both should comply with the HIPAA safeguard requirements.

§ 2.17 Undercover agents and informants. (a) Restrictions on placement. Except as specifically authorized by a court order granted under § 2.67 of these regulations, no program may knowingly employ, or enroll as a patient, any undercover agent or informant. (b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a program pursuant to an authorizing court order, may be used to criminally investigate or prosecute any patient.

No comparable provision.

Programs covered by both HIPAA and 42 CFR Part 2 are bound by 42 CFR Part 2 with regard to this provision.

§ 2.18 Restrictions on the use of identification cards. No person may require any patient to carry on his or her person while away from the program premises any card or other object which would identify the patient as an alcohol or drug abuser. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a program.

No comparable provision.

Programs covered by both HIPAA and 42 CFR Part 2 are bound by 42 CFR Part 2 with regard to this provision.

§ 2.19 Disposition of records by discontinued programs.

(a) General. If a program discontinues operations or is taken over or acquired by another program, it must purge patient identifying information from its records or destroy the records unless-- (1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party); or (2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the program. (b) Procedure where retention period required by law. If paragraph (a)(2) of this section applies, the records must be: (1) Sealed in envelopes or other containers labeled as follows: "Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]"; and (2) Held under the restrictions of these regulations by a responsible person who must, as soon as practicable after the end of the retention period specified on the label, destroy the records.

§164.530(c)(1): Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. (2) A covered entity must reasonably safeguard PHI from any intentional use/disclosure that is in violation of these standards, implementation specifications, or other requirements of this subpart.

It would appear that a program covered by both HIPAA and 42 CFR Part 2 could comply with both provisions; however, applicable provisions of the HIPAA security regulation, when finalized, may impact this analysis.

§2.21 Relationship to Federal statutes

Covered entities subject to these rules are also subject to other statutes and

As the federal research statutes

protecting research subjects against compulsory disclosure of their identity. (a) Research privilege description. There may be concurrent coverage of patient identifying information by these regulations and by administrative action taken under: Section 303(a) of the Public Health Service Act...and implementing regulations at 42 CFR Part 2a); or section 502(c) of the Controlled Substances Act (21 USC 872(c)) and the implementing regulations at 21 CFR 1316.21. These "research privilege" statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research. (b) Effect of concurrent coverage. These regulations restrict the disclosure and use of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under Subpart E of these regulations of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes. However, the research privilege granted under 21 CFR 291.505(g) to treatment programs using methadone for maintenance treatment does not protect from compulsory disclosure any information which is permitted to be disclosed under those regulations. Thus, if a court order entered in accordance with Subpart E of these regulations authorizes a methadone maintenance treatment program to disclose certain information about its patients, that program may not invoke the research privilege under 21

regulations. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other laws. ... Ordinarily, later, general statutes will not repeal the special provisions of an earlier, specific statute. In some cases, when a later, general statute creates an irreconcilable conflict or is manifestly inconsistent with the earlier, specific statute in a manner that represents a clear and manifest Congressional intent to repeal the earlier statute, courts will find that the later statute repeals the earlier statute by implication. In these cases, the latest legislative action may prevail and repeal the prior law, but only to the extent of the conflict. (Preamble, p. 82481)

identified in 42 CFR Part 2 do not appear inconsistent with, or contrary to the HIPAA privacy regulations, providers subject to both HIPAA and 42 CFR Part 2 should continue to follow this provision.

CFR 291.505(g) as a defense to a subpoena for that information.

§2.22 Notice to patients of Federal confidentiality requirements. (a) Notice required. At the time of admission or as soon thereafter as the patient is capable of rational communication, each program shall: (1) Communicate to the patient that Federal law and regulations protect the confidentiality of alcohol and drug abuse patient records; and (2) Give to the patient a summary in writing of the Federal law and regulations. (b) Required elements of written summary. The written summary of the Federal law and regulations must include: (1) A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility or disclose outside the program information identifying a patient as an alcohol or drug abuser. (2) A statement that violation of the Federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations. (3) A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected. (4) A statement that reports of suspected child abuse and neglect made under State law to appropriate State or local authorities are not protected. (5) A citation to the Federal law and regulations. (c) Program options. The program may devise its own notice or may use the sample notice in paragraph (d) to comply with the requirement to provide the patient with a summary in writing of the Federal law and regulations. In addition, the program may include in the written summary information concerning State law and any program policy not inconsistent with State and Federal law on the subject of

§164.520 Notice of privacy practices for PHI
1. An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and the individual’s rights and the covered entity’s legal duties with respect to PHI.
2. The notice must contain the following statement as a header or otherwise prominently displayed: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
3. The notice must be written in plain language and contain: (1) a description, including at least 1 example, of the types of uses/disclosures that the covered entity is permitted to make for treatment, payment & health care operations purposes; (2) a description of each of the other purposes for which the covered entity is permitted/required to use/disclose PHI w/out the person’s consent/authorization; (3) if a use/disclosure is prohibited or materially limited by other applicable law, the description of such use/disclosure must reflect the more stringent; (4) for each purpose described the description must include sufficient detail to place the person on notice of the uses/disclosures that are permitted/required by HIPAA and other applicable law; (5) a statement that other uses/disclosures will be made only with the person’s written authorization and that the individual may revoke such authorization.
4. If the covered entity intends to engage in any of the following, the description must include a separate statement, as applicable, that (1) the covered entity may contact the individual to provide appointment reminders; (2) the covered entity may contact the individual to raise funds; (3) a group health plan..may disclose PHI to the sponsor.
5. The notice must contain a statement of the individual’s rights with respect to PHI and a brief description of how the person can exercise those rights (i.e., right to request restrictions, right to receive confidential communications, right to inspect/copy PHI, right to amend PHI, right to receive accounting of disclosures, and right to receive paper copy of the notice, if notice is received electronically).
6. The notice must contain covered entity requirements (i.e., statement that the covered entity is required by law to maintain the privacy of PHI and to provide the notice of its legal duties and privacy practices; a statement that the covered entity is required to abide by the terms of the notice; in order for the covered entity to apply a change in its privacy practices, a statement that it reserves the right to change the terms of its notice and to make the new notice provision effective for all PHI it maintains (must also describe how it will provide persons with a new notice)).
7. Complaints. The notice must contain a statement that individuals may complain to the covered entity and the Secretary of HHS if they believe their privacy rights have been violated; a brief description of how to file a complaint with the covered

It would appear that a program covered by both HIPAA and 42 CFR Part 2 could comply with both provisions; however, extensive revision of the notice required under 42 CFR is required in order to comport with the HIPAA notice requirements.

confidentiality of alcohol and drug abuse patient records. (d) Sample notice....(is provided)

entity; and advise of nonretaliation for filing a complaint.
8. Contact. The notice must contain a contact name, or title, and telephone # of a person/office to contact for further information.
9. Effective date. The notice must contain the date on which the notice is first in effect, which cannot be earlier than the date on which it is printed/published.
10. Provisions for optional contents are also included.
11. A covered health care provider with a direct treatment relationship with the patient must provide the notice no later than the date of first service delivery, and, except in an emergency situation, make a good faith effort to obtain a written acknowledgment.
12. Whenever the notice is revised, the notice must be made available upon request on or after the effective date of the revision and promptly comply with the acknowledgment requirements.
13. Electronic notice is permitted.

§ 2.23 Patient access and restrictions on use. (a) Patient access not prohibited. These regulations do not prohibit a program from giving a patient access to his or her own records, including the opportunity to inspect and copy any records that the program maintains about the patient. The program is not required to obtain a patient's written consent or other authorization under these regulations in order to provide such access to the patient. (b) Restriction on use of information. Information obtained by patient access to his or her patient record is subject to the restriction on use of his information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(c)(1): The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets.

§164.524(c)(2)(i): The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; if not, a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

It would appear that a program covered by both HIPAA and 42 CFR Part 2 could comply with both provisions; however, HIPAA provides an articulated right to access while 42 CFR Part 2 simply indicates a program is not prohibited from providing such access. Additional provisions of HIPAA give an individual the right to request access to information in a specific format. Therefore, a program covered by both regulations should refer to both to determine how to respond to requests for access to a record by a patient and to ensure compliance with patient rights under HIPAA.

§ 2.31 Form of written consent. (a) Required elements. A written consent to a disclosure under these regulations must include: (1) The specific name or general designation of the program or person permitted to make the disclosure. (2) The name or title of the individual or the name of the organization to which disclosure is to be made. (3) The name of the patient.

§164.506(c): Consent: Content requirements. A consent under this section must be in plain language and: (1) Inform the individual that PHI may be used/disclosed to carry out treatment, payment, and health care operations; (2) refer the individual to the notice required by §164.520 for a more complete description of such uses/disclosures and state that the individual has the right to review the notice prior to signing the consent; (3) if the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with §164.520(b)(1)(v)(C), state that the terms of its notice may change and describe how the individual may obtain a revised notice; (4) state that: (i) the individual has

With a limited exception, programs covered by both 42 CFR Part 2 and HIPAA should follow 42 CFR Part 2 with regard to form of consent. However, since a “consent” under 42 CFR Part 2 more closely resembles a HIPAA “authorization” than a HIPAA “consent,” a program covered by both needs to ensure that its consent form

(4) The purpose of the disclosure. (5) How much and what kind of information is to be disclosed. (6) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient. (7) The date on which the consent is signed. (8) A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer. (9) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given. (b) Sample consent form. The following form complies with paragraph (a) of this section, but other elements may be added. 1. I (name of patient) ( ) Request ( ) Authorize: 2. (name or general designation of program which is to make the disclosure) 3. To disclose: (kind and amount of information to be disclosed) 4. To: (name or title of the person or organization to which disclosure is to be made) 5. For (purpose of the disclosure) 6. Date (on which this consent is signed) 7. Signature of patient 8. Signature of parent or guardian (where required) 9. Signature of person authorized to sign in lieu of the patient (where required) 10. This consent is subject to revocation at any time except to the extent that the program which is to make the disclosure has already

the right to request that the covered entity restrict how PHI is used/disclosed to carry out treatment, payment, or health care operations; (ii) the covered entity is not required to agree to requested restrictions; and (iii) if the covered entity agrees to a requested restriction, the restriction is binding on the covered entity; (5) state that the individual has the right to revoke the consent in writing, except to the extent the covered entity has acted in reliance on it; and (6) be signed by the individual and dated. (Note: Recent amendments eliminate this requirement).

§164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.508(c): Authorization: Core elements and requirements: A valid authorization under this section must contain at least the following elements: (i) a description of the information to be used/disclosed that identifies the information in a specific and meaningful fashion; (ii) the name/other specific identification of the person(s) or class of person authorized to make the requested use/disclosure; (iii) the name/other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use/disclosure; (iv) an expiration date/expiration event that relates to the individual/purpose of use/disclosure; (v) a statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization; (vi) a statement that information used/disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by HIPAA; (vii) signature of individual and date; and (viii) if the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.

(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

(i) The individual’s right to revoke the authorization in writing, and either:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by section 164.520, a reference to the covered entity’s notice.

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

includes all of the elements necessary for a valid HIPAA authorization for all uses/disclosures of PHI for which a patient authorization is needed under HIPAA.

A 42 CFR Part 2 “consent” is more stringent than a HIPAA consent, in light of the amount of detail it requires. Furthermore, the “minimum necessary” rule, which does not apply to HIPAA uses/disclosures for payment, and health care operations purposes, continues to apply to all 42 CFR Part 2 uses and disclosures, with no exceptions. Therefore, the “minimum necessary” rule of 42 CFR Part 2 should continue to be applied in all uses/disclosures for which a consent is needed under 42 CFR Part 2 and a consent/authorization is needed under HIPAA.

42 CFR Part 2 does not require any type of consent for use/disclosure of PHI for treatment purposes; this is consistent with the recent amendments to HIPAA. Thus, the two sets of regulations are consistent on this point.


taken action in reliance on it. If not previously revoked, this consent will terminate upon: (specific date, event, or condition)
(c) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through a reasonable effort could be known, by the person holding the records to be materially false.

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule.

(3) Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. revised 8/02


§ 2.32 Prohibition on redisclosure.

Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by the following written statement:
This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.

No comparable provision.

Programs covered by both sets of federal regulations should continue to follow 42 CFR Part 2 with regard to this requirement.

§ 2.34 Disclosures to prevent multiple enrollments in detoxification and maintenance treatment programs.
(a) Definitions. For purposes of this section:
Central registry means an organization which obtains from two or more member programs patient identifying information about individuals applying for maintenance treatment or detoxification treatment for the purpose of avoiding an individual's concurrent enrollment in more than one program.
Detoxification treatment means the dispensing of a narcotic drug in decreasing doses to an individual in order to reduce or eliminate adverse physiological or psychological effects incident to withdrawal from the sustained use of a narcotic drug.
Maintenance treatment means the dispensing of a narcotic drug in the treatment of an individual for dependence upon heroin or other

§160.203 General rule and exceptions

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met: (a) A determination is made by the Secretary under §160.204 that the provision of State law:...(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 USC 802), or that is deemed a controlled substance by State law.

Although HIPAA appears to require a written determination by the Secretary, it appears likely that reports to the methadone registry will continue to be permitted under HIPAA in accordance with this provision.


morphine-like drugs.
Member program means a detoxification treatment or maintenance treatment program which reports patient identifying information to a central registry and which is in the same State as that central registry or is not more than 125 miles from any border of the State in which the central registry is located.
(b) Restrictions on disclosure. A program may disclose patient records to a central registry or to any detoxification or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:
(1) The disclosure is made when:
(i) The patient is accepted for treatment;
(ii) The type or dosage of the drug is changed; or
(iii) The treatment is interrupted, resumed or terminated.
(2) The disclosure is limited to:
(i) Patient identifying information;
(ii) Type and dosage of the drug; and
(iii) Relevant dates.
(3) The disclosure is made with the patient's written consent meeting the requirements of § 2.31, except that:
(i) The consent must list the name and address of each central registry and each known detoxification or maintenance treatment program to which a disclosure will be made; and
(ii) The consent may authorize a disclosure to any detoxification or maintenance treatment program established within 200 miles of the program after the consent is given without naming any such program.

(c) Use of information limited to prevention of multiple enrollments. A central registry and any detoxification or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not redisclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a


court order under Subpart E of these regulations.
(d) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose--
(1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and
(2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollment.
(e) Permitted disclosure by a detoxification or maintenance treatment program to prevent a multiple enrollment. A detoxification or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollment.

NYS Mental Hygiene Law §19.16 Methadone registry. The office shall establish and maintain, either directly or through contract, a central registry for purposes of preventing multiple enrollment in methadone programs. The office shall require all methadone programs to utilize such registry and shall have the power to assess methadone programs such fees as are necessary and appropriate.

§ 2.35 Disclosures to elements of the criminal justice system which have referred patients.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative

If the disclosures back to a court regarding treatment are mandated in a court order, HIPAA would permit these disclosures without patient consent.


(a) A program may disclose information about a patient to those persons within the criminal justice system which have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:
(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or posttrial release, probation or parole officers responsible for supervision of the patient); and
(2) The patient has signed a written consent meeting the requirements of § 2.31 (except paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section.
(b) Duration of consent. The written consent must state the period during which it remains in effect. This period must be reasonable, taking into account:
(1) The anticipated length of the treatment;
(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and
(3) Such other factors as the program, the patient, and the person(s) who will receive the disclosure consider pertinent.
(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.
(d) Restrictions on redisclosure and use. A person who receives patient information under

body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

In contrast, 42 CFR Part 2 would require patient consent for such disclosures, but does not permit revocation of such consent until a specified date or event. Since the provision requiring consent for these disclosures is more stringent, this part of 42 CFR Part 2 would apply.

However, under HIPAA, authorizations are revocable by the patient at any time. Compliance with both HIPAA and 42 CFR Part 2 would require providers to utilize consents/authorizations that meet the requirements of both. Therefore, it would appear that criminal justice consents, like any HIPAA consent/authorization, would be revocable by patients at any time.


this section may redisclose and use it only to carry out that person's official duties with regard to the patient's conditional release or other action in connection with which the consent was given.

§ 2.51 Medical emergencies.

(a) General Rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.
(b) Special Rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.
(c) Procedures. Immediately following disclosure, the program shall document the disclosure in the patient's records, setting forth in writing:
(1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
(2) The name of the individual making the disclosure;
(3) The date and time of the disclosure; and
(4) The nature of the emergency (or error, if the report was to FDA).

§164.506(a)(3)(i)(A): A covered health care provider may use/disclose PHI without patient consent in emergency treatment situations, if the covered health care provider attempts to obtain consent as soon as reasonably practical after the delivery of treatment. Note recent amendments to this requirement: §164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

§164.512(b): A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to: (ii) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.... (iii) a person subject to the jurisdiction of the FDA (A) to report adverse events....

§164.512(j): A covered entity may, consistent with applicable law and standards of ethical conduct, use/disclose PHI if it believes, in good faith, that the use/disclosure (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person(s) reasonably able to prevent/lessen the threat.

In general, programs covered by 42 CFR Part 2 and HIPAA can continue to follow the provisions of 42 CFR Part 2 with regard to disclosures for medical emergencies.


§ 2.52 Research activities.

(a) Patient identifying information may be disclosed for the purpose of conducting scientific research if the program director makes a determination that the recipient of the patient identifying information:
(1) Is qualified to conduct the research;
(2) Has a research protocol under which the patient identifying information:
(i) Will be maintained in accordance with the security requirements of § 2.16 of these regulations (or more stringent requirements); and
(ii) Will not be redisclosed except as permitted under paragraph (b) of this section; and
(3) Has provided a satisfactory written statement that a group of three or more individuals who are independent of the research project has reviewed the protocol and determined that:
(i) The rights and welfare of patients will be adequately protected; and
(ii) The risks in disclosing patient identifying information are outweighed by the potential benefits of the research.
(b) A person conducting research may disclose patient identifying information obtained under paragraph (a) of this section only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities.

§164.512(h): A covered entity may use/disclose PHI for research, regardless of the source of the funding of the research, provided that (i) Board approval of a waiver of authorization: The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use/disclosure of PHI has been approved by either (A) an IRB established in accordance with....(B) a privacy board that: (1) has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests; (2) includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and (3) does not have any member participating in a review of any project in which the member has a conflict of interest....

(2) Documentation of waiver approval. For a use/disclosure to be permitted,...documentation must include... (ii) Waiver criteria: A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: (A) the use/disclosure of PHI involves no more than minimal risk to the individuals; (B) the alteration/waiver will not adversely affect the privacy rights/welfare of the individuals; (C) the research could not practicably be conducted without the alteration/waiver; (D) the research could not practicably be conducted without access to/use of the PHI; (E) the privacy risks to individuals whose PHI are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research; (F) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and (H) there is adequate written assurances that the PHI will not be reused/disclosed to any person/entity except as required by law, for authorized oversight of the research project, or for other research for which the use/disclosure of the PHI would be permitted by this subpart.

In this instance, HIPAA is generally more restrictive on use/disclosure of PHI for research purposes. Therefore, programs covered by both 42 CFR Part 2 and HIPAA should refer to HIPAA in determining how to respond to requests for PHI for research purposes. It should be noted, however, that 42 CFR Part 2 permits redisclosure of PHI only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities; this requirement is more restrictive than HIPAA and thus would prevail.

§ 2.53 Audit and evaluation activities.
(a) Records not copied or removed. If patient records are not copied or removed, patient identifying information may be disclosed in the course of a review of records on program premises to any person who agrees in writing to comply with the limitations on redisclosure

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory...or a person or entity operating under a grant of authority from or contract with such public agency....that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

With regard to audit and evaluation activities, 42 CFR Part 2 is generally more restrictive on use/disclosure of PHI for these purposes. Therefore, programs covered by both 42 CFR Part 2 and HIPAA should refer to 42 CFR Part 2 in determining how to respond to


and use in paragraph (d) of this section and who:
(1) Performs the audit or evaluation activity on behalf of:
(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or
(ii) Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a quality improvement organization performing a utilization or quality control review; or
(2) Is determined by the program director to be qualified to conduct the audit or evaluation activities.
(b) Copying or removal of records. Records containing patient identifying information may be copied or removed from program premises by any person who:
(1) Agrees in writing to:
(i) Maintain the patient identifying information in accordance with the security requirements provided in § 2.16 of these regulations (or more stringent requirements);
(ii) Destroy all the patient identifying information upon completion of the audit or evaluation; and
(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and
(2) Performs the audit or evaluation activity on behalf of:
(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate its activities; or
(ii) Any private person which provides financial assistance to the program, which is a third party payer covering patients in the program, or which is a quality improvement organization performing a utilization or quality control review.

§164.512(d) A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

Note: Recent amendments eliminate this requirement. §164.506(c): (1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information.... revised 8/02

requests for PHI for audit and evaluation activities.

(c) Medicare or Medicaid audit or evaluation.
(1) For purposes of Medicare or Medicaid audit or evaluation under this section, audit or evaluation includes a civil or administrative


investigation of the program by any Federal, State, or local agency responsible for oversight of the Medicare or Medicaid program and includes administrative enforcement, against the program by the agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.
(2) Consistent with the definition of program in § 2.11, program includes an employee of, or provider of medical services under, the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section.
(3) If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this section, then a quality improvement organization which obtains the information under paragraph (a) or (b) may disclose the information to that person but only for purposes of Medicare or Medicaid audit or evaluation.
(4) The provisions of this paragraph do not authorize the agency, the program, or any other person to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the Medicare or Medicaid audit or evaluation activity as specified in this paragraph.
(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66 of these regulations.

§ 2.61 Legal effect of order.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law;

Because 42 CFR Part 2 is more strict than HIPAA in specifying the necessary


(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290ee-3, 42 U.S.C. 290dd-3 and these regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under these regulations.
(b) Examples.
(1) A person holding records subject to these regulations receives a subpoena for those records: a response to the subpoena is not permitted under the regulations unless an authorizing court order is entered. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under these regulations.
(2) An authorizing court order is entered under these regulations, but the person authorized does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person authorized to disclose must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of these regulations.

includes, but is not limited to, court orders and court ordered warrants, subpoenasor summons issued by a court, grand jury, a gov’tal...inspector general, or anadministrative body authorized to require the production of information; a civil or anauthorized investigative demand; Medicare conditions of participation...; andstatutes/ regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a governmentprogram providing publicbenefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

content of court orders under which PHI can be disclosed, programs covered by both 42 CFR Part 2 and HIPAA should continue to refer to the former when releasing PHI pursuant to court order.

§ 2.62 Order not applicable to records disclosed without consent to researchers, auditors and evaluators.

A court order under these regulations may not authorize qualified personnel, who have received patient identifying information without consent for the purpose of conducting

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government

Because 42 CFR Part 2 is more strict than HIPAA in restricting the ability of court orders to authorize disclosure of PHI in certain circumstances, programs covered by both 42 CFR Part 2 and HIPAA should continue to refer to the former when considering releases of PHI obtained in the course of research,


research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records.

program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

audit, or evaluation activities in the context of criminal investigations of patients.

§ 2.63 Confidential communications.

(a) A court order under these regulations may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment only if:

(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;

(2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or

(3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

In limiting the scope of authorizing court orders, 42 CFR Part 2 is more strict than HIPAA, which provides for no such limitations. Therefore, for programs covered by both regulations, 42 CFR Part 2 shall continue to control in this circumstance.

§ 2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes.

(a) Application. An order authorizing the disclosure of patient records for purposes other

No comparable provision.

but see:

§164.501: Required by law: a mandate contained in law that compels a covered

Programs covered by both HIPAA and 42 CFR Part 2 should continue to refer to 42 CFR Part 2 with regard to the procedure/criteria for authorizing court orders for disclosures for noncriminal


than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which it appears that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given a written consent (meeting the requirements of these regulations) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice. The patient and the person holding the records from whom disclosure is sought must be given:

(1) Adequate notice in a manner which will not disclose patient identifying information to other persons; and

(2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order.

(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a manner which meets the written consent requirements of these regulations. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that:

(1) Other ways of obtaining the information are

entity to make a use/disclosure of PHI and that is enforceable in a court of law; includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

purposes.


not available or would not be effective; and

(2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.

(e) Content of order. An order authorizing a disclosure must:

(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the objective of the order.

(2) Limit disclosure to those persons whose need for information is the basis for the order; and

(3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

§ 2.66 Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a program or the person holding the records.

(a) Application. (1) An order authorizing the disclosure or use of patient records to criminally or administratively investigate or prosecute a program or the person holding the records (or employees or agents of that program or person) may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities.

(2) The application may be filed separately or as part of a pending civil or criminal action against a program or the person holding the records (or agents or employees of the program or person) in which it appears that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information

No comparable provision.

but see:

§160.501: Law enforcement official means an officer or employee of any agency or authority, of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

§164.512(f)(1): A covered entity may disclose PHI for a law enforcement purpose to a law enforcement official... (i) in compliance with and as limited by the relevant requirements of: (A) a court order or court-ordered subpoena or summons issued by a judicial officer; (B) a grand jury subpoena; or (C) an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) de-identified information could not reasonably be used.

§164.501: Required by law: a mandate contained in law that compels a covered entity to make a use/disclosure of PHI and that is enforceable in a court of law;

Programs covered by both HIPAA and 42 CFR Part 2 should continue to refer to 42 CFR Part 2 with regard to the procedure/criteria for authorizing court orders for disclosures for prosecutorial purposes.


unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has given a written consent (meeting the requirements of § 2.31 of these regulations) to that disclosure.

(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order.

(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of § 2.64 of these regulations.

(d) Limitations on disclosure and use of patient identifying information:

(1) An order entered under this section must require the deletion of patient identifying information from any documents made available to the public.

(2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient, or be used as the basis for an application for an order under § 2.65 of these regulations.

includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a gov’tal...inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation...; and statutes/regulations that require the production of information, including statutes/regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use/disclose PHI to the extent that such use/disclosure is required by law and the use/disclosure complies with and is limited to the relevant requirements of such law.

§ 2.67 Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a program.

(a) Application. A court order authorizing the placement of an undercover agent or informant in a program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the program are engaged in criminal misconduct.

(b) Notice. The program director must be given

No comparable provisions.

Programs covered by both HIPAA and 42 CFR Part 2 should continue to refer to 42 CFR Part 2 with regard to the procedure/criteria for orders authorizing the use of undercover agents and informants.


adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order), unless the application asserts a belief that:

(1) The program director is involved in the criminal activities to be investigated by the undercover agent or informant; or

(2) The program director will intentionally or unintentionally disclose the proposed placement of an undercover agent or informant to the employees or agents who are suspected of criminal activities.

(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find:

(1) There is reason to believe that an employee or agent of the program is engaged in criminal activity;

(2) Other ways of obtaining evidence of this criminal activity are not available or would not be effective; and

(3) The public interest and need for the placement of an undercover agent or informant in the program outweigh the potential injury to patients of the program, physician-patient relationships and the treatment services.

(d) Content of order. An order authorizing the placement of an undercover agent or informant in a program must:

(1) Specifically authorize the placement of an undercover agent or an informant;

(2) Limit the total period of the placement to six months;

(3) Prohibit the undercover agent or informant from disclosing any patient identifying information obtained from the placement except as necessary to criminally investigate or prosecute employees or agents of the program; and

(4) Include any other measures which are appropriate to limit any potential disruption of the program by the placement and any


potential for a real or apparent breach of patient confidentiality; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

(e) Limitation on use of information. No information obtained by an undercover agent or informant placed under this section may be used to criminally investigate or prosecute any patient or as the basis for an application for an order under § 2.65 of these regulations.

Patient Access to Records

Not addressed in 42 CFR Part 2.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to this requirement.

Right to request Restrictions

Not addressed in 42 CFR Part 2.

§164.522 (a)(1) Right to request restrictions. A covered entity must permit an individual to request that the covered entity restrict (1) uses/disclosures of PHI about the individual to carry out treatment, payment and health care operations and (2) disclosures of PHI for involvement in the individual’s care and notification purposes. A covered entity does not have to agree to these restrictions.

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to this requirement.

Right to request Accountings

Not addressed in 42 CFR Part 2.

§164.528 (a)(1) Right to request accountings. An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which an accounting is requested, except for disclosures: (1) to carry out treatment, payment, and health care operations; (2) to the individuals themselves; (3) that are made for national security or intelligence purposes; (4) that are related to certain custodial situations; (5) to correctional institutions and law enforcement officials; and (6) which occurred prior to the compliance date for the covered entity.

§164.528 (c): The covered entity must act on the individual’s request for an accounting no later than 60 days after receipt of such request by providing the accounting or requesting an extension of no more than 30 days. The first accounting must be provided without charge, and thereafter a reasonable, cost-based fee for each subsequent accounting may be charged if the individual is informed in advance of the fee and given an opportunity to modify the request to reduce or avoid the fee.

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to this requirement.


§164.528 (d): Documentation. A covered entity must retain documentation of the information required to be included in an accounting, the written accounting provided to the individual, and titles of persons or responsible officers who process/receive accountings.

Administrative Requirements:

Not addressed, (or in the case of safeguard requirements, not adequately addressed), in 42 CFR Part 2.

§164.530 (a)(1): Personnel Designations: A covered entity must designate a privacy official who is responsible for the development and implementation of the policies/procedures of the entity.

§164.530 (a)(2) Documentation: A covered entity must document the required personnel designations.

§164.530 (a)(3) Training: A covered entity must train all members of its workforce on the policies/procedures with respect to PHI required by HIPAA, as necessary and appropriate to carry out their functions within the covered entity. The workforce must be trained prior to the compliance date; new members must be trained within a reasonable time after joining the workforce... Such training must be documented.

§164.530 (c) Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI...

§164.530 (d)(1): Complaints. A covered entity must provide a process for individuals to make complaints concerning: (1) the covered entity’s policies and procedures required by HIPAA and (2) its compliance with such policies and procedures or the requirements of HIPAA.

§164.530 (d)(2) Documentation of complaints: A covered entity must document all complaints received, as well as their disposition.

§164.530 (e)(1),(2) Sanctions: A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with HIPAA... Those sanctions must be documented.

§164.530 (f): Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effects known to the covered entity of a use/disclosure of PHI in violation of its policies/procedures or HIPAA by the covered entity or its business associate.

§164.530 (g) Retaliatory acts: A covered entity may not intimidate, threaten, coerce, discriminate against, or take retaliatory action against any individual for exercising his/her rights or for filing a complaint with HHS...

§164.530 (h): Waiver: A covered entity may not require individuals to waive their rights to file complaints or any other rights under HIPAA as a condition of provision

Programs covered by both 42 CFR Part 2 and HIPAA must follow the HIPAA rules in regard to these requirements.


of treatment, payment, enrollment in a health plan, or eligibility for benefits.

§164.530 (i)(1),(2),(3),(4) Policies and procedures: A covered entity must implement policies and procedures with respect to PHI designed to comply with the requirements of HIPAA.... Such policies/procedures must be changed as necessary to comply with changes in the law... must document and implement the revised policies/procedures promptly... and must revise its Notice of Privacy Practices.

§164.530 (j)(1),(2) Retention of policies: A covered entity must maintain the required policies/procedures in written or electronic form, copies of communications HIPAA requires, and records of any action, activity, or designation HIPAA requires to be documented. Such documentation must be retained for 6 years from date of creation or date last in effect, whichever is later.