Skip to Content
Health Information and Data SharingSubstance Use Prevention and Harm Reduction

Disease Outbreaks at Substance Use Treatment Facilities: Balancing Privacy and Public Health

December 16, 2020


A lack of clear and standardized public health reporting regulations for federally-assisted substance use treatment programs raises questions about how communicable disease reporting occurs in these settings, including whether the burden of disease among specific patient populations is accurately tracked and whether gaps in the legal framework necessitate a fix.

Although HIPAA regulations apply to substance use treatment records, regulations under 42 CFR Part 2 (Part 2) are generally stricter and therefore preempt HIPAA’s less stringent privacy standards. In particular, unlike the HIPAA Privacy Rule, which permits disclosure of protected health information to public health authorities for authorized purposes, laws governing the privacy of substance use disorder records do not provide as explicit a pathway for public health reporting.

If a substance use treatment program identifies a cluster of disease cases among its patient population, what steps might the facility take to protect patient privacy while also protecting the public’s health?

Federal regulations under 42 CFR Part 2 apply to records which “would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person” (42 CFR § 2.12(a)). These regulations impose disclosure restrictions on Part 2 programs—federally-assisted substance use disorder programs as defined by 42 CFR § 2.12(b), which include programs receiving federal funds, programs receiving tax-exempt status, programs participating in Medicare, and programs conducted in whole or in part by any department or agency of the federal government. In addition, federal regulations preempt any state law compelling disclosures prohibited by Part 2 regulations (42 CFR § 2.20).

The clearest way in which a Part 2 program can provide protected information to a public health program is through patient consent. Under 42 CFR § 2.33(a), a patient can consent in writing to the disclosure of records to any person or category of persons identified in the consent. Recent amendments to these regulations (effective August 14, 2020) removed elements of the rule that impeded disclosure to public health agencies even with consent. Notably, 42 CFR § 2.31 previously distinguished between entities with and without a treating provider relationship with a patient, imposing heightened requirements for disclosure to entities without a treating provider relationship. The amendments removed this distinction. Under the current rule, a Part 2 program patient may consent in writing, consistent with the regulatory requirements, to the disclosure of their records to either an entity (e.g. a communicable disease program) or a public health official named in the consent.

Part 2 programs also have the option to report de-identified patient information to public health authorities. The CARES Act (Pub. L. 116-136), enacted as part of Congress’s initial response to the coronavirus pandemic, amended section 543(b) of the Public Health Service Act (42 USC 290dd-2(b)) to allow Part 2 programs to disclose de-identified information to a public health authority “so long as such content meets the standards established in section 164.514(b) of title 45, Code of Federal Regulations [the HIPAA Privacy Rule] (or successor regulations) for creating de-identified information.”

Finally, a court order may authorize disclosure if “the disclosure is necessary to protect against an existing threat to life or serious bodily injury . . .” (42 CFR § 2.61, et seq.). A court may enter an order if it finds that good cause exists. The factors the court uses to make this determination are whether “other ways of obtaining the information are not available or would not be effective” and whether “the public interest and need for the disclosure outweigh the potential injury to the patient, physician-patient relationship and the treatment services” (42 CFR § 2.64(d)). There is a strong presumption against disclosing substance use treatment information, which includes information regarding the presence of an identified patient at a substance use disorder treatment facility. There must be unique circumstances meeting the standard for entry of a court order, which must be clearly detailed within the court order.

In a public health surveillance capacity, particularly during a pandemic, court orders will not typically be a viable option. While there may be limited instances in which a court order may be appropriate and worth pursuing under these circumstances, the length of court proceedings may outlast the period of time in which a disclosure would be of use to public health officials.

A public health reporting system largely reliant on consent may hinder a complete case count. Under the current model, public health programs and other health care entities must take particular care to build trust, provide culturally competent care, and respect individuals’ agency and autonomy to engender confidence in patients consenting to public health reporting. De-identification of health information provides another option for reporting communicable disease but may similarly impede contact tracing and recognition of outbreaks among particular populations. Moving forward, there should be a deliberate effort by substance use treatment programs and public health agencies to partner to develop consent forms for public health reporting and to educate providers and patients. These local efforts can supplement broader proposals for reform such as those previously raised in public comments on Part 2 regulations  requesting a public health exemption to align the law with HIPAA.

Without comprehensive and accurate public health data, there may be concerns about whether a specific population is receiving proper attention, tailored interventions, and sufficient protections from communicable disease. Tensions between privacy and public health surveillance will remain, but the current pandemic demonstrates the need for careful and explicit consideration of public health reporting provisions in privacy law.

This post was developed by Susan Fleurant, Senior Legal Researcher, Network for Public Health Law – Mid-States Region Office and J.D./M.P.H Candidate, University of Michigan (2022) and reviewed by Sallie Milam, J.D, CIPP/US/G, Deputy Director, Network for Public Health Law – Mid-States Region Office and Colleen Healy Boufides, J.D., Deputy Director, Network for Public Health Law – Mid-States Region Office.

The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.

Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.