I'll take a stab at answering your question. Please remember that in an
effort to keep it relatively brief, this is a fairly simplistic, high-level

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other
Drugs)regs), disclosure within a "program" is allowed on a need-to-know
basis  without the consent of the patient. This "internal" disclosure is
limited to "personnel having a need for the information in connection with
their duties which arise out of the provision of diagnosis, treatment, or
referral for treatment." In practice, I think this is very close to, if not
the same as, the HIPAA "use" definition. Although the AOD regs do not
require a formal minimum necessary analysis, the concept of only disclosing
the minimum amount of information necessary to accomplish the purpose for
making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the
adoption of the August, 2002, HIPAA changes, a wide gap remains between the
two sets of regs. While HIPAA allows treatment providers to disclose PHI for
treatment and payment (even another provider's payment) without the
patient's written consent, the AOD regs absolutely prohibit such disclosures
related to payment, and disclosures for treatment (except for medical
emergencies) require that a written agreement be in place and that the
services which the external provider render be something different than what
the primary provider is providing. This written agreement is known in the
AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A
QSOA is akin to a BA agreement, though much shorter and less complicated,
charachteristics which are, unfortunately, soon to be a thing of the past.
While a QSOA can be used in limited circumstances for treatment (the biggest
problem is that we cannot have one with another AOD provider), its most
common use is for operations, just as the HIPAA BA agreement will be used
(e.g., we have a QSOA with our auditor, or outside attorneys, the company
which prints and sends out our bills, the lab which analyzes the urine
specimens we collect, etc.). But, if we want to be able to bill an insurance
company or any other third party payer, we have to have the patient's
written consent (in fact, we cannot even call to get pre-authorization
without written consent; how's that for customer friendly?). If we want to
refer the patient to another health care provider, of whatever type, or
consult with another provider (like their primary care provider) who has
seen the patient, we must have the patient's written consent unless the
situation fits within the pretty narrow exception where a QSOA can be used
and we have (or can get) one in place (the logistics and pain of trying to
get a QSOA with all of those providers, which make doing so pretty
impracticle). The requirements in the AOD regs for a valid written consent
are very similar to those for a HIPAA authorization: who is disclosing the
information, to whom is the information being disclosed, what information is
being disclosed and why is it being disclosed, there must be a reasonble,
identifiable expiration date, the patient must be able to revoke the consent
at any time (one specific exception here for persons referred by an element
of the criminal justice system where treatment is a part of the
disposition), the name of the patient, the patient's signature and the date
of the signature.

The remaining situations where disclosure can be made without written
patient consent under the AOD regs are very limited. I'll list only a few of
the major differences between the HIPAA and AOD regs. There is no general
exception for "otherwise required by law." I've forgotten exactly when the
exception for allowing a child abuse report to be filed if required by state
law was added, sometime around 1990, I think, but that used to be quite a
problem and even now the exception is very limited. There are no exceptions
for reporting any other kind of abuse. The HIPAA "law enforcement"
exception. There are provisions for disclosure in response to a court order,
but it requires a very specific order after following very specific

I hope this has been helpful. Let me know if you have any other questions.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.

> -----Original Message-----
> From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 18, 2003 5:02 PM
> To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List'
> Subject: RE: HIPAA privacy and people
> Darrell,
> Thank you for sharing your thoughts.  And now that you 
> brought it up, how
> would you compare the "42 CFR" consent with the (voluntary) 
> HIPAA-consent
> and the HIPAA-authorization.  In my mind, the "42 CFR" allows a more
> generalized use and disclosure for TPO, and consequently is 
> more equivalent
> to the (voluntary) HIPAA-consent, than it is to the more specific
> HIPAA-authorization.
> But, I would like to know your take on this matter.
> Thanks in advance.
> Matt
> Matthew Rosenblum
> Chief Operations Officer
> Privacy, Quality Management & Regulatory Affairs
> CPI Directions, Inc.
> 10 West 15th Street, Suite 1922
> New York, NY 10011
> (212) 675-6367
> CONFIDENTIALITY NOTICE: This E-Mail is intended only for the 
> use of the
> individual or entity to which it is addressed and may contain 
> information
> that is privileged, confidential and exempt from disclosure 
> under applicable
> law. If you have received this communication in error, please do not
> distribute it.  Please notify the sender by E-Mail at the 
> address shown and
> delete the original message. Thank you.
> AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
> individuo o la entidad a la cual se dirige y puede contener 
> información
> privilegiada, confidencial y exenta de acceso bajo la ley 
> aplicable. Si
> usted ha recibido esta comunicación por error, por favor no 
> lo distribuya.
> Favor notificar al remitente del E-Mail a la dirección 
> mostrada y elimine el
> mensaje original. Gracias.

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at or send a blank email to 
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at

Reply via email to