Privacy Policy


Summary of HIPAA Rules on Disclosures and Comparison with Federal Confidentiality Regulations
HIPAA regulations are structured differently from Federal alcohol and drug confidentiality rules.

Under HIPAA, there are mandatory disclosures (which do not require patient consent). These are limited to disclosures to patients themselves and also disclosures to the Secretary of HHS, when the Secretary seeks information to investigate or determine a provider’s compliance with HIPAA. (In comparison, Federal confidentiality regulations do not provide for any mandatory disclosures but permit disclosures to the client himself or herself.)


Disclosures that do not require client authorization (consent).

  1. These include disclosures:
    1. To the client for the following:
      1. Treatment
      2. Payment
      3. Healthcare Operations
    2. To the healthcare provider, who may use or disclose protected health information for its own:
      1. Treatment
      2. Payment
      3. Healthcare Operations
    3. By the healthcare provider, who may disclose protected health information for treatment activities of another healthcare
    4. A healthcare provider may disclose protected health information to another healthcare provider covered by HIPAA for the payment activities of that other healthcare
    5. A healthcare provider may disclose protected health information to another healthcare provider covered by HIPAA for healthcare operations in certain

  1. For a variety of public health activities such as reporting to the Centers for Disease Control and Prevention and the Food and Drug Administration and notification of persons exposed to communicable
  2. To family, close friends or other persons identified by the patient as involved in the patient’s care or payment related to the patient’s care, so long as the provider obtains the patient’s verbal consent, provides the patient with an opportunity to object to the disclosure and the patient does not do so or can infer that the patient does not object. If the patient is unable to consent, the provider may make the disclosure if in the exercise of professional judgment it determines that the disclosure is in the best interests of the
  3. In the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal or in response to a subpoena, discovery request or other lawful
  4. To a law enforcement official for law enforcement purposes under a variety of
  5. To a coroner, medical examiner or funeral director, in certain circumstances.
  6. To organ procurement organizations for the purpose of facilitating organ


HIPAA requires that when a healthcare provider discloses protected health information to or requests information from another covered healthcare provider, it make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request”, unless the disclosure or request is for the purpose of treatment. The regulations discourage disclosure of the client’s entire record. The minimum necessary rule does not apply when disclosure is made to the individual, for the purpose of treatment, pursuant to an authorization or as required by law.


  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful
  • The name or other specific identification of the persons or class of persons authorized to make the requested use or
  • The name or other specific identification of the persons or class of persons to whom the provider may make the requested use or
  • A description of each purpose of the requested use or disclosure (“At the request of the individual” is a sufficient description of purpose when the client initiates the authorization and does not provide a statement of the ).
  • An expiration date or event that relates to the client or the purpose of the use or
  • A statement adequate to place the client on notice of the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer protected by
  • A statement adequate to place the client on notice of his/her right to
  • The authorization, how he or she may do so and any exceptions to that right. A statement adequate to place the client on notice of the program’s ability or inability to condition treatment on whether the client signs the authorization. A program not conducting research would generally not be permitted to condition treatment on a patient’s signing a HIPAA
  • The signature of the patient and the date it was signed. If the authorization is signed by a personal representative (or parent), a description of the representative’s authority must be
  • The patient may revoke authorization at any time, but revocation must be in


The authorization provision is similar to the confidentiality rules’ consent provision, however, is somewhat more restrictive; revocation of consent need not be in writing and re-disclosure is prohibited. The only element HIPAA adds to the requirements of 42 CFR Part 2 is the statement concerning the program’s ability or inability to condition treatment on the patient’s signing the authorization form. Because federal rules are more restrictive, programs must continue to follow the federal confidentiality regulations’ consent rules.


HIPAA gives special protection to “psychotherapy notes” which it defines as notes “recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual’s medical record”. Psychotherapy notes are process notes that capture the therapist’s impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record and are used by the provider for future sessions. They do not include summary information, such as the current state of the patient, symptoms, the theme of the psychotherapy session, diagnoses, medications prescribed, side effects or any other information necessary for treatment or payment. Summary information should be placed in the patient’s medical record.

The originator of the psychotherapy notes can use them without the patient’s authorization. The program may use or disclose the notes (1) for its own training programs in which students or practitioners in mental health learn under supervision to practice or improve their skills and (2) to defend itself in a legal action. Programs may disclose psychotherapy notes when the Secretary of HHS requires it as a part of an investigation of the program’s compliance with HIPAA and in Tarasoff situations. Programs must obtain the client’s authorization (consent) to make any other disclosure of psychotherapy notes.

Violation of HIPAA requirements can subject the offender to civil and/or criminal penalties.

NOTE: Programs subject to both HIPAA and the Federal alcohol and drug confidentiality regulations must comply with the more stringent standard.