Congressional Research Service


Updated April 30, 2021

Private Health Information and Prescription Drug Monitoring Programs (PDMPs)


Prescription drug monitoring programs (PDMPs) maintain
statewide electronic databases of prescriptions dispensed
for controlled substances (i.e., prescription drugs of abuse
that are subject to stricter government regulation).
Information collected by PDMPs may be used to support
access to legitimate medical use of controlled substances; to
identify or prevent drug abuse and diversion; to facilitate
the identification of prescription drug-addicted individuals
and enable intervention and treatment; to outline drug use
and abuse trends to inform public health initiatives; or to
educate individuals about prescription drug use, abuse, and
diversion (see CRS Report R42593, Prescription Drug
Monitoring Programs). PDMPs have raised concerns about
patient privacy, including issues around the scope and
breadth of authorized access, specifically by law
enforcement agencies, as well as the potential for
unauthorized access or breaches. While PDMPs are seen as
valuable in the effort to address improper prescribing of
controlled substances, concern persists about both legal
disclosure of and illegal access to health information in
PDMPs.

PDMPs have varying requirements with respect to the
security and authorized use and disclosure of their stored
information. These are governed by state law. PDMPs
receive protected health information (PHI) from
pharmacists and other health care providers (HIPAA
[Health Insurance Portability and Accountability Act]
covered entities) who are subject to the federal HIPAA
Privacy Rule (45 C.F.R. Part 164, Subpart E). Challenges
have arisen with reporting individually identifiable health
information related to treatment at certain substance use
disorder (SUD) facilities to PDMPs, as this information is
subject to stricter privacy requirements under the Part 2
rule (42 C.F.R. Part 2, implementing Public Health Service
Act [PHSA] Section 543 [42 U.S.C. §290dd-2]). A July
2020 final rule amending the Part 2 rule made changes that
facilitate this reporting (85 Federal Register, 42986).

The HIPAA Privacy Rule and PDMPs
The HIPAA Privacy Rule (the Rule) governs covered
entities' (health care plans, providers, and clearinghouses)
and their business associates' use and disclosure of PHI. To
meet the definition of covered entity under the Rule, a
health care provider must electronically transmit health
information in connection with certain standard
transactions. PHI is defined as individually identifiable
health information created or received by a covered entity
that is transmitted by electronic media, maintained in
electronic media, or transmitted or maintained in any other
form or medium (45 C.F.R. §160.103).

The Rule describes multiple situations in which covered
entities may use or disclose PHI without authorization,
while all uses and disclosures of PHI that are not expressly
permitted under the rule require an individual's prior
written authorization. Generally, covered entities may share
PHI between and among themselves for the purposes of
treatment, payment, or health care operations, with few
restrictions (and specifically, without the individual's
authorization) (45 C.F.R. §164.506). Health care operations
include a number of activities as they relate to covered
functions; for example, conducting quality assessment or
improvement activities, reviewing the competence of health
care professionals, and business planning and development.
Express authorization is required for use and disclosure of
psychotherapy notes and for marketing or sale purposes.

Certain other uses and disclosures (e.g., sharing PHI with
family members and friends) are permitted, but they require
a covered entity to give the individual the opportunity to
object or agree to the PHI's use or disclosure (45 C.F.R.
§164.510). In two cases, covered entities are required to
disclose PHI: to the individual who is the subject of the
information in certain circumstances and to the Secretary of
the Department of Health and Human Services (HHS) for
purposes of determining compliance with the rule (45
C.F.R. §164.502(a)(2)).

Covered Entity Reporting of PHI to PDMPs
The Privacy Rule recognizes that PHI may be useful in
other circumstances aside from health care treatment and
payment for a given individual. For this reason, the Rule
lists a number of national priority purposes for which
covered entities may disclose PHI without an individual's
authorization or opportunity to agree or object (45 C.F.R.
§164.512). PDMPs may receive PHI from covered entities
under authority of one or more of these exceptions.
Relevant exceptions identified in the Rule may include
disclosures required by law (e.g., state PDMP laws) or
those to a public health authority for public health activities.
Generally, the Rule requires disclosures of PHI to be
limited to the minimum amount necessary to meet the
purpose of the disclosure. With respect to disclosures to
public officials to meet the national priority purposes (e.g.,
for public health activities), the covered entity may assume
the requested information is the minimum necessary if the
requesting official represents that it is (45 C.F.R.
§164.514).

Some states expressly note that they rely on these
exceptions to receive PHI from HIPAA-covered entities to
populate their PDMP. For example, Virginia's Department
of Health Professions notes that the Rule allows for
disclosure of PHI by covered entities without authorization

https://crsreports.congress.gov