NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Center for Substance Abuse Treatment. Simple Screening Instruments for Outreach for Alcohol and Other Drug Abuse and Infectious Diseases. Rockville (MD): Substance Abuse and Mental Health Services Administration (US); 1994. (Treatment Improvement Protocol (TIP) Series, No. 11.)

Cover of Simple Screening Instruments for Outreach for Alcohol and Other Drug Abuse and Infectious Diseases

Simple Screening Instruments for Outreach for Alcohol and Other Drug Abuse and Infectious Diseases.

Show details

Chapter 5 - Legal Issues Surrounding Client Confidentiality 1

Street outreach workers for alcohol and other drug (AOD) abuse and infectious diseases need to be aware of the legal issues that affect the operation of their programs. Of primary concern among these issues is confidentiality: the protection of the client's right to privacy.

Programs that provide street outreach for populations at risk for AOD and infectious diseases typically face questions about how to refer clients for assessment, diagnosis, and possible treatment; how to communicate with collateral sources to gather additional information about clients; and how to communicate with other agencies working with clients. For example, outreach workers are engaged in assessment, diagnosis, or treatment of AOD or infectious diseases, they will generally not be responsible for reporting infectious diseases to State often called upon to assist clients to find and apply for services from appropriate health and social service agencies.

Can outreach staff perform this function and at the same time protect clients' confidentiality? How can outreach workers contact collateral sources for information about a client without violating his or her confidentiality? Are there special rules for outreach workers who assist clients who are minors? What are the rules for reporting child abuse and neglect? This chapter attempts to answer these questions.

Since outreach workers are not health departments, warning others of clients' infectious conditions, or tracing individuals who have had contact with the client and who might therefore be at risk of acquiring communicable diseases. Therefore, these questions are not addressed in this chapter.

This chapter reviews Federal laws and regulations governing the confidentiality of information about persons who seek or receive AOD assessment and treatment services.

Perceived Obstacles to Maintaining Confidentiality

Laws and regulations that govern communication about clients and protect their confidentiality are sometimes viewed as an irritation or a barrier to achieving program goals. For example, some staff may view as burdensome the requirement that a client must sign a consent form before a street outreach worker can make a telephone call to a treatment program on that client's behalf.

The process of obtaining consent, however, can also be seen as a small ceremony that provides a way of making a contract with the client. The worker is about to perform services for the client, and the client should begin to view seriously his or her part of the bargain in following up. Moreover, it is at this point that the outreach worker can let the client know that workers and their agencies, as well as other people helping the client, take his or her privacy very seriously. Indeed, since the outreach worker can make only the most preliminary of determinations about a client, maintaining confidentiality assumes an even greater importance.

Most of the problems that may arise under the laws and regulations that protect clients' confidentiality can easily be avoided through planning ahead. Familiarity with the rules will ease communication and can limit confidentiality-related conflicts among the program, the client, and outside agencies or individuals to a few relatively rare situations.

Federal and State Confidentiality Laws

The primary idea behind protecting confidentiality is to allow the client (rather than the program) to determine when and to whom information about his or her AOD abuse or infectious diseases will be disclosed. Two sets of laws apply in this area.

First, Federal statutes and regulations guarantee the strict confidentiality of information about all persons applying for or receiving services for AOD abuse prevention, screening, assessment, and treatment. These statutes and regulations apply to any program that holds itself out as providing services for AOD abuse (see "Programs Governed by the Federal Regulations" later in this chapter). (The legal citation for these laws and regulations is 42 U.S.C. §§290dd-3 and ee-3 and 42 C.F.R. Part 2.) Violating the regulations is punishable by a fine of up to $500 for a first offense or up to $5,000 for each subsequent offense (§2.4). 2

Second, State laws govern the confidentiality of information about human immunodeficiency virus (HIV) infection and acquired immunodeficiency syndrome (AIDS), as well as other infectious diseases. Each State has its own rules about how program staff must treat information related to clients' HIV infection and other infectious diseases. (Most States that have laws concerning this information have two separate laws, one for HIV and AIDS and another for other infectious diseases.) Some State laws (particularly those pertaining to HIV- and AIDS-related information) are as strict as the Federal AOD confidentiality law and regulations, whereas others are more lenient.

Information about infectious diseases of clients in AOD programs is protected by both the Federal AOD confidentiality regulations and State confidentiality laws. Information that would identify a client who is part of an outreach program for infectious diseases as an AOD abuser, either directly or by implication, is protected by both State confidentiality laws and the Federal AOD confidentiality regulations (as long as the program holds itself out as providing AOD outreach services and is otherwise subject to the Federal law; see below).

Programs that provide outreach services to populations at risk for AOD and infectious diseases must familiarize their staffs with the requirements of both sets of laws. The impact of State laws, along with the requirements of the Federal law, are discussed here.

Federal Laws and Regulations

The General Rule

Two Federal laws and a set of regulations guarantee the strict confidentiality of information about all persons who seek or receive services for AOD abuse prevention, assessment, and treatment. These individuals include persons whom outreach workers help on the street.

Federal confidentiality laws and regulations protect any information about a client who has applied for or received any services related to AOD abuse from a program that is covered under the law. The services applied for or received by a client may include screening, referral, assessment, diagnosis, individual or group counseling, or treatment.

The restrictions on disclosure of such information apply to any information that would identify the client as an AOD abuser, either directly or by implication. This general rule applies from the time the client makes an appointment or accepts services. 3 It also applies to former clients or patients. The rule still applies when the person making an inquiry about the client already has the information, has other ways of getting it, has some form of official status, is authorized by State law, or has a subpoena or search warrant.

Federal laws and regulations are intended to protect clients' confidentiality in order to attract people into treatment. The regulations tightly restrict communications; unlike in either the physician-patient or the attorney-client privilege, the AOD worker is prohibited from disclosing even the client's name (§2.4).

Programs Governed by the Federal Regulations

Any program that specializes, in whole or in part, in providing treatment, counseling, or assessment and referral services for people with AOD problems must comply with the Federal confidentiality regulations (§2.12(3)). This means that programs that provide outreach services for populations at risk for infectious diseases but also provide outreach services for those at risk for AOD problems must comply with the Federal law.

Although the Federal regulations apply only to programs that receive Federal assistance, this includes indirect forms of Federal aid, such as tax-exempt status or State or local government funding received (in whole or in part) from the Federal Government.

Coverage under the Federal regulations does not depend on how a program labels its services. Calling itself a "prevention program," an "outreach program," or a "screening program" does not excuse a program from adhering to the confidentiality rules. It is the kind of services, not the label, that determines whether the program must comply with the Federal confidentiality laws.

State Laws

In the wake of the AIDS epidemic, many States have passed laws protecting HIV-related information about clients. These laws are designed to encourage individuals who are at risk for HIV infection to get tested; to determine their HIV status and, if found to be positive, to begin medical treatment early; and to change risk-associated behaviors. Many State laws have been passed because of the concern that HIV-positive individuals may experience discrimination in employment, medical care, insurance, housing, and other areas if their HIV status becomes known to others. Separate State laws may protect information about other infectious diseases.

Because State laws that protect information about infectious diseases vary in scope, programs providing outreach services to populations at risk for infectious diseases should become familiar with the requirements of their State laws. State health departments should be able to provide information about local laws pertaining to infectious diseases.

Sharing Confidential AOD Information

Information that is protected by the Federal confidentiality regulations may be disclosed after the client has signed a proper consent form. (As explained later in this chapter, some States also require parental consent if the client is a minor.) The regulations also permit disclosure without the client's consent in certain situations, such as medical emergencies, program evaluations, and communications among staff within a program.

The most commonly used exception to the general rule that prohibits disclosure of AOD information is when a program obtains a client's written consent. State laws that protect information about infectious diseases also generally permit disclosure of information if the client signs a consent form. (State laws vary considerably, however, on what language the consent form must contain.)


Most disclosures of information about an AOD client are permissible if the client has signed a valid consent form that has not expired or been revoked (§2.31). 4 An exception may exist when an AOD client's file contains information about HIV infection or AIDS (see "Use of Consent Forms").

A proper consent form must be in writing and must contain each of the items contained in §2.31 (see sample consent form in Exhibit 5-1 ), which are:

  • The name or general description of the program(s) making the disclosure
  • The name or title of the individual or organization that will receive the disclosure
  • The name of the client
  • The purpose or need for the disclosure
  • How much and what kind of information will be disclosed
  • A statement that the client may revoke (take back) the consent at any time, except to the extent that the program has already acted on it
  • The date, event, or condition on which the consent expires if not previously revoked
  • The signature of the client
  • The date on which the consent is signed (§2.31(a)).

Box Icon


Exhibit 5-1: Consent for the Release of Confidential Information. I, (Name of client) authorize (Name or general designation of program making disclosure)

A general medical release form, or any consent form that does not contain all of the elements listed above, is not acceptable. Some items on this list deserve further explanation and are discussed below.

Purpose of the Disclosure and How Much and What Kind of Information Will Be Disclosed

The purpose of the disclosure, and how much and what kind of information will be disclosed, are closely related. All disclosures, and especially those made pursuant to a consent form, must be limited to information that is necessary to accomplish the need or purpose for the disclosure (§2.13(a)). It would be improper to disclose everything in a client's file if the recipient of the information needs only one specific piece of information.

In completing a consent form, therefore, it is important to determine the purpose or need for the communication of information. Once this need has been identified, it is easier to determine how much and what kind of information will be disclosed, tailoring it to what is essential to accomplish the need or purpose that has been identified.

As an example, suppose an outreach worker is screening a client for AOD services and determines that the client should be assessed more fully by a treatment program. The outreach worker may want to call a treatment program to set up an appointment for the client. The purpose of the disclosure would be "to set up an appointment for an assessment." The disclosure would then be limited to a statement that "Jane Doe (the client) has been screened for AOD abuse." No other information about Jane Doe would be released to the treatment program.

Client's Right to Revoke Consent

The general consent form authorized by the Federal regulations permits the client to revoke consent at any time, and the consent form must include a statement to this effect. Such revocation need not be in writing. If a program has already made a disclosure prior to the revocation, the program is said to have acted in reliance on the consent - in other words, the program was relying on the permission given in the consent form when it made the disclosure. Therefore, the program is not required to try to retrieve the information it has already disclosed. 5

Expiration of the Consent Form

The consent form must also contain a date, event, or condition on which it will expire if it is not revoked by the client before then. A consent must last "no longer than reasonably necessary to serve the purpose for which it is given" (§2.31(a) (9)).

If the purpose of the disclosure can be expected to be accomplished in 5 or 10 days, for example, it is better to fill in that amount of time rather than a longer period. It is better to think through how much time the consent form should run than to have all consent forms within an agency expire within a standard time, such as 60 or 90 days. When a uniform expiration date is used, an agency can find itself in a situation in which there is a need for a disclosure, but the client's consent form has expired. This means, at the least, that the client must come to the agency again to sign a consent form. At worst, the client has left or is unavailable (e.g., hospitalized), and the agency will not be able to make the disclosure.

The consent form does not need to contain a specific expiration date, but may instead specify an event or condition. For example, if an AOD client is being referred to an HIV testing site, the consent form should state that it will expire after he or she has "gone for testing," or on the date that the appointment for testing will be made.

If an outreach worker needs to communicate with an outside agency over a longer period, the consent form should be worded accordingly. For example, if the outreach worker is communicating with a child welfare agency about placement of the client's children, then the consent form should expire "after Jane Doe's children are returned."

Signature by Minors and Parental Consent

A minor (defined in most states as persons under age 18) must always sign a consent form for a program to release information, even to his or her parent(s). (Parent refers to a parent, guardian, or other person legally responsible for the minor.) The program must obtain the parent's signature in addition to the minor's signature only if the program is required by State law to obtain parental permission before providing treatment to minors (§2.14).

In other words, if State law does not require the program to obtain parental consent to provide services to a minor, then parental consent is not required to make disclosures (§2.14(b)). If State law does require parental consent to provide services to a minor, then parental consent is required to make any disclosures. The program must always obtain the minor's consent for disclosures and cannot rely on the parent's signature alone. Outreach programs should consult with a local lawyer to determine whether they need parental consent to provide services to minors. 6

Required Notice Against Redisclosure of Protected Information

Once the consent form has been properly completed, one last formal requirement remains. Any disclosure made with the written consent of the client must be accompanied by a written statement that the information disclosed is protected by Federal law and that the person receiving the information cannot make any further disclosure of such information unless permitted by the regulations (§2.32). This statement, not the consent form itself, should be delivered and explained to the recipient at the time of disclosure or earlier (see Exhibit 5-2 ).

Box Icon


Exhibit 5-2: Prohibition on Redisclosing Information Concerning Clients Receiving Treatment for AOD Abuse. This notice accompanies a disclosure of information concerning a client in alcohol/drug abuse treatment, made to you with the consent of (more...)

The prohibition on redisclosure is clear and strict. Those who receive the notice are prohibited from rereleasing information except as permitted by the regulations. A client may, however, sign a consent form authorizing such a redisclosure.

Use of Consent Forms

The fact that a client has signed a proper consent form authorizing the release of information does not force a program to make the proposed disclosure unless the program has also received a subpoena or court order (§§2.3(b); 2.61(a) (b)). 7 The program's only obligation is to refuse to honor a consent that is expired, deficient, or otherwise known to be revoked, false, or invalid (§2.31(c)). A program cannot be forced to disclose information, even by a subpoena, if a client has not given consent; however, a program can be forced to disclose by a subpoena if the client has given consent.

In most cases, the decision of whether to make a disclosure pursuant to a consent form is within the discretion of the program, unless State law requires or prohibits disclosure once consent is given. In general, it is best to follow this rule: Disclose only what is necessary, for only as long as is necessary, keeping in mind the purpose of the communication.

The above rules apply to any program that specializes, in whole or in part, in providing treatment, counseling, and/or assessment and referral services for people with AOD abuse problems. State laws control how programs may release information about infectious diseases. Many States that protect information about HIV infection and AIDS prohibit the release of information without the consent of the client and have strict requirements about the form the client must sign.

What happens when a client signs a proper consent form permitting disclosure of information about AOD abuse, and his or her file also contains information about HIV infection or AIDS? Can the program release the AOD information? The answer depends on the law of the State in which the program is located. Even if a client has signed a consent form permitting disclosure of information about his or her AOD abuse, the program may not release information about HIV infection or AIDS unless it has complied with State law governing the release of such information.

Suppose a client's file contains information about both AOD abuse and HIV infection, and the client wants to allow the program to disclose the AOD information, but not the HIV information, to an outside agency. There are a number of ways to handle such a situation.

  • The consent form can be drafted in a way that includes all (or relevant parts of) the AOD information but excludes all the HIV information. The consent form must contain a statement of the purpose of the disclosure and how much and what kind of information will be disclosed. The program can restrict access to the HIV information in the client's file by having the client sign a consent form that has as its purpose, for example, "referral for outpatient AOD treatment." How much and what kind of information will be disclosed would then be "results of AOD screening and assessment."
  • The program can maintain a filing system that separates AOD- and HIV-related information into two different files, such as "treatment" and "medical," and disclose only information from the treatment (AOD) file. (This solution can be used regardless of whether State law protects information about HIV infection and AIDS.)
  • The program can send the client's file without the HIV-related information to the outside agency and place the following notice on the disclosure: This file, which is being provided to [name of the referral agency] with the client's consent, does not contain any information protected by section [number] of [State] law. The fact that this notice accompanies these records is NOT an indication that the client's file that is maintained by [name of the referring agency] contains any information protected by section [number].

If this approach is used, the notice should be attached to all clients' files, regardless of whether they contain any HIV-related information, when referrals are made so that those who do have such information are not singled out and identified by implication.

If the client wants information about his or her HIV infection to be disclosed to an outside agency, the program must ensure that it is complying with the requirements of State law before it releases any such information.

Communication With Others

Now that the rules regarding consent are clear, we can turn to the questions that were introduced at the beginning of this chapter:

  • How can outreach workers make referrals for further assessment without violating clients' confidentiality rights?
  • How can outreach workers and programs seek information from collateral sources about clients whom they are screening?
  • How can multiple agencies effectively communicate without violating the Federal rules or State laws?
  • Can outreach workers and programs report child abuse?

The following sections address these questions. In all such cases, it is important to bear in mind the requirements of the Federal regulations concerning AOD information, as well as any State laws that govern the confidentiality of information about infectious diseases (including HIV infection). In all cases, any program that wishes to communicate with collateral sources about a client's infectious diseases must check State laws to determine whether the client's consent is required before such contacts are made.

Making Referrals for AOD Assessment

When a street outreach worker makes an appointment for a client to receive assessment or treatment for AOD abuse, is the worker making a disclosure that is covered by the Federal AOD regulations? The answer is yes.

When a program that screens clients for AOD abuse makes contact with an AOD assessment or treatment agency to set up an appointment for a client, it is making a client-identifying disclosure that the client has sought or received its services. In other words, when the outreach worker makes a telephone call to an AOD program, the worker is, in effect, telling the AOD program that the client has asked for or received AOD services. The Federal AOD regulations generally prohibit this kind of disclosure unless the client gives consent or the disclosure falls under one of the other exceptions to the general rule. (See "Other Exceptions to the General Rule" later in this chapter.)

How, then, is an outreach worker to proceed? The easiest way is to obtain the client's written consent to call the assessment or treatment program. 8 Another possibility is for the outreach worker to accompany the client to the assessment or referral program and allow the client to make all disclosures.

If the outreach worker uses a consent form, it must be one that meets the requirements of the regulations, not a general medical release form. If the outreach worker is part of the program to which the client will be referred, then a consent form may not be necessary under the Federal rules, since there is an exception for information disclosed to staff within the same program (see "Internal Program Communications" later in this chapter).

If the outreach worker is making a referral for the client to receive services for HIV infection or AIDS, the worker must check State laws to find out whether the client's consent is required before contact is made with an outside agency. Programs that provide outreach services for both HIV/AIDS and AOD abuse must comply with both sets of laws. Thus, an AOD program that makes a referral for HIV testing must comply with both Federal and State HIV/AIDS confidentiality laws. An HIV/AIDS outreach program that is screening for AOD abuse must also comply with both sets of laws when it makes a referral for AOD abuse.

Seeking Information From Collateral Sources

Programs that screen clients may at times need to ask a collateral source, such as a family member, employer, physician, or mental health professional, to verify information obtained from the client. To communicate with others in this way, however, is to make a client-identifying disclosure. In other words, when program staff seek information from these sources, they are letting those sources know that the client has asked for AOD services. The Federal AOD regulations generally prohibit this kind of disclosure unless the client consents to it.

To address this problem, a program may obtain the client's consent to contact the specific individual or agency from which information is being sought. Another approach is to ask the client to sign a consent form that permits disclosure to any one of a number of entities or persons listed on the consent form itself. The form used in this latter method must include "the name or title of the individual or the name of the organization" for each collateral source the program may contact. With either of these two methods, the consent form required by the Federal regulations, not a general medical release form, must be used.

Programs that screen for infectious diseases (including HIV infection) and wish to obtain information from collateral sources must check State laws to determine whether the client's consent is required to contact those sources. For example, an HIV/AIDS outreach worker wishing to communicate with a client's AOD treatment program must first determine whether the client's consent is required, as well as what other State law requirements must be met. The drug treatment program, in turn, must obtain a signed consent form from the client before releasing any information to the outreach worker.

Ongoing Communications Among Diverse Agencies

Programs to which referrals are made for treatment often wish to review the results of screening procedures, as well as any other information that the referring agency has about a client. To get this information, the AOD treatment program must obtain the client's consent to receive screening results from the referring agency.

Outreach agencies, however, often need to communicate with a treatment or other program over an ongoing period. In these cases, the agency making the referral and the program receiving it both must have the client sign a consent form permitting each to communicate with and release information to the other. Every conversation about a client between two programs that are covered by the Federal regulations must be authorized by such written consent, unless some other exception to the general rule applies (see "Other Exceptions to the General Rule" later in this chapter).

All communications by the outreach agency with outside persons or entities must be dealt with on an individual basis, either by the client's consent or by ensuring that the proposed disclosure falls within one of the narrow exceptions permitted by the Federal regulations. (These exceptions are explained later in this chapter.) As with other types of communications described in this section, outreach agencies that need to communicate with other programs about clients' HIV or AIDS information must comply with the requirements of State law.

Reporting Child Abuse and Neglect

All 50 States and the District of Columbia have statutes that require reporting when there is reasonable cause to believe or suspect child abuse or neglect. Although many of these State statutes are similar, each has different rules about what kinds of conditions must be reported, who must report them, and when and how reports must be made.

Most States require not only physicians but also educators and social service workers to report suspected child abuse. Most States require an immediate oral (usually telephone) report, and many now have toll-free numbers to facilitate reporting. (Half of the States require both oral and written reports to be made.) All States extend immunity from prosecution to persons who report child abuse and neglect, meaning that a person who reports child abuse or neglect cannot be brought into court. Most States provide for penalties for failure to report.

The Federal confidentiality regulations permit programs to comply with State laws that require the reporting of child abuse and neglect. Thus, if a client reveals to program staff that he or she has neglected or abused children - or is a neglected or abused child - that fact may have to be reported to State authorities.

However, this exception to the general rule prohibiting disclosure of any information about a client applies only to initial reports of child abuse or neglect. Programs may not respond to followup requests for information, or even subpoenas for additional information - even if the records are sought for use in civil or criminal proceedings resulting from the program's initial report - unless the client gives consent or the appropriate court issues an order under subpart E of the regulations. This means that child protection authorities cannot have access to clinical records without the client's consent or a court order.

Because State laws vary, programs should consult an attorney who is familiar with State laws to ensure that their reporting practices are in compliance with those laws and that any report of child abuse that reveals infectious disease information about a client is made in accordance with them.

Other Exceptions to the General Rule

Communications Not Disclosing Client-Identifying Information

The Federal regulations permit programs to disclose information about a client if the program reveals no client-identifying information. This is information that identifies someone as an AOD abuser. Thus, a program may disclose information about a client if that information does not identify him or her as an AOD abuser or support anyone else's identification of the client as an AOD abuser. There are two ways in which this may be accomplished.

First, a program can report aggregate data about all or a portion of its client population (i.e., summarizing information that gives an overview of the clients served in the program). Thus, for example, a program may tell a news agency that in the last 6 months, it screened 43 clients - 10 female and 33 male.

Second, a program can communicate information about a client in a way that does not reveal the client's status as an AOD abuse patient (§2.12(a) (i)). For example, a program that provides services to clients with other problems or illnesses in addition to AOD abuse may disclose information about a particular client as long as it does not reveal that the client has an AOD problem or is receiving services for AOD abuse. A program that is part of a general hospital, for instance, may contact the police about a threat made by a client, as long as it does not reveal that the client has an AOD abuse problem or is a client of the treatment program.

Programs that provide only AOD services, however, may not be able to use this latter approach, since letting someone know that one is calling from a drug outreach program will necessarily identify the client as someone receiving services from the program. A free-standing program, however, can sometimes make anonymous disclosures - that is, disclosures in which the client's name or status as an AOD client is not mentioned. Programs using this exception to disclose information related to HIV infection or other infectious diseases must also consult State laws to determine whether a disclosure is permitted.

Internal Program Communications

The Federal regulations permit some AOD information to be shared among workers within the same program. Staff who have access to clients' records because of the nature of their responsibilities, including full- or part-time employees and unpaid volunteers, may consult among themselves or otherwise share information about clients if their work so requires (§2.12(c) (3)).

A question that often arises is whether this exception allows a program that provides AOD services as part of a larger entity - such as a health department or mental health agency - to share confidential information with others who are not part of the AOD program itself. The answer is among the most complicated in this area. In brief, such disclosures are permitted under certain circumstances, but it is essential that an expert be consulted before these communications are made. Programs should consult an attorney who is familiar with State law to learn whether it similarly restricts staff within an infectious-disease program in regard to HIV-related information about clients.

Qualified Service Organization Agreements

Programs often need to share information about clients with outside agencies that provide services to the program. Examples of such an outside agency is a laboratory performing AOD analyses or a company providing data processing. When communication needs to take place on a routine basis with such an outside agency, the program can enter into a qualified service organization agreement (QSOA).

A QSOA is a written agreement between a program and a person providing services to the program, in which that person:

(1) Acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the program, he or she is fully bound by [the Federal confidentiality] regulations; and

(2) Promises that, if necessary, he or she will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations (§§2.11, 2.12(c) (4)).

A QSOA should be used only when an agency or official outside of the program is providing a service to the program itself. It is not a substitute for obtaining individual consent in other situations.

Disclosures that are made under a QSOA must be limited to information that is needed by the outside agency so that it can perform its services for the program and so that the program can function effectively. QSOAs may not be used between two programs that provide AOD abuse services.

Programs that share information with outside agencies by using QSOAs must take care that, if any information related to infectious diseases (including HIV infection) is to be transmitted, it is done in accordance with State law.

Medical Emergencies

A program may make disclosures to public or private medical personnel "who have a need for information about a client for the purpose of treating a condition which poses an immediate threat to the health" of the client or any other individual. The regulations define a medical emergency as a situation that poses an immediate threat to health and requires immediate medical intervention (§2.51).

The exception concerning medical emergencies permits disclosure only to medical personnel. This means that it cannot be used as the basis for a disclosure to family or the police or other nonmedical personnel.

Whenever a disclosure is made to cope with a medical emergency, the program must document the following information in the client's records:

  • The name and affiliation of the recipient of the information
  • The name of the individual making the disclosure
  • The date and time of the disclosure
  • The nature of the emergency.

Programs using the medical-emergency exception to disclose information about clients in relation to infectious diseases, including HIV infection and AIDS, must also consult State laws to determine whether a disclosure is permitted.

Crimes on Program Premises or Against Program Personnel

If a client has committed or threatened to commit a crime on program premises or against program personnel, the regulations permit the program to report the crime or threat to a law enforcement agency or to seek its assistance. In such a situation, without any special authorization, the program can disclose the circumstances of the incident, including the suspect's name, address, last known whereabouts, and status as a client at the program (§2.12(c)5)). Programs should consult a local lawyer to determine how to report a crime on program premises or against program personnel if the report will reveal information about a client's HIV infection or AIDS.

Court-Ordered Disclosures

A State or Federal court may issue an order that will permit a program to make a disclosure about a client that would otherwise be forbidden. A court may issue such an authorizing order, however, only after it follows certain special procedures and makes particular determinations required by the regulations. A subpoena, search warrant, or arrest warrant, even when signed by a judge, is not sufficient, standing alone, to require or even to permit a program to disclose information (§2.61).

Before a court can issue an order authorizing a disclosure about a client, the program and any clients whose records are sought must be given notice of the application for the order and an opportunity to make an oral or written statement to the court. 9 Generally, the application and any court order must use fictitious names for any known client, and all court proceedings in connection with the application must remain confidential unless the client requests otherwise (§§2.64(a), (b), 2.65, 2.66).

Before issuing an authorizing order, a court must find that there is "good cause" for the disclosure. A court can find good cause only if it determines that the public interest and the need for disclosure outweigh any negative effect that the disclosure will have on the client, the relationship between the client and his or her physician or counselor, and the effectiveness of the program's treatment services. Before it may issue an order, the court must also find that other ways of obtaining the information are not available or would be ineffective (§2.64(d)). 10

Programs using the court order exception to disclose information relating to HIV infection or other infectious diseases must also consult State law to determine whether such a disclosure is permitted.

Research, Audit, or Evaluation

The confidentiality regulations also permit programs to disclose client-identifying information to researchers, auditors, and evaluators without client consent, provided that certain safeguards are met (§§2.52, 2.53). 11 State law must be consulted to ensure that any audit that inspects information about a client's HIV status is done in accordance with State law.

Other Rules About Confidentiality

Client Notice and Access to Records

The Federal AOD confidentiality regulations require a program to notify a client of his or her right to confidentiality and to give him or her a written summary of the regulations' requirements. The notice and summary should be handed to clients when they begin participating in the program or soon thereafter (§2.22(a)). The regulations also contain a sample notice.

Programs can use their own judgment to decide when to permit clients to view or obtain copies of their records, unless State law grants clients the right of access to records. The Federal regulations do not require programs to obtain written consent from clients before permitting them to see their own records.

Security of Records

The Federal regulations require programs to keep written records in a secure room, a locked file cabinet, a safe, or other similarly secure location. This requirement can pose a particular challenge to street outreach workers, who sometimes carry clients' records with them. Workers may be concerned that if their possessions are stolen on the street, clients' names will be disclosed.

Two precautions may be taken by programs to deal with this problem. First, clients' records should be transferred to a secure room as often as possible, preferably at the end of each day. Second, workers could use coded forms to record client information and keep clients' names in a separate location, such as in a small notebook kept in a breast pocket. This will reduce the risk that if a worker's bag is stolen, client-identifying information will be disclosed. Each day, the list of clients seen should be torn out of the notebook and placed in a secure room or locked file cabinet.

The program should establish written procedures that regulate access to and use of clients' records. Either the program director or a single staff person should be designated to process inquiries and requests for information (§2.16).

A Final Note

State laws govern many issues of concern to outreach programs. All outreach programs should try to find a lawyer who is familiar with State laws affecting their programs. A local practitioner is the best source for advice on such issues, particularly since many areas of the law are still developing.



This chapter was written for the consensus panel by Margaret K. Brooks, Esq.


Citations in the form "§2§" refer to specific sections of 42 C.F.R. Part 2.


Only clients who have "applied for or received" services from a program are protected. If a client has not yet been assessed or counseled by a program and has not sought help from the program, the program is free to discuss the client's AOD problems with others. However, from the time the client applies for or receives services, or the program first conducts an assessment or begins to counsel the client, the Federal regulations govern.


Note, however, that no information obtained from a program (even if a client consents) may be used in a criminal investigation or prosecution of a client unless a court order has been issued under the special circumstances set forth in §2.65 (42 U.S.C. §§290dd-3(c); 42 C.F.R. §2.12(a), (d)).


The regulations state that "acting in reliance" includes services that were provided while the program was relying on the consent form to permit disclosures to a third-party payer. (Third-party payers are health insurance companies, Medicaid, or any party, other than the patient's family or the treatment agency, that pays the bills.) Thus, a program can bill the third-party payer for past services that were provided before the consent was revoked. However, a program that continues to provide services after a client has revoked a consent authorizing disclosure to a third-party payer does so at its own financial risk.


It seems unlikely that State law will require parental consent for outreach programs to provide services to minors. Outreach programs should know, however, that the Federal AOD regulations contain an exception permitting a program director to communicate with a minor's parents, even when the minor does not consent, when both of the following two conditions are met: (1) The program director believes that a minor who is applying for services, because of extreme AOD use or a medical condition, does not have the capacity to decide rationally whether to consent to the notification of his or her parents or guardian, and (2) The program director believes that the disclosure is necessary to cope with a substantial threat to the life or well-being of the minor or of someone else. Thus, if a minor applies for services in a State where parental consent is required to provide services, but the minor refuses to consent to the program's notification of his or her parent or guardian, the regulations permit the program to contact a parent without the minor's consent only if these two conditions are met. Otherwise, the program must explain to the minor that, although he or she has the right to refuse to consent to any communication with a parent, the program cannot provide any services without such communication and parental consent [§2.14(d)].


For an explanation of how to handle subpoenas and search and arrest warrants, see Confidentiality: A Guide to the Federal Laws and Regulations, published in 1990 by the Legal Action Center, 153 Waverly Place, New York, NY 10014.


Note that if the client is a minor and State law requires the outreach program to obtain parental consent in order to provide services, then parental consent is required to disclose information about the minor. Programs providing outreach services should determine whether State law requires that they obtain parental consent to offer services to minors.


However, if the information is being sought to investigate or prosecute a client for a crime, only the program need be notified (§2.65). If the information is sought to investigate or prosecute the program, no prior notice at all is required (§2.66).


If the purpose of seeking the court order is to obtain authorization to disclose information in order to investigate or prosecute a client for a crime, the court must also find, in addition to these two criteria, that the crime involved is extremely serious (such as an act causing or threatening to cause death or serious injury) and that the records sought are likely to contain information of significance to the investigation or prosecution. When law enforcement personnel seek the order, the court must also find that the program had an opportunity to be represented by independent counsel. (If the program is a governmental entity, it must be represented by counsel.) (§2.65(d))


For a more complete explanation of the requirements of §§2.52 and 2.53, see Confidentiality: A Guide to the Federal Laws and Regulations (cited in note 6).


  • PubReader
  • Print View
  • Cite this Page

Recent Activity

Your browsing activity is empty.

Activity recording is turned off.

Turn recording back on

See more...