This article has been reviewed for accuracy by our peer review team which includes clinicians and medical professionals. Learn more about our peer review process.
Rehab confidentiality can be a concern for those considering addiction and mental health treatment. They want to know whether their privacy will be preserved— not just when they are away in rehab receiving care at our facility, but in the lead-up to their admission into our programs and upon discharge. But patients looking for private, confidential treatment don’t have to worry: thanks to certain patient consent requirements and regulations like HIPAA and 42 CFR, Part 2, which govern the release of medical records (among other things), patients can have a completely confidential rehab experience.
As Chief Compliance and Operations Officer at FHE Health, Rami Sleiman should know. He’s not just certified in Healthcare Compliance (CHC)— it’s part of his job to ensure that FHE Health is in full operational compliance with the healthcare laws that are in place to protect your privacy and confidentiality as a patient with us. In a rare interview, we had the opportunity to mine Sleiman’s expertise on issues of patient privacy. What follows are patients’ most commonly asked questions, with Sleiman’s answers in quotation marks.
Privacy with Your Employer and Insurance When Exploring Treatment Coverage and Rehab Options
Can I check to see if treatment is covered without alerting my insurance or employer?
“You can check to see if treatment is covered without alerting your employer or insurance. To do so, simply request from your carrier your policy terms and conditions. Within it, it will list all services covered under your health plan. This is a way to determine coverage without specifically telling your employer or insurance that you are seeking treatment.” – Mr. Sleiman
Can my employer retaliate against me for seeking addiction treatment? Do I have to tell them why I need a leave of absence?
“Retaliation against seeking treatment violates protections detailed by The Americans with Disabilities Act (ADA). This federal regulation expressly prohibits discrimination against employees who have a disability. A substance use disorder or mental health condition is considered a disability under the ADA. However, the ADA does not protect the employee from termination should the reason for termination be using drugs or alcohol while on duty, poor performance as a result of substance use, or if substance use results in unsafe work conditions. The caveat is that if an employee voluntarily seeks treatment, any past employment issues related to substance use cannot be utilized to terminate the employee, as ADA protection applies.
The employer must determine if the employee falls under one of the qualifying conditions of the Family Medical Leave Act (FMLA). If the employee falls under the conditions of the FMLA, then the employee can take a maximum of 12 unpaid weeks off without risking job loss. Under this filing, the employee will retain his/her health benefits and coverage through the employer.
An employee does not need to detail what type of treatment he/she needs nor does he/she need to tell the employer the specific diagnosis that would trigger the FMLA. However, there must be sufficient information regarding the nature and severity of the health condition for the employer to determine qualification. In other words, while your employer cannot mandate diagnosis of your specific condition that requires leave, adequate information must be provided to determine if the symptoms qualify as a medical condition under the FMLA.” – Mr. Sleiman
Ensuring Your Privacy While You’re in Rehab
Who has to know about my treatment? Can I keep it a secret?
“Under most circumstances, no one who you do not authorize has to know about your treatment, and treatment centers are obligated to uphold your confidentiality. Chapter 42, Part 2 of the Code of Federal Regulations (C.F.R) details that the patient must expressly consent to the use or disclosure of his/her health information. However, there are conditions under which Protected Health Information (PHI) can be revealed to Law Enforcement or the Department of Health, such as imminent risk to self or others or infectious disease outbreak. In addition, PHI may be disclosed due to emergency situations, such as a medical emergency.
The State Regulatory body or national organization that licenses or accredits the treatment center is also entitled to a patient’s PHI to perform their obligations. The Department of Health and Human Services (DHHS) have rights to disclosure of PHI for rule enforcement. However, these agencies are also obligated to protect the health information of the individual and only require the minimum necessary information to accomplish the task.
Under the Health Insurance Portability and Accountability Act (‘HIPAA,’ 45 C.F.R), the ‘Treatment, Payment, and Operations’ (TPO) exception allows covered entities, such as treatment centers, business associates, insurance companies, and primary policy holders to share minimum necessary health information to accomplish tasks related to the treatment of the patient, the payment for the patient’s treatment, or operations related to either of the above.
As an individual seeking treatment, you can determine what specific health information you want to disclose to those you authorize, should none of the above exceptions apply. You are also entitled to know what PHI was disclosed by the covered entity and to whom it was disclosed.
In no way is this a complete accounting of the laws governing confidentiality. Should you want further information, please visit www.hhs.gov.”
Once I’m in treatment, who can find out where I am?
“Only those you expressly consent to know, or those that fall under the exceptions specified above in the previous question.”
Rehab Confidentiality Concerns with Your Family
What If I don’t want to talk to family while I’m in treatment— can they pull me out of treatment?
“If you are over 18 without guardianship, you are not required to talk to family while in treatment regardless of any exceptions mentioned. You can expressly prohibit the treatment center from sharing any information with family as well. However, if a family member is the primary policyholder of your insurance, discontinuing the health coverage for you may render the treatment center unable to provide continuing care. If you are not over 18 or the family member has guardianship over you, while you do not have to speak to them, the treatment center is obligated to inform them of anything that requires decision-making.
While it is not required to talk to family, the family is an integral part of the treatment process. Often, the family system and environment contribute to the advancement of the substance use disorder or mental health condition. In addition, substance use disorder also impacts the health and wellness of the family members. Consequently, the family’s participation in the treatment process is critical for effective treatment that promotes sobriety well after graduation.”
Can family and friends come and visit me in rehab against my will?
“As a voluntarily admitted adult over the age of 18 without guardianship, you have the right to determine who is allowed to visit you while in rehab. If you do not provide consent, your family and friends cannot visit you against your will.”
How We Prioritize the Privacy of Your Medical Records
Do you have to divulge to my company or family what my diagnosis is?
“No, as stated earlier, the treatment center is not permitted to divulge diagnosis information to your employer or family without your expressed consent to do so.”
Will anyone be able to get my medical records?
“Only those that fall under the TPO exception or other exceptions discussed above will be able to access your medical records without your expressed consent. However, depending upon the obligation of the specified party, treatment centers are required to only provide the minimum necessary protected health information to accomplish the task. In any other circumstance, disclosure of your medical records requires your authorization. A treatment center that truly cares about protecting your confidentiality will be sure to obtain your written consent, often with a notary, regardless of the situation.”
Will I have access to my medical records?
“You are entitled under HIPAA to reasonable and unburdened access to copies of your medical records within 30 days of the request. You also have the right to view the original medical records as well as the right to request alteration of the records. As stated previously, you also have the right to an accounting of the disclosures of your PHI. The provider is required to notify you of the reason for a delay should it take more than 30 days. However, some states have stricter regulations that require medical records be provided sooner.
There are certain types of medical records that a healthcare provider may withhold. These include psychotherapy notes, information related to lawsuits, and any medical information that the provider reasonably believes could endanger you or others. However, you also maintain a right to appeal any denial of your medical records. Your medical records must be maintained for seven years under the False Claims Act (31 USC 3729), at which point they can be destroyed.”
Other Steps That FHE Health Takes to Protect Patient Privacy
What other steps are taken to ensure patient privacy?
“Quality facilities will require your written consent, often with a notary, before disclosing any of your health information. Other steps to ensure compliance with the HIPAA Privacy and Security rules (45 CFR Part 160 and Subparts A and C of Part 164) are defined by administrative and technical safeguards. Facility Access Controls, Workstation Use, Workstation Security and Devices and Media Controls are categories of physical safeguards that must be upheld. Some of these safeguards are as follows:
- requiring two-factor authentication to log-in to software programs that contain PHI
- implementation of cyber-security software
- HIPAA compliant servers and encryption services
- data Back-Up and Restoration
- password protection
- timed locks of computer screens.
- employee identification requirements (i.e. badges) to affirm right to access.
- maintaining locked, secure areas where PHI resides
- not leaving PHI in an area that can be accessible by unauthorized individuals (such as in a car or public location)
- computer screen filters for privacy
- ensuring PHI is only accessible to those who need to know, which is critically important because not all employees of a healthcare organization need to know every aspect of a patient’s condition.
Internal Privacy and Security policies in line with HIPAA and signed attestations by employees to uphold them are also critical to implement to mitigate against the risk of privacy and security violations. Compliance is an obligation of each member of an organization. Some policies include:
- not discussing PHI in unprotected areas such as social media platforms
- not sharing PHI to friends or family
- restriction and encryption of PHI on mobile devices
- institution of non-disclosure and confidentiality agreements upon hire
- requiring that all copies of PHI be destroyed in a fashion that makes it inaccessible (i.e. shredding papers)
- regular audits by Compliance to review access and controls and documentation of any findings and changes to policy
The DHHS also imposes monetary penalties for violations of privacy or security, which encourages healthcare providers to take all necessary steps to protect your privacy with strategies like those outlined above.
This is in no way a complete list of steps taken to ensure privacy and security. Should you want further information, please visit www.hhs.gov.”
State and Federal Laws That Encourage Rehab Confidentiality
What, if any, legal protections are in place to ensure that FHE Health takes my privacy seriously?
“State and federal regulatory guidelines govern how FHE protects patient privacy, confidentiality, and security. In particular, they govern how PHI is used and disclosed and the steps we must take to secure your information. State regulations such as 65d.30 in the Florida Administrative Code for the Department of Children and Families (DCF) or the Aspen Regulations detailed by the Florida Agency of Healthcare Administration detail how privacy should be upheld.
In addition, federal guidelines such as 42 C.F.R and HIPAA (45 C.F.R) reveal in even further detail how privacy should be protected, the security provisions necessary, and how data must be stored shared electronically. The Department of Health and Human Services (DHHS) have the greatest oversight to ensure privacy and security is upheld. Each agency, among others, can impose significant monetary penalties, probation, terminate licensure to operate, and even place a provider on an exclusion list from participation in Medicare. (This is not a complete list of sanctions.) Should a provider violate any aspect of the privacy and security rules, there are provisions that the organization must take to ensure that the appropriate parties are informed within a particular time frame of a breach. Breaches of PHI can result in further penalties against the provider.”
Still concerned about your privacy in rehab? One of our caring and knowledgeable admissions counselors would be glad to put your worries to rest.