Skip to main content
Categories

Published: 02/21/24

Author: Kirsten Leloudis

Last summer, the legislature passed Session Law (S.L.) 2023-95, which amended G.S. 122C-53(a), the North Carolina statute governing the release of confidential information about patients receiving behavioral health services, including mental health and substance use disorder (SUD) care. Specifically, the new law aligns state legal requirements for disclosing patient information with requirements found in federal law. The new law went into effect on October 1, 2023, and is expected to help reduce the administrative burden for behavioral health professionals who may need to share patient information to deliver, coordinate, and monitor patient care. This blog post, co-written by SOG faculty members Kirsten Leloudis and Mark Botts, addresses the requirements of the new law and its implementation.

Background

Public health departments, mental health care providers, hospital systems, and other health care providers, as well as family and juvenile courts and social services agencies, may need to share or receive patient information to provide, coordinate, and monitor patient care and treatment in a way that enhances the efficacy of treatment, the coordination of multiple services, and the efficient use of resources. The most common, legally valid mechanism for these entities to share patient information is through the patient’s signed, written consent for the release of the patient’s information.[1]

Three different confidentiality laws apply to a patient’s behavioral health information:

  1. The federal HIPAA Privacy Rule governing health care information, 45 C.F.R. 164;
  2. The federal confidentiality law governing SUD patient records, 42 C.F.R. 2; and
  3. The NC laws governing mental health and substance use services information, G.S. 122C, 10A N.C.A.C. 26B .0200.

Historically, the requirements for consent to release a patient’s behavioral health information were not uniform across these three laws- but that is starting to change. Pursuant to recent federal legislation[2] and rulemaking, the federal law governing SUD records (42 C.F.R. Part 2) is being brought into conformity with the federal HIPAA Privacy Rule as it applies to consent to release patient information.

However, North Carolina’s rule governing the release of mental health and SUD records- 10A N.C.A.C. 26B .0202– imposes requirements for consent forms that the federal laws do not, including the following:

  • An automatic one-year expiration date on all authorizations to release patient information. The federal law allows the consent form to simply state a date or event upon which the consent will expire- e.g., when probation ends, when I terminate treatment, when my protective services case ends, etc. Under the federal law, the event needs to relate to the individual patient or the purpose of the disclosure, and the patient could choose a date or event that extends beyond one year.[3]
  • A requirement to specify, by name, the individual or agency to receive the information. Federal law permits this but also allows the authorization to identify the recipient more broadly by “class of persons”- e.g., my doctors, my nurses, my dermatologist, my mental health counselor, etc.[4]

These two requirements in 10A N.C.A.C. 26B .0202 are more restrictive than federal law and may present challenges for providers and their patients. For example, the automatic annual expiration means that providers must keep track of forms’ expiration dates and ensure that all patients sign a new form each year to avoid the disruption of important information sharing. A similar issue arises when, for example, a patient identifies their provider who will receive their records by name (e.g., Dr. Doe), but then changes providers shortly after- in which case, the prior consent form can no longer be used to support information sharing and a new form must be signed.

S.L. 2023-95, which is discussed in the next section of this blog post, addresses these challenges by allowing providers to use and accept a consent form that includes the core elements of a HIPAA authorization.

Impact of S.L. 2023-95

S.L. 2023-95 amended G.S. 122C-53(a) as follows (underlines indicate new text and strikethroughs indicate removed text):

“(a) A facility may disclose confidential information regarding a client if the client or the legally responsible person consents in writing to the release of the information to a specified person. This release is valid for a specified length of time and which is subject to revocation by the consenting individual. A written release that contains the core elements for authorizations as set forth in Subpart E of Part 164 of Title 45 of the Code of Federal Regulations shall be valid for the purposes of this subsection.”

The required core elements of a HIPAA authorization are described at 45 C.F.R. 164.508(c)(1) and include:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (Emphasis added).
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. (Emphasis added).
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

The option to list a “class of persons” who can receive the patient’s information differs from the stricter requirement at 10A N.C.A.C. 26B .0202, which mandates that the recipient be identified by name. Similarly, the option under HIPAA to write in an “expiration date or an expiration event” is less limiting than the expiration requirement at 10A N.C.A.C. 26B .0202, which mandates that the consent form automatically expire one year after the form is signed.

What does all of this mean for providers? The requirements in Rule 10A N.C.A.C. 26B .0202—that a patient’s written consent for release of information must designate recipients by name and the consent automatically expires after one year—no longer apply. With respect to these elements of a consent form, it is sufficient for a provider to use a form that complies with HIPAA’s specifications for core elements. For those who already must comply with HIPAA, and who are preparing to implement the changes to  42 C.F.R. 2 that will align the federal SUD confidentiality regulations with HIPAA, the change to G.S. 122C-53(a) should mean fewer forms and less administrative burden related to tracking consent form expiration dates and asking patients to sign new forms.

Implementing S.L. 2023-95

It is not enough for a provider to use a consent for the release of information that includes the HIPAA core elements and call it a day. Other state laws contain provisions relating to the release of information with consent that go beyond the required elements for a consent form. These other provisions still apply. For example, the Rule 10A N.C.A.C. 26B .0203 contains provisions addressing who may sign the consent form; Rule 10A N.C.A.C. 26B .0205 includes a requirement to inform the client or legally responsible person that provision of services is not contingent upon signing a consent for release of information; and Rule 10A N.C.A.C. 26B .0207 requires that a copy of the signed consent form be placed in the patient’s record.

Many providers of behavioral health services (mental health, SUD, and developmental disability services) are also HIPAA covered entities. Therefore, a consent form used for the disclosure of information that is confidential under G.S. 122C will often need to conform to the HIPAA privacy rule requirements for patient authorization. In addition to setting out the core elements of a consent form, HIPAA requires the inclusion of other statements about how the patient’s information may be used or disclosed. A provider that is a HIPAA covered entity will need to use a form that—in addition to adhering to HIPAA’s core elements—contains these required statements. A comprehensive list of the requirements for an authorization under the HIPAA Privacy Rule can be found at 45 C.F.R. 164.508(b)-(c).

Finally, a provider that offers SUD services and is subject to 42 C.F.R. 2 should bear in mind that the changes to 42 C.F.R. 2 that align the regulations with the HIPAA Privacy Rule are not effective until 60 days after the publication of the final rule on February 16, 2024.  Until the changes are effective, these providers must continue to comply with the current requirements in 42 C.F.R. 2 for the release of a patient’s confidential SUD information. Once effective, providers have a two-year window of time to come into compliance with the revised federal regulations.

Questions?

Do you have questions about S.L. 2023-95 and its implementation? Please contact Kirsten Leloudis (kirsten@sog.unc.edu) or Mark Botts (botts@sog.unc.edu).


Notes

[1] The terms “consent form,” “consent for release of information,” “release of information,” and “authorization” are used interchangeably in this blog post.

[2] Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) requires the United States Department of Health and Human Services (HHS) to amend 42 C.F.R. Part 2 to make the regulations align with existing requirements under HIPAA. See pg. 95 at https://www.congress.gov/116/bills/hr748/BILLS-116hr748enr.pdf.

[3] 42 C.F.R. 2.31(a)(7); 45 C.F.R 164.508(c)(v).

[4] Effective February 16, 2024, the federal regulations governing SUD treatment information were changed from requiring the name of the individual or entities to whom a disclosure would be made to requiring the “name(s) of the person(s), or class of persons, to which a disclosure is to be made.” (Emphasis added). For a consent for uses and disclosures for treatment, payment, and health care operations, the recipient may be described as “my treating providers, health plans, third-party payors, and people helping to operate this program” or similar statement. See 42 CFR 2.31(a)(4)(i).

This blog post is published and posted online by the School of Government for educational purposes. For more information, visit the School’s website at www.sog.unc.edu.

Coates Canons
All rights reserved.
This site is registered on Toolset.com as a development site.