Select Page

Welcome to the Behavioral Health Data Sharing Toolkit!


While the legal issues may seem daunting, it’s helpful to remember why taking the extra effort to share data is so important: when health information is safely and legally shared between health care providers, patients see improved outcomes and improved overall satisfaction and organizations see improved efficiency and reduced costs. More directly, people want coordinated care and understand the importance of sharing information: a survey conducted by the Office of the National Coordinator for Health IT in 2012 and 2013 found that more than 90 percent of respondents would not withhold information from a health care provider over privacy worries, and that a large majority support the use of EHRs and health information exchange.



Print Friendly, PDF & Email

Legal Issues

The legal framework for sharing behavioral health data depends on Federal and State Law.

At the Federal level, the issues are addressed in two key places:

  • The Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • 42 C.F.R. Part 2, which imposes stringent restrictions on the disclosure of identifiable patient records by “federally assisted alcohol and drug abuse treatment programs.”

In March of 2017, SAMHSA released revised versions of the 42 C.F.R. Part 2 regulations, available here.  The push to revise the regulations came in part from the recognition by SAMHSA and its constituents in the field that the integration of primary care, mental health and substance use services was rapidly expanding in communities.   In addition, health and mental health delivery agencies, hospitals, health plans and in some community’s social service providers are increasingly participating in collaborations and integration efforts to improve behavioral health systems in their communities.  The need to update and clarify rules and obligations around the rights of consumers and expectations of providers led to a year long revision process by SAMHSA.

To disseminate information about the new rules and clarifications around certain provisions of the revised regulations, IBHP held an informational webinar featuring a legal expert from the Legal Action Center and reactions from substance use providers in CA.  The webinar recording is available here and slides can be found here.

Under California law, the issues span many areas:

  • Confidentiality of Medical Information Act
  • Lanterman-Petris-Short Act
  • Alcohol and Drug Abuse Treatment Records
  • Minors

With funding from the California Healthcare Foundation, The California Office of Health Information Integrity (CalOHII) has created the State Health Information Guidance (SHIG). The State Health Information Guidance (SHIG) is an authoritative but non-binding guidance from the State of California written in lay language for a general audience. The SHIG explains when, where, and why mental health and substance use disorder information can be exchanged. It also provides clarification of state and federal laws for non-state entities. It is worth noting that CalOHII has statutory authority to interpret and clarify state law.

Data Sharing Legal Resources

Additional resources that may be useful in understanding legal issues are available from the following sources:

  • choirThe Accountable Communities for Health Data Sharing Toolkit was produced by the Center for Healthcare and Organizational and Innovative Research (COACH) in Berkeley. This toolkit is designed to assist communities working to share data across sectors to improve health as part of the CA Accountable Communities of Health concept.  The toolkit begins by introducing the Accountable Communities for Health concept, and then provide seven parameters for framing a community’s current data-sharing maturity along a continuum from beginner to advanced.  A chapter on Governance and Privacy covers additional considerations for providers trying to coordinate care, particularly across sectors or to address social determinants of health.  It includes discussion of issues such as anti-trust laws, how to build buy-in and develop relationships with other organizations, funding considerations, technological infrastructure and analytical infrastructure issues.  Each section also has CA and national case studies/examples of work underway in communities that address the topics discussed and offers a “barrier/strategy” grid containing the barriers providers are likely to encounter and a strategy for addressing for each topic covered.

Federal Framework for Sharing Behavioral Health Information

The information included here is from the California Healthcare Foundation report prepared by Manatt, Phelps & Phillips, LLP: Fine Print: Rules for Exchanging Behavioral Health Information in California.


not-hipposThe Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) restricts covered entities such as health care providers and health plans from using or disclosing an individual patient’s protected health information without his or her written authorization. While health care organizations seeking to exchange patient information to improve quality or control costs often raise concerns about HIPAA, it is rarely a legal obstacle to achieving these objectives. This is because HIPAA contains broad exceptions that permit the use or disclosure of protected health information without the patient’s authorization for treatment, payment, and health care operations. Health care operations include care management and quality-improvement activities such as outcomes evaluation and development of clinical guidelines.

Unlike some of the other privacy laws discussed below, HIPAA applies the same standards to all protected health information, whether related to behavioral or physical health services. The primary exception to this rule relates to psychotherapy notes, which generally may not be disclosed for treatment, payment, or health care operations without the client’s authorization. Psychotherapy notes are notes of counseling sessions recorded by a mental health professional that are maintained separately from the rest of the individual’s medical record. Given the fact that providers rarely seek to share psychotherapy notes with one another, the exception does not serve as an obstacle to most data exchange initiatives.

HIPAA provides a baseline level of protection for behavioral health information, meaning providers in a state must comply with its privacy protections even if the state’s privacy law protections are more lenient than HIPAA. But HIPAA does not pre-empt state or federal laws that provide stronger privacy protections, such as laws that require individual consent or authorization before certain types of more sensitive health information can be disclosed. Thus, it is necessary to evaluate applicable federal and California laws and regulations that may be more stringent than HIPAA.

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

Click here to view the combined regulation text of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164.

Part 2 — Substance Abuse Records

Federal regulations at 42 C.F.R. Part 2 impose stringent restrictions on the disclosure of identifiable patient records by “federally assisted alcohol and drug abuse treatment programs.” Part 2 programs are generally those that are specially licensed to provide, or hold themselves out to the public as providing, substance abuse treatment services. For example, a methadone clinic is subject to Part 2 but a general hospital is not, even if the hospital’s emergency department provides detoxification services. Most programs that hold themselves out to the public as providing substance abuse services qualify as being federally assisted, since the definition of federal assistance is extremely broad: It includes both providers that receive any federal funds or federal tax benefits (such as tax-exempt status) as well as providers licensed by a federal agency (such as providers certified under Medicare). While the Part 2 rules apply directly only to Part 2 programs, any party that receives information from such a program must also comply with Part 2 if it seeks to disclose that information to someone else.

There are very few exceptions under Part 2. One exception covers disclosure in a medical emergency, but there is no general treatment exception. There is also no exception for quality improvement or care management.

Absent an exception, any identifiable information from a Part 2-covered program (“Part 2 data”) may be disclosed only with the patient’s written consent. Part 2 data includes any information that identifies an individual as a drug or alcohol abuser, including his or her receipt of services from a Part 2-covered program as well as diagnoses and treatment plans related to substance abuse. The Part 2 rules specify the elements of a valid consent form. Among other things, the consent must explicitly name the individual or entity authorized to receive the Part 2 information. A description of a class of individuals or entities (such as “all providers participating in the XYZ Health Information Exchange”) is insufficient for this purpose.

California Legal and Policy Issues

The information included here is from the California Healthcare Foundation report prepared by Manatt, Phelps & Phillips, LLP: Fine Print: Rules for Exchanging Behavioral Health Information in California.

California’s privacy laws largely follow the pattern of federal privacy laws. Most types of clinical information, including mental health records, typically can be exchanged between providers for the purpose of treating the patient. But there are greater restrictions on the disclosure of substance abuse treatment records, which generally may be shared only with patient authorization. These regulations apply to various types of providers of physical and behavioral health care and do not vary based on the source of payment for that care.

Confidentiality of Medical Information Act

Outpatient mental health treatment provided by private (non-governmental) clinics, including federally qualified health centers (FQHCs), is typically subject to California’s general privacy statute, the Confidentiality of Medical Information Act. The CMIA mirrors HIPAA in many respects.

  • Like HIPAA, the CMIA treats medical information as confidential and prohibits its disclosure unless a specific exception under the law applies.
  • For providers seeking to integrate care, an important exception allows providers to disclose information without the individual’s authorization to other providers, health plans, or contractors (which includes independent practice associations and pharmacy benefit managers) for purposes of diagnosis or treatment. Consequently, mental health providers who are not subject to more restrictive state privacy laws (see below) may share information for treatment purposes to the same extent that physical health providers may share treatment information.

Lanterman-Petris-Short Act

The Lanterman-Petris-Short (LPS) Act, rather than the CMIA, governs the exchange of patient information by some mental health providers. The LPS Act applies to:

  • federal, state, and county mental hospitals;
  • institutions that treat involuntarily detained mental health patients; and
  • residential programs such as mental health rehabilitation centers and community residential treatment systems.
  • The LPS Act can also apply to outpatient providers to the extent they participate in certain government-funded programs covered under the Act, such as gambling treatment programs, homeless outreach programs, or the provision of care to judicially committed people under the Forensic Conditional Release Program.

Execeptions to LPS Act

Like HIPAA and the CMIA, the LPS Act contains an exception that allows for the exchange of mental health information for treatment purposes. “Qualified professional persons” may share patient medical information with one another in the course of providing services without obtaining patient consent. The statute does not define a “qualified professional person.” This language is potentially narrower than the language in the treatment exception of the CMIA, which makes clear that a provider may share information with a broad range of health care organizations and professionals treating the patient. At a minimum, the LPS Act allows a health care professional to share patient information with another health care professional who treats that patient, even if the two professionals work at different facilities or locations.

In practice, the exception appears to be interpreted more broadly to permit the sharing of information by mental health facilities or programs at the organizational level, with access by nonprofessional personnel who provide support for the professional’s activities. Indeed, given the way in which data are shared between institutions, there may be no other practical way to interpret the exception. But the precise scope of the exception is subject to interpretation, and this lack of clarity likely leads to different interpretations across the state with respect to the type of sharing that is permitted. As noted below, existing California initiatives have implemented different approaches to sharing mental health data, with some requiring prior patient consent and some not.

The LPS Act allows information to be exchanged pursuant to a patient’s consent but is silent as to the form of consent needed. The CMIA, however, does prescribe the form of consent and therefore serves as a useful guide for mental health providers even where the LPS Act rather than the CMIA is technically applicable. Among other requirements, the CMIA mandates that the consent form describe the functions of the disclosing party and the recipient of the information, explain the use and limitations of the information disclosed, provide an end date of the authorization, and be executed by a signature that serves no other purpose than to execute the authorization.

Alcohol and Drug Abuse Treatment Records

In contrast to the general flexibility granted to providers when sharing mental health information, California’s substance abuse law is stricter than its mental health law when it comes to the disclosure of records. California’s statute governing alcohol and drug abuse programs requires records relating to those programs to be kept confidential except under limited circumstances.

  • A qualified professional employed by a substance abuse program may share a patient’s records with other professionals employed by the same program without obtaining the patient’s consent.
  • If the practitioner seeks to share the information with others working at a different program, generally the patient’s consent will be required except in limited circumstances such as in a medical emergency.
  • These restrictions apply to any alcohol or drug abuse “treatment or prevention effort or function conducted, regulated, or directly or indirectly assisted” by the California Department of Health Care Services (DHCS).
  • This provision mirrors the language of the federal Public Health Service Act that is the basis for the Part 2 rules, but with one key difference: the federal law applies to substance abuse treatment regulated or assisted by a federal agency, not treatment assisted or regulated by DHCS. Thus, a private substance program that is not federally assisted is subject to California’s substance abuse privacy rules if it is licensed by DHCS.

Transfer of Authority from Alcohol and Drug Programs to Department of Health Care Services

Historically, many hospital emergency departments, FQHCs, and other providers that offer limited substance abuse treatment have not been covered by California’s substance abuse privacy law. Prior to 2013, it was the California Department of Alcohol and Drug Programs (ADP) that was responsible for regulating and funding the state’s substance abuse programs. At the time, California’s substance abuse privacy protection applied to programs that were “conducted, regulated, or directly or indirectly assisted” by ADP. Since many providers were not regulated or funded by ADP, they did not fall within the scope of this rule. In 2013, however, California transferred all of ADP’s powers to DHCS, and statutory references to ADP were changed to references to DHCS.

While the number of providers funded by ADP was relatively small, the universe of providers supported by DHCS is much larger, since DHCS is the agency responsible for administering Medi-Cal. Presumably, the state did not intend to expand the scope of its substance abuse privacy protections in making this administrative change. Nevertheless, the switch introduces uncertainty as to whether hospital emergency departments and other providers who occasionally treat patients for substance abuse must comply with the state’s substance abuse privacy protection law.

Given the restrictions in California’s substance abuse privacy provision:

  • California providers will often need to obtain an individual’s consent prior to sharing his or her substance abuse treatment record with another provider, even in cases where the two providers jointly manage the patient’s care.
  • California law requires that the consent be in written form and identify the purposes for the release of the protected information and the circumstances under which the information can be released.
  • California law does not specify whether a patient can agree to a program’s disclosure to multiple providers through the signing of a single consent form, but the statute’s similarity to federal law suggests that the same Part 2 restrictions apply.
  • Moreover, if the program is subject to Part 2, the provider would have to comply with the consent for requirement of Part 2 rules anyway. The lack of flexibility in the federal and state rules governing the sharing of substance abuse treatment data has made the sharing of this data a daunting challenge.

Sharing between the minor and other medical providers

California’s privacy laws do not distinguish between minor and adult medical information in regards to providers sharing medical records for treatment. Thus, providers that are delivering mental health care or substance abuse care to a minor can share the child’s medical records with other providers under the same circumstances under which such sharing is allowed for adult patients.

Sharing with the minor’s parent or guardian and consent for treatment

When providers treat a minor, they often confront the issue of whether they may share medical records with the minor and/or the minor’s parent or guardian. For most types of medical treatment, it is the parent or guardian who grants consent to the minor’s treatment, and therefore providers may disclose a minor’s medical information and records to the minor’s caretaker. However, minors who are 12 or older may consent to mental health care if the provider determines that “the minor is mature enough to participate intelligently in the mental health treatment or counseling services.” Minors who are 12 or older also may consent to substance abuse care. In cases where minors who are authorized to consent for services, it is the minor, not the parent or guardian, who has a right to review the treatment records. Nevertheless, even in these circumstances, providers are supposed to involve the parent or guardian in the minor’s treatment plan if appropriate.

Explore the Behavioral Health Data Sharing Toolkit!