Wednesday, August 27 | EHR Solutions and Operations, Human Services, Care Coordination

Protecting Patient Privacy in the Age of Information Sharing

By Daniel Skinner, Director, Solution Management for CareConnect

With the advent of Qualified Health Information Networks (QHINs) and expanded data sharing, it’s essential that healthcare providers understand how to protect patient privacy while giving clinicians access to essential information.  

In this blog, we’ll take a quick look at the evolution of data sharing regulations and then explore how to manage exceptions efficiently and effectively.  

 

HIPAA – the Health Insurance Portability and Accountability Act

HIPAA was signed in 1996. The key implementing rules everyone is familiar with became effective later: the Privacy Rule in 2003 and the Security Rule in 2005. The Health Insurance Portability and Accountability Act (HIPAA) regulations established national standards to safeguard the privacy and security of patients’ protected health information (PHI), which includes individually identifiable health information. They limit how and when PHI can be used or disclosed by healthcare providers, health plans and other covered entities. All organizations sharing healthcare records, including QHINs, must comply with HIPAA.

 

42 CFR, Part 2 

Enacted in 1975, this provision was created to restrict access to records for treatment of substance use disorder (SUD). The goal was to prevent those records from having a negative impact on individuals in non-treatment situations, such as employment, criminal courts or housing.  

In its original form, 42 CFR, Part 2 was opt-in only and extremely restrictive. It required written consent for each specific use. In today’s digital age, obtaining written consent is hard. Managing access to this information became even more challenging with increased emphasis on interoperability.  

In 2024, the CARES Act defined significant changes in 42 CFR Part 2 to align requirements with HIPAA redisclosure provisions: 

  • A single consent permits disclosure for all current and future treatment, payment and operations (TPO) uses and disclosures  
  • Patients have flexibility when identifying recipients, and permissible categories of recipients and uses can be defined  
  • Some separate consents are still required outside the TPO “blanket” consent, including for SUD counseling notes and for use in legal proceedings against patients 

These changes simplify managing exceptions in data sharing. Netsmart has long advocated for these changes: as the drive to interoperability gained momentum, it was difficult to ensure that consent to share SUD patient records was documented correctly and that we could actually share them. 
 

Managing Consents and Preserving Patient Privacy 

According to the National Institutes of Health, 88% of patients believe sharing data electronically improves their care. And that’s not too surprising. Benefits include convenient access to their care data by cell phone via a patient portal, data sharing between providers that means not repeating symptoms or issues and care teams that are focused on them instead of sorting through stacks of paper to find test results or medication lists.  

To illustrate, let’s take a high level look at how Netsmart handles requests for records to make sure provider partners get what they need, but patients are still protected. 

As noted, 42 CFR Part 2 is now aligned with HIPAA, but still allows for granular consent to be documented. Those exceptions exist and we must be able to enforce them. 

When a data request is received, the first step is to determine whether the organization has seen the patient at all. Next, we determine whether the individual is covered by 42 CFR, Part 2 and whether consent forms on file allow the requested documents to be shared.  

[Image: consent check process diagram]

Consent checks take place at several levels throughout a query. For individuals covered by 42 CFR, Part 2 who have opted out, we do not even acknowledge that we have a relationship with the patient; that information is hidden entirely from the organization that initiated the query.  

Levels of Consent 

Netsmart interoperability technology uses four main types of consent to determine whether information can be shared.  

  • Patient to organization – an individual permits or denies consent to share their information with a specific entity, e.g., a hospital or clinic.  
  • Patient to network – an individual permits or denies consent to share information with a specific network, e.g., Carequality.  
  • Organization to organization – we see this in the behavioral health world, where a client uses Netsmart software but is part of a larger hospital organization that uses a different platform, such as Epic. This consent level allows a single legal entity to share information even though it runs two different software systems.  
  • Organization to network – as a condition of treatment, agencies may require individuals to consent to sharing information with all the networks the provider is connected to, as long as that sharing is permitted from a regulatory perspective. This consent type covers that approach and is the recommended best practice for sharing information.  
     

Netsmart consent logic starts with the most granular level to ensure that we cover the federal and local requirements. This approach also allows clients using our systems to document consent in the way that meets their needs and the privacy needs of the individuals they serve.  
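To make the request flow above concrete (has the organization seen the patient, is the record covered by Part 2, which consent applies, and hide the relationship entirely for a Part 2 opt-out), here is an added Python consent evaluator over a constructed patient registry. It is example code, not Netsmart's implementation; the exact ordering of the four levels, the three response names, and the default of sharing a non-Part 2 record for TPO when no consent is on file are assumptions.

```python
from dataclasses import dataclass, field

# The four consent levels from the post, ordered most granular first.
# The post says evaluation starts with the most granular level; this exact
# ordering is an assumption.
LEVELS = ("patient_org", "patient_network", "org_org", "org_network")

@dataclass
class Consent:
    level: str    # one of LEVELS
    subject: str  # the organization or network the consent names
    permit: bool  # True = consent to share, False = opt out

@dataclass
class Patient:
    part2: bool                        # record covered by 42 CFR Part 2
    consents: list = field(default_factory=list)

def evaluate(records: dict, patient_id: str, requester: str, network: str) -> str:
    """Decide one record request: 'share', 'withhold' (relationship acknowledged,
    records not released) or 'not_found' (no relationship acknowledged)."""
    patient = records.get(patient_id)
    if patient is None:
        return "not_found"  # step 1: this organization has never seen the patient
    for level in LEVELS:  # step 2: first matching consent, most granular wins
        subject = requester if level in ("patient_org", "org_org") else network
        for c in patient.consents:
            if c.level == level and c.subject == subject:
                if c.permit:
                    return "share"
                # A Part 2 opt-out hides even the existence of the relationship,
                # so the response is indistinguishable from an unknown patient.
                return "not_found" if patient.part2 else "withhold"
    if patient.part2:
        return "not_found"  # Part 2 with no consent on file: hide the relationship
    return "share"  # assumption: HIPAA TPO disclosure needs no separate consent

# Constructed sample registry (not real data).
RECORDS = {
    "p1": Patient(part2=True, consents=[Consent("patient_org", "hospital-a", False),
                                         Consent("org_network", "carequality", True)]),
    "p2": Patient(part2=False, consents=[Consent("patient_network", "carequality", False)]),
    "p3": Patient(part2=True),
}

if __name__ == "__main__":
    for pid, org, net in [("p1", "hospital-a", "carequality"), ("p1", "clinic-b", "carequality"),
                          ("p2", "hospital-a", "carequality"), ("p3", "hospital-a", "carequality")]:
        print(pid, org, net, "->", evaluate(RECORDS, pid, org, net))
```

Note that "p1" is hidden from hospital-a because the granular patient-to-organization opt-out is checked before the broader organization-to-network permit, while a different requester on the same network is served.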

Ongoing strategies for protecting patient privacy 

Training your staff on data security and current data sharing regulations will help protect the privacy of individuals in your care. 

As data sharing requirements continue to evolve and change, your choice of technology partners is particularly important, especially regarding changes to 42 CFR, Part 2. Netsmart has been serving the technology needs of organizations in the human services ecosystem for decades. Our clients include providers of addiction treatment, inpatient and outpatient behavioral health services, foster care, child and family services, intellectual and developmental disabilities and much more.  

As mentioned previously, Netsmart has been a strong advocate for changes to 42 CFR, Part 2, as well as a proponent of interoperability as a means to support integrated care for human services and post-acute providers. Our ONC-certified solutions adhere to privacy and security requirements and offer organizations the tools needed to comply with regulations as they change.
