Stimulant Abuse and HIPAA: Case Example

Edmund S. Higgins, MD, and R. Allan Powell, JD

Mr. Powell is assistant general counsel in the Department of Mental Health in Columbia, South Carolina.

Disclosure: Dr. Higgins is on the speakers’ bureaus of Cephalon, Eli Lilly, Pfizer, and Wyeth. Mr. Powell reports no affiliation with or financial interest in any organization that may pose a conflict of interest.

Please direct all correspondence to: Edmund S. Higgins, MD, Department of Psychiatry, 1 Poston Rd, Suite 145, Charleston, SC 29407; Tel: 843-556-4157; Fax: 843-763-8747; E-mail: [email protected].

Abstract

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a multi-faceted federal law affecting the privacy of healthcare information. Unfortunately, there are some circumstances where privacy and appropriate clinical care conflict. The case presented describes a patient who was abusing his stimulant medication and did not want the attending physician to alert other physicians about this misbehavior. The analysis and discussion address the issues physicians should consider when confronted with such a situation. HIPAA guidelines are not intended to prevent the dissemination of clinical information that can affect important treatment decisions. In light of the serious medical concerns regarding stimulant abuse the prescribing physician can be alerted without violating HIPAA guidelines in such cases.

Introduction

Abuse of prescription medications, especially controlled substances, is a common reality. The recent results of a survey conducted by the Substance Abuse and Mental Health Services Administration (SAMHSA) of the Department of Health and Human Services showed that nonmedical use of prescription medications were the second most common category of illicit drug use. Anti-anxiety medications and stimulants were used for nonmedical reasons by 1.8 million and 1.4 million respectively.¹ In light of the greater frequency of prescriptions written for anti-anxiety medications, stimulants may be the most common psychiatric medication abused in the United States.

The stimulant medications, such as methylphenidate and racemic mixtures of dextroamphetamine, are classified by the Drug Enforcement Administration (DEA) as schedule II controlled medications due to their “high potential for abuse” and their potential to “lead to severe psychological or physical dependence.”² The stimulants are highly reinforcing due to their activation of the nucleus accumbens or what some call the “pleasure center.”^3,4 Methylphenidate and cocaine display a similar distribution in the brain and induce a similar “high” as they bind the receptor.⁵

The nature of substance abuse is such that the user is secretive and deceptive about his or her illicit use of the substance.⁶ Well-meaning physicians can unknowingly be supporting substance abuse with prescription medication. Given all the facts about a particular patient’s illicit use of a medication, most of these physicians would stop the medication. However, recent changes in federal laws raise questions about patient confidentiality and the sharing of private information between clinicians.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a multi-faceted federal law that affects the portability of health care by an employee from one employer to the other, the electronic transaction of healthcare information, and the privacy of healthcare information.⁷ Because HIPAA fosters the use of electronic exchange of individually identifiable health information (and thereby substantially increases the potential harm of an unpermitted disclosure), it also creates a national standard for the protection of the privacy of that information.

The HIPAA privacy rule creates a federal, national minimum standard of confidentiality and accountability for medical information. Although HIPAA creates a national “floor” for healthcare privacy and will make privacy requirements and practices more uniform nation wide, HIPAA must also be read in context with other federal and state laws that may be more restrictive as to specific identifying information (eg, alcohol and drug use, mental health, human immunodeficiency virus, etc.) If another law is more stringent, that other law applies.

The HIPAA regulations regarding patient privacy have raised concerns among physicians who worry that further restrictions are being placed on the way they practice psychiatry.^8,9 However, HIPAA is not intended to impede good clinical care and actually has the potential to enhance the dissemination of treatment information among healthcare providers.¹⁰

The following is a case study that illustrates the conflict between confidentiality and appropriate clinical care with a patient who is abusing his stimulant medication. Included is a description of the steps clinicians can take to determine if HIPAA or other regulations prohibit the sharing of important confidential information even if the patient objects.

Case Report

A 30-year-old white male was incarcerated at the Charleston County Detention Center for a misdemeanor unrelated to the situation described below. He was complaining of anxiety and insomnia and requested a visit with the psychiatrist. He described his treatment history to the jail psychiatrist and with minimal prodding, gave extensive details about his abuse of stimulant medication.

The inmate described a history of extensive abuse of mixed amphetamine salts, Adderall specifically, that started in early adolescence when he was treated for attention-deficit/hyperactivity disorder (ADHD). In high school he progressed to “street” drugs, but maintained a great interest in dextroamphetamine that he described as his second favorite only to “Ecstasy.” He described how he obtained the mediation by seeking out accommodating physicians, explaining that he had recently moved to the area and would like a refill of his treatment for ADHD. He would state that the only treatment that worked was Adderall and Wellbutrin (bupropion). He mentioned bupropion as a decoy, although he was only interested in obtaining the stimulant.

When the inmate was able to get a prescription for Adderall, he would take 60 mg as a loading dose and then take an additional 10 mg every 1–2 hours throughout the day. He usually stopped the medication after a total dose of 180–200 mg in one binge. He typically felt sick after reaching this total dose, but had not experienced any serious medical problems.

During the psychiatric evaluation in the jail it became apparent that the prescribing physician was unaware of the inmate’s pattern of abuse. Since the inmate would be in jail for only a short stay, the jail psychiatrist wanted to alert the outside physician about the true nature of the inmate’s abuse of the stimulants. The inmate objected to the disclosure of this information to his outside physician.

How should a clinician proceed in light of the new HIPAA privacy requirements?

Analysis: When, Where and How Does HIPAA Apply?

Below are the steps that a clinician should take when determining the appropriateness of disclosing or withholding confidential information.

Step 1: Do HIPAA Privacy Regulations Apply to this Facility?

HIPAA is a federal law and therefore applicable in all states. However, HIPAA applies to “covered entities” only. So the very first question is to determine if the detention facility is a HIPAA “covered entity.”

For this scenario, the detention facility as a healthcare provider, would be a “covered entity” if as a healthcare provider to detainees or inmates it not only provides health care but also bills or makes claims for payment for such services electronically. If the facility meets these requirements, the physicians employed there are “covered entity” healthcare providers under HIPAA, and are subject to HIPAA regulations pertaining to not only the electronic transfer itself, but also the privacy and security of the individually identifiable healthcare information that is used and/or disclosed.

All health information in any form at a “covered entity” is protected by HIPAA privacy and subject to all administrative requirements, including establishing ones own privacy practices, appointing a HIPAA compliance officer, training staff on privacy practices, receiving grievances from patients concerning their medical information, responding to requests to inmate access to his/her own information, requesting for an amendment to his/her information, and copies of an accounting of certain disclosures made by the clinicians and any “business associate.”

Step 2: Are There Exceptions Where HIPAA Permits at Least Limited
Disclosure?

The accompanying Table lists exceptions from HIPAA that allow and or mandate the release of confidential patient information.

In addition to the enumerated permitted disclosures applicable to all covered entity providers listed in the Table, protected health information may be disclosed to correctional facilities and other law enforcement officials having lawful custody of the inmate if the information is needed to provide health care to the individual; for the health and safety of the inmate or others in the facility or those transporting the inmate; or for law enforcement or the administration and maintenance of safety, security, and good order.

Step 3: Do Other Laws Also Apply to this Situation?

Other federal or state laws may apply to further limit the use or disclosure of confidential information, or to provide greater patient control over his or her own information. For example, information pertaining to patients in federally assisted alcohol and drug abuse treatment programs is subject to additional privacy protection to encourage patients to seek treatment.¹¹ In general, the privacy protections of alcohol and drug treatment program information are much stricter than HIPAA. State law pertaining to specific types of information (eg, contagious diseases, child abuse investigation, etc.) may also be stricter than HIPAA. Alternatively, if HIPAA prohibits a disclosure, other laws may also apply to then require disclosure, such as mandatory reporting of child abuse, domestic violence, certain types of wounds, etc.

Step 4: Are There State Laws with Stricter Limitations on Patient Privacy?

HIPAA is a federal minimum standard and states have the right to impose stricter standards.

Step 5: Does the Facility or Group Require Stricter Limitations on Patient Privacy?

A group or facility also has the right to impose stricter requirements on confidentiality than are mandated by HIPAA.

Discussion
Step 1

In this particular case the inmate was being treated at a facility that is not a “covered entity.” Since the jail does not bill or make claims for payment electronically for health care that it provides, the jail is not a “covered entity” and HIPAA does not apply to it.

However, if this patient had been provided health care by a hospital, physician, or other healthcare provider, including a contractor of such services to the jail, and that provider bills or otherwise files claims electronically, then HIPAA would apply to information (both medical and financial records) identifying the patient. The patient would have been given the opportunity to review the written privacy practices for that particular provider and would have had a general right to request restrictions on disclosures, including limitations on disclosures related to treatment.

Step 2

Even if the HIPAA guidelines did apply to this case, the exception of treatment (Table) would allow limited disclosure of confidential information. Stimulant abuse puts this patient at risk for seizures, psychosis, dysrhythmias, and even death.¹² It is in the patient’s best interest to have this behavior eliminated. Withholding this information from the prescribing physician could put the patient at risk for serious health hazards.

If this patient were in a covered entity and therefore subject to HIPAA, he would have the opportunity to request restrictions of disclosure of some types of information, including for treatment purposes. However, a covered entity is not required to agree to a requested restriction. The basis for refusal would be that the request was not practical and/or that the request would compromise treatment. While there is a presumed right for a patient to request a restriction, including a restriction on sharing for treatment purposes, this is not a barrier in sharing this type of specific and limited information in this type of scenario.

HIPAA is, in part, intended to further protect patient confidentiality, but paradoxically, in also enhancing the efficiency provision of health care and payment for health care by the expanded use of electronic transactions, it also opens the doors for greater potential dissemination of private information, including the risk of unintended or other disclosures not permitted under the law.¹⁰ The case presented is a good example of kind of confidential information that can be communicated to other healthcare providers even after the patient has reviewed the facility’s privacy practices and requested a restriction.

Step 3

The question of other federal restrictions on confidentiality is relevant in this case as the patient has a substance abuse problem. However, in this scenario the inmate is not seeking or receiving substance abuse treatment nor is he in a federally assisted alcohol and drug program. Consequently, this potential restriction is not a concern in this situation.

Step 4

All states have laws protecting the privacy of healthcare information. Since no federal laws apply to the above case, the next step in the process of determining the appropriate action to take in this situation falls to the state level. In South Carolina, clinicians are prohibited from disseminating confidential information without the patient’s consent with a few exceptions, such as court order, child abuse, contagious disease, etc.

South Carolina, like most states, also allows exceptions to the maintenance of confidentiality if it impedes good clinical care.¹³ Alerting the prescribing physician about abuse of the prescription medication would appear to meet this exception.

Step 5

The Charleston jail has additional rules regarding confidentiality above and beyond the federal and state laws. For example, the psychiatrist is not allowed to conduct court evaluations (eg, competency or insanity) on inmates that he is also treating. In the above case the psychiatrist is not relaying information that involves the patient’s criminal charges to law enforcement or the prosecuting attorneys and therefore he is not restricted by the jail’s own limitations.

Conclusion

The HIPAA guidelines are intended to protect the patient’s right to maintain confidential healthcare interactions in this age of rapid electronic transfer of information. However, HIPAA is not intended to limit good clinical care. The above case highlights the thought process that clinicians should use when patients refuse to consent to a breach of confidentiality.

In this case, the patient had been abusing his stimulant medication and it appears that no federal, state, or facility rules limit the clinician from altering the prescribing physicians about the illicit use of the medication. PP

References

1. News releases page. Substance Abuse Mental Health Services Administration Web site. 22 million in US suffer from substance dependence or abuse. Available at: http://www.samhsa.gov/news/newsreleases/030905nr_NSDUH.htm. Accessed: December 12, 2004.

2. Controlled Substances Act page. DEA Web site. Available at: http://www.usdoj.gov:80/dea/agency/csa.htm. Accessed: November 2004.

3. Morton AW, Stockton GG. Methylphenidate abuse and psychiatric side effects. Prim Care Companion J Clin Psychiatry. 2000;2:159-164.

4. McLeman ER, Warsh JJ, Ang L, et al. The human nucleus accumbens is highly susceptible to G protein down-regulation by methamphetamine and heroin. J Neurochem. 2000; 74:2120-2126.

5. Volkow ND, Ding YS, Fowler JS, et al. Is methylphenidate like cocaine? Studies on their pharmacokinetics and distribution in the human brain. Arch Gen Psychiatry. 1995;52:456-463.

6. Ross SM, Chappel JN. Substance use disorders. Difficulties in diagnoses. Psychiatr Clin North Am. 1998;21:803-828.

7. 45 Code of Federal Regulations (CFR). Parts 160 and 164.

8. Imperio WA. HIPAA boosts protections for psychotherapy notes. Two sets of records will be required. Clinical Psychiatry News. 2001;29:1.

9. Evans J. HIPAA rules could put a chill on office-based research. Clinical Psychiatry News. 2003;31:68.

10. Appelbaum PS. Privacy in psychiatric treatment: threats and responses. Am J Psychiatry. 2002;159:1809-1818.

11. 42 Code of Federal Regulations (CFR) Part 2.

12. Klein-Schwartz W. Abuse and toxicity of methylphenidate. Curr Opin Pediatr. 2002;14:219-23.

13. S.C. Code Ann. Section 44-22-100. West Group Publishing; 2002.