This is a preprint version of the publication; the formal version of the publication can be found here https://doi.org/10.1016/j.jval.2023.05.008

Privacy laws represent the values and needs of a culture around sensitive information, such as medical files or records of substance use treatment. Prior to the 21st century, simple methods of sharing (such as copying paper files from a hospital or general practitioner for the receiving specialist) were relatively easy to anticipate and protect. Technological advances now provide the opportunity for ongoing, real-time access to electronic health records between multiple sources and recipients. Practitioners are expected to approach patient needs in a more holistic manner, realizing the best outcomes are supported by a well-coordinated system of integrated care. The justice system incorporates a growing number of health and community service models for those suffering with substance use disorders and mental health conditions. These relatively new programs also require data to conduct research and evaluation to examine operations and effectiveness.

We will describe the challenges of data privacy in the context of deflection – an emerging and rapidly growing field that emphasizes collaboration and shared action between law enforcement, health, and behavioral health. Communities across the country have implemented deflection initiatives in which police, other first responders, or co-responder teams link people to evidence-based care and services to deflect them from emergency services, crisis interventions, and justice involvement. In police-based deflection programs, police officers encounter persons in need of substance use disorder treatment or other services and make a warm hand-off to social service and healthcare providers to provide needed services.[1] Deflection has been found to improve public health and public safety outcomes by routing individuals away from arrest, conviction, and/or punishment to community-based treatment, health care and other supportive services.[2] Deflection provides interesting insights into how multisystem collaboration. While the “right” thing to do, programs must work within existing privacy laws and protections that pose implementation barriers and challenges.

Deflection: A Tale of Two (or More) Cultures

Deflection brings together cultures with vastly different relationships to data privacy. Law enforcement information is often public record. Health services are documented through private electronic medical records. The United States protects health records through data privacy laws which restrict or prohibit sharing without consent. Additional regulations address data sharing for human subjects of research.

Implementing effective data privacy protections within one system requires significant resources and training. Collaborative needs for data sharing supported by scientific inquiry across various systems are deeply complex. In police-led deflection, engagement is (by definition) a shared law enforcement and healthcare activity, and the client (and information) are then referred to healthcare or community-based treatment services. Deflection initiatives often struggle to understand which entity “owns” the encounter, how services should be documented, what privacy restrictions govern the data and records, and how information can be shared. This is particularly challenging when information needs to be shared to expedite access to services, or to understand the impact of interventions. It is a bit of a paradox: collaboration between health and criminal justice systems improves access to care and community outcomes; however, the complexity of data sharing makes it more difficult to expedite access to care, link individuals with appropriate services, or measure meaningful outcomes.

Exploring the Unintended Consequences of Data Privacy through the Lens of Deflection

Uncertainty around data protections and sharing has implications for the day-to-day work of deflection across all stages of client engagement, but particularly when it comes to receiving referrals and facilitating warm handoffs to care. Starting with the identification of or initial outreach to potential clients, deflection programs typically lack information on individuals’ medical history and reported medical needs when deciding who to approach and engage with deflection services. Some programs may have knowledge about recent critical medical events (e.g., post-overdose outreach programs featuring police officers who responded to the original overdose call) but would still likely have no further information about the individual or the services they received after being transported to the emergency department.

Once a client has accepted help from the deflection program, the same lack of information serves as an obstacle to a quick identification of the services that would best respond to the client’s needs. Some deflection programs utilize a single assessment site where all incoming clients are referred, which to a large extent obviates this challenge. In programs with multiple service options and pathways, however, the lack of information sharing acts as a barrier to quick connection to appropriate care.

Due to privacy protections around health data, many deflection programs and participating law enforcement agencies are unable to receive reliable feedback on the success of their referrals from their health care partners. This means they do not know the status or outcomes for clients after they are referred to care unless clients reenter the program again in the future. Some deflection programs run a follow-up system whereby participants are recontacted at certain intervals (e.g., 30/90/180 days) and can therefore self-report on their outcomes. However, this is a comparatively labor-intensive option that is likely available only to well-resourced programs, such as those with dedicated administrative and managerial staff.

Health providers are similarly affected by gaps in information sharing. They rarely have access to meaningful information about their client outside of the health or treatment setting. Certainly, information about individuals’ interactions with law enforcement or other community partners could be useful in providing health care or other treatment. For example, a healthcare provider could use information about a patient’s engagement with law enforcement to assess levels of clinical risk more accurately, or information about a patient’s housing situation to recommend a course of treatment that requires fewer visits; in this way, improvements in information sharing can improve patient care and health services.

The Evolving Landscape of Health and Data Privacy in the United States

Over the past half century, we can see how the balance between restricting and facilitating disclosure of sensitive information is shifting in the United States, as demonstrated through its federal legislation and rulemaking.

Expanding Protection for Substance Use Records

The United States first offered protection for substance use disorder records in the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970. This landed firmly on the side of privacy protection, requiring “persons engaged in research on, or treatment with respect to, alcohol abuse and alcoholism to protect the privacy of individuals who [were] the subject of such research or treatment … by withholding identifying information.”

Within a couple of years, the statute expanded to cover “alcoholism, alcohol abuse, and drug abuse prevention,” and incorporated a few permitted disclosures, including:

  • prior patient written consent (if otherwise permitted under the regulations);
  • bona fide medical emergencies;
  • to qualified personnel for conducting certain activities, such as scientific research or financial audit or program evaluation, as long as the patient is not identified in any reports;
  • within the Armed Forces and components of the U.S. Department of Veterans Affairs; and
  • as authorized by court order granted after application showing good cause.

Confidentiality of Records

Two decades later, the Confidentiality of Records was added (the statute and its rules are known as “Part 2”). In general, the protections were expanded to include a broader range of activities, disclosures were narrowed, and accountability was added.

  • Scope of coverage: expanded to include diagnosis, treatment, and referral for treatment for substance use disorders.
  • Court orders restricted: to avert a substantial risk of death or serious bodily harm.
  • Enforcement: criminal penalties for violations.
  • Rulemaking: provide safeguards and procedures to support the statute.

Disclosures were defined broadly as “a means to communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.”

As indicated by the new provision, protections extended to the entire record. Prior written consent required the name of the individual to receive records. Redisclosure of protected records was strictly forbidden.

HIPAA: Health Information Protection

Perhaps the best known (though still misunderstood) privacy law is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and its accompanying Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules). This collection of protections was demanded as health care providers were transitioning from a long tradition of keeping paper files and sending written invoices via the postal service, to completely electronic record and billing systems. While the legislation began with the need for uniform formatting for electronic billing, the general public was much more concerned with the potential for unintentional distribution of its private health information. This was in an era that lacked social media, an expansive wireless internet, or even the confidence that electronic systems could survive the transition to the 21st century (does Y2K ring a bell?).

HIPAA set out to establish detailed standards for sharing Protected Health Information (PHI). It sought to strike a balance between protecting sensitive information and the health care system’s need for access to full medical histories. These restrictions apply to health care providers (who conduct covered health care transactions electronically), health plans, and health care clearinghouses (collectively referred to as covered entities). Excluded from these restrictions is data that has been aggregated or de-identified as provided for in the rules, so it cannot be traced to individuals.

HIPAA’s Framework for Disclosures

HIPAA starts with the premise that use and disclosures of PHI are prohibited, with only two exceptions: patient written authorization OR as required or permitted under the Privacy Rule. Even when disclosures are permitted, patients retain the right to restrict or object. Patients must receive a Notice of Privacy Practices, and are entitled to access their PHI and to an accounting of its disclosures. Disclosures are generally limited to the “minimum necessary” needed to achieve the specified purpose. Their rights are protected through enforcement actions that can include civil monetary penalties and criminal charges.

Disclosure of PHI without patient authorization

The Privacy Rule then articulates those areas when PHI may be disclosed without patient authorization. These include disclosures to individuals or their personal representatives (specifically when they request access to, or an accounting of disclosures of, their PHI), and to Health and Human Services when it is undertaking a compliance investigation or review or enforcement action. Permitted disclosures also include disclosures for treatment, payment, and health care operations, disclosures incident to an otherwise permitted use and disclosure, disclosures as permitted with opportunity to agree or object, and disclosures for specific public interest and benefit activities, including part of a limited data set for the purposes of research, public health or health care operations.

Use and disclosures that are fundamental to the patient care relationship are permitted without prior authorization. This is most commonly seen when covered entities disclose PHI for treatment, payment, and health care operations (TPO). Business Associates that perform or provide functions, activities, or services for a covered entity may also receive PHI, once the required compliance agreements are in place.

The greater public good is also facilitated through permitted disclosures without patient consent for areas such as public health purposes, research, Privacy Board or Institutional Review Board. These specific circumstances are narrowly defined. Finally, compliance investigations and enforcement actions that may result in criminal charges and civil monetary penalties do not require patient permission.

Health & Substance Use Disorders

The current day-to-day challenges of operating comprehensive, holistic treatment and care under two inconsistent privacy protection landscapes (one for health and one for substance use disorders) were most recently revisited during the COVID pandemic. It became increasingly clear that substance use disorder interventions, care, and treatment relied upon collaborations with the health, community, and (at times) justice systems. While individuals with any history of a substance use disorder still suffer stigma that can impede health care, employment, insurance, and the like – the need for care coordination requires more fluid disclosure and integration of records.

Important strides were made to provide more consistency in the application of privacy protection between health and SUD providers. Key definitions are now consistently applied to both PHI and Part 2 records, including de-identification standards. Patient privacy rights have been updated and must be provided in advance of services. Guidance regarding the implications of adding SUD patient records to health care records is now available. We also note that with new opportunities to disclose Part 2 records (primarily with prior written consent), the protection from unintended use of that information and enforcement for violations were enhanced.

Key Proposed Updates to Part 2

In November 2022, the U.S. Department of Health and Human Services proposed key updates to increase care coordination for individuals with addictions and substance use disorders [3]. Those changes include:

  • Patient records protected under this rule are shielded from use in criminal, civil, administrative, and legislative proceedings without consent or court order;
  • Anti-discrimination rules (forthcoming) protect patients from adverse actions based upon their SUD status;
  • Clarity around written consent for ongoing disclosures to general categories of organizations, and specific providers, will more easily facilitate connecting patients with ongoing treatment and resources they so critically need and desire;
  • Substance use disorder records must meet security standards under HIPAA’s HITECH rules, with required breach notifications [4];
  • Written patient consents can now include the treatment, payment, and operations standard found in HIPAA, with limited redisclosures permitted to qualifying organizations; and
  • Enforcement activities were expanded to include civil monetary penalties and criminal charges, with clearer expectations and oversight.

Implications of Data Privacy for Researchers

Challenges in data sharing also have significant implications for the evaluation of and research surrounding deflection programs. The United States outlines protections and permissions around the sharing of personal information through Title 45 Code of Federal Regulations part 46 (45 CFR 46). These regulations outline data privacy rules for research. Under current rules, researchers must adhere to strict data-protection protocols, backed by criminal penalties and protections to promote sound scientific research that benefits the field of study. Federal regulations further clarify boundaries around sharing sensitive information, including information about substance use disorder treatment and diagnosis (42 CFR 2.52) or other protected health information covered by HIPAA.

42 CFR Part 2 offers exceptions to the requirement of written consent for qualified scientific research. The law states that identifiable data on substance-use disorders “may be disclosed,” even without patient consent, “to qualified personnel for the purpose of conducting scientific research.” The law states researchers must have the research request approved by an IRB and the data cannot be provided to a law enforcement agency.

Under HIPAA, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule. The Privacy Rule offers special provisions regarding access to data for research.

Research Use/Disclosure Without Authorization

To use or disclose protected health information without authorization by the research participant, a covered entity must obtain documentation that an alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes has been approved by an IRB or a Privacy Board [see 45 CFR 164.512(i)(1)(i)]. This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants’ authorization were required.

Implications for Deflection Research

The principles discussed above have a fundamental implication for research on deflection programs, particularly with respect to evaluating their impacts. Besides the general observation that health outcome data related to substance use pose challenges not experienced with other types of data, the obstacles to information sharing between partner organizations involved in deflection programs mean researchers need to work across multiple data repositories and with multiple data owners. While criminal justice data can be reasonably expected to be available from a single data source (though multi-agency deflection programs may have some data collection and management differences across participating entities), the same is rarely the case for health outcome data. Instead, research projects need to obtain care-related data individually from every organization working with clients.

This is very costly because of the need to establish and maintain multiple research partnerships and manage associated administrative requirements. Further costs are likely incurred because of the need to combine data from multiple providers with differing formats. Most importantly, however, the need to work with multiple data owners also exposes the research study to serious threats to internal validity. For instance, failure to get some providers onboard can mean a serious risk of selection bias. The quality of data recording and collection across providers can vary, raising the possibility of instrumentation and measurement biases. It is not surprising that, in light of these challenges, population-level outcome studies are seen as a potential alternative. However, while population-level studies may indeed be the only study design that is feasible within the confines of a given research project, they too are subject to notable limitations.

A Balancing Act: Facilitating Access to Care While Protecting Data Privacy

The United States is learning that rigid limitations against sharing health and substance use disorder information can impede integrated treatment and supportive care, discourage collaborations that offer effective alternatives to incarceration, and make it difficult to evaluate the effectiveness of promising practices. Individuals must remain the ultimate decision makers regarding disclosure of sensitive information without requiring an unwieldy process that restricts care. Striking a balance requires input from all impacted stakeholders, workable definitions and processes, levels of information disclosures designed to facilitate patient care, and accountability for misuse.


  1. Charlier, J. A., & Reichert, J. (2020). Introduction: Deflection—Police-led responses to behavioral health challenges. Journal of Advancing Justice, 3, 1-13. https://www.nadcp.org/wp-content/uploads/2020/10/Journal-for-Advancing-Justice-Volume-III_final.pdf

  2. Blais, E., Brisson, J., Gagnon, F., & Lemay, S. A. (2022). Diverting people who use drugs from the criminal justice system: A systematic review of police-based diversion measures. International Journal of Drug Policy, 105, 103697. https://doi.org/10.1016/j.drugpo.2022.103697; Labriola, M. M., Peterson, S., Taylor, J., Sobol, D., Reichert, R., Ross, R., Charlier, J., & Juarez, S. (2023). A multi-site evaluation of law enforcement deflection in the United States. RAND Corporation. https://www.rand.org/pubs/research_reports/RRA2491-1.html; Lindquist-Grantz, R., Mallow, P., Dean, L., Lydenberg, M., & Chubinski, J. (2021). Diversion programs for individuals who use substances: A review of the literature. Journal of Drug Issues, 51(3), 483-503. https://doi.org/10.1177/00220426211000330

  3. U.S. Department of Health and Human Services. (2022). HHS proposes new protections to increase care coordination and confidentiality for patients with substance use disorder challenges. https://www.hhs.gov/about/news/2022/11/28/hhsproposes-new-protections-increase-care-coordination-confidentiality-patients-substanceuse-challenges.html

  4. U.S. Department of Health and Human Services. (2017). HITECH Act Enforcement Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/specialtopics/hitech-act-enforcement-interim-final-rule/index.html