The laws governing confidentiality of individual health care information are numerous and complex. This website offers links to and a brief explanation of some of the laws most likely to apply to confidential health care information of Maine's citizens.
Confidentiality of Health Care Information - State Law
The principal state law that protects the confidentiality of medical records appears in 22 M.R.S.A. § 1711‑C. The general rule is that a health care practitioner or facility may not disclose an individual's health care information except as provided in the statute. The statute allows disclosure to the individual and to those persons or entities for which the individual gives a written authorization. The statute allows disclosure without consent of the individual for treatment and for payment and other health care operations. It also allows disclosure to family members unless the individual objects. It allows disclosure without consent under circumstances listed in the statute, including in response to a court order; in order to protect the public health or welfare; and for other specified government purposes.
The confidentiality provisions of § 1711-C do not apply to health care information that is subject to other provisions of state or federal law, including information governed by federal substance abuse laws (see below); state HIV laws (see below); state organ donor laws; the Maine Health Security Act, 24 M.R.S.A. § 2510 of the Maine Insurance Code; state mental health confidentiality law (see below); and Maine's workers' compensation law.
State law on confidentiality of mental health records appears in 34-B M.R.S.A. § 1207 and implementing regulations called the Rights of Recipients of Mental Health Services and the Rights of Recipients of Mental Health Services who are Children in Need of Treatment. The general rule is that all medical and administrative records pertaining to people served through state funds or by state licensed agencies cannot be disclosed except as provided in statute. The statute allows disclosure to the individual and to those for whom the individual gives a written authorization. It also allows disclosure without consent in response to a court order, for certain lawful government purposes (including providing continuity of treatment and care), and in other instances listed in the statute. Disclosure for child protective mandatory reporting, investigations, and proceedings is also allowed. 22 M.R.S.A. § 4015.
The implementing regulations also allow disclosure so that a person who is the subject of a specific threat of immediate harm by a person whose mental health information would otherwise be protected, as well as law enforcement, can be told of the threat.
The Maine Substance Abuse Prevention and Treatment Act makes records of treatment facilities confidential and privileged. Title 5 M.R.S.A. § 20047. State insurance law requires confidential treatment of all alcoholism and drug treatment patient records by nonprofit hospitals. Title 24 M.R.S.A. § 2329.
The state regulations for substance abuse treatment programs require that the programs comply with the federal confidentiality requirements. Me. Dept. of Health & Hum. Serv., 14-118 CMR chapter 5. (http://www.maine.gov/sos/cec/rules/14/118/118c005.doc) (requires Microsoft Word, or a Word viewer, to access)
State law on confidentiality of HIV information appears in 5 M.R.S.A. §§ 19201-19208. The general rule is that testing for HIV requires informed consent, and no information about HIV test results may be disclosed without authorization of the individual who is subject to the test. Insurance coverage and, in most cases, employment cannot be conditioned on information about HIV.
The statute allows disclosure without consent in some circumstances, including in communicable disease proceedings, adult or child protection proceedings, involuntary commitment proceedings, and by court order for good cause.
Confidentiality of Health Care Information - Federal Law
Health Insurance Portability and Accountability Act (HIPAA)
The principle federal law related to privacy of medical records appears in 45 CFR Parts 160, 162 and 164, which are the regulations implementing the privacy portion of HIPAA, P.L. 104-191, 110 Stat. 1936, (42 U.S.C. 1320d - 1320d-8). The regulations provide standards for the protection and disclosure of health information in health care contexts. The general rule for disclosures is that a covered entity may not disclose protected health care information except (i) to the individual, (ii) for treatment, payment or health care operations, (iii) incident to permitted uses, (iv) under an authorization from the individual, (v) in some instances after giving the individual an opportunity to object, and (vi) in accordance with exceptions set out in the regulation. Those exceptions include disclosures necessary to carry out various public purposes described in the regulation, such as public health activities, law enforcement activities, judicial and administrative proceedings, or satisfaction of state abuse and neglect laws. Disclosures that are protected by HIPAA and that have not been authorized by the individual must be the minimum disclosure necessary to address the disclosure standard under which the disclosure is authorized.
If another applicable law protecting medical records provides more protection than HIPAA does, then the other law controls.
Federal substance abuse law appears in 42 USC § 290dd-2 and implementing regulations at 42 CFR, Part 2. The law applies broadly to patient records maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation or research that is regulated or directly or indirectly assisted by the United States government. The statute allows the content of confidential records to be disclosed by prior written consent that complies with regulations or if disclosure is authorized by an appropriate court order based on good cause.
The federal substance abuse regulations that implement the statutes are extremely restrictive. Unlike other confidentiality statutes that may have a broad range of exceptions, these regulations provide that disclosures without patient consent may occur only for medical emergencies, certain research activities, certain audit and evaluation activities, and, in limited circumstances, by court order.