Confidentiality of North Carolina Medical Database Commission Records

Subject:

Requested By: James E. Long Commissioner of Insurance

Question: Is Article 11 of Chapter 131E (North Carolina Database Commission) as amended by Chapter 592, 1987 Session Laws, in accordance with the federal regulations as provided in CFR 2.52 and 2.53(c)(d)?

Conclusion: Yes.

At its 1985 Session, the North Carolina General Assembly expressly determined that there was an urgent need to understand patterns and trends in the use and cost of medical services in this State. See G.S. 131E-210. Therefore, in order to establish an information base so as to improve the appropriate and efficient usage of medical care services and to maintain an acceptable quality of such services, it enacted legislation effective July 1, 1985. That legislation (codified as Article 11 of Chapter 131E of the North Carolina General Statutes) created the Medical Database Commission as a responsible agency to receive necessary data from public and private providers and third-party payers. This 1985 legislation specifically stated that ". . . patient confidentiality shall be protected." See G.S. 131E-210(b). It also prescribed that a limited amount of nonidentifying data be required of reporting agencies, required the formulation of procedures to assure confidentiality of records, restricted the permissible use of information secured and the sharing of it with other agencies, and, with the exception of final reports containing no "patient’s individual personal identifiers", excluded the data collected from application of the provisions of Chapter 132, North Carolina General Statutes, dealing with public records. See G.S. 131E-212, 213.

In its 1987 Session, after finding as a matter of fact that limited use of patients’ social security numbers was necessary for insuring the accuracy of the database, the General Assembly ratified Chapter 592 of the 1987 Session Laws; this legislation, which resulted in the amendment of G.S. 131E-210(b), 212 and 213, was designed to remedy the recognized shortcomings. In view of the widespread receipt and utilization of federal funds in the treatment of alcohol and drug abuse patients, the thrust of the present inquiry is directed toward ascertaining whether the provisions of Article 11, Chapter 131E (including this year’s amendments which became effective on July 10, 1987) comply with the federal regulations. Further, the obtaining of this written opinion of the Attorney General is necessary in order for the Commission to comply with the requirements of 42 CFR 2.53(d)(1).

By way of general background information relative to the Federal requirements, 42 USC 290dd-3 imposes rigid requirements relative to maintaining the confidentiality of records involved in alcoholism or alcohol abuse programs which are ". . . conducted, regulated or directly or indirectly assisted by any department or agency of the United States." Additionally, 42 USC 290ee-3 contains the same rigid requirements for patients involved in drug abuse programs. 42 USC 290dd-3(b)(2)(B) and 290ee-3(b)(2)(B), respectively, authorize the release of confidential records in the areas described above to ". . . qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation. . ." However, these two statutes prohibit the recipients thereof from identifying any patients, directly or indirectly, in any report made by these recipients.

The federal regulations implementing these provisions of the United States Code are contained in Part 2 of Subchapter A of Title 42 of the Code of Federal Regulations. These regulations, as might be expected, adhere to the same strict confidentiality standards as their progenitor statutes. Understandably, though, these regulations also contain or amplify upon the same authorizations for release, with or without patient consent, of records to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, with the proviso that individual patients shall not be identified in any report made by such personnel. See 42 CFR 2.52. However, the following significant language expresses a clear intent to mandate a sensible, realistic approach (such as that taken by the North Carolina General Assembly) to the interpretation of these federal regulations:

"General Purpose. Paragraph (a) of this section is adapted directly from subsection (b)(2)(B) of the authorizing legislation. The purpose of each is the same: To facilitate the search for truth, whether in the context of scientific investigation, administrative management, or broad issues of public policy, while at the same time safeguarding the personal privacy of the individuals who are the intended beneficiaries of the process or program under investigation. This subpart in particular, and this part as a whole, are intended to aid in carrying out that purpose." 42 CFR 2.52.1(a).

With this background in mind, the issue of compliance of Article 11, Chapter 131E, North Carolina General Statutes (in their present form) with the pertinent federal regulations and statutes will be considered. Inasmuch as the amendments to Article 11 constitute the first requirement for the divulgence of identifying information to the Database Commission, this opinion will be primarily directed toward the sufficiency of these amendments to effect compliance with the federal requirements. However, it should be noted that even prior to its amendment, Article 11 contained requirements for the observance of confidentiality —e.g. G.S. 131E-210(b), G.S. 131E-211(a), G.S. 131E-212(b)(5)(6), G.S. 131E-212(f) and G.S. 131E-213.

Perhaps the best method of analysis is to set forth the exact language of each 1987 amendment to Article 11 coupled with a citation to the appropriate federal authorization for that amendment through federal statutes and regulations, with such citations being not limited to those regulations cited in the question posed here.

G.S. 131E-210(b)

"However, the limited use of the social security numbers of patients as provided in G.S. 131E212(b)(5) and (6) and G.S. 131E-213 is vital to insuring the degree of accuracy of the information base contemplated by this Article and to achieve the purposes of the General Assembly in enacting this Article."

AUTHORIZATION

42 CFR 2.18 merely requires that any disclosure of confidential information "shall be limited to information necessary in the light of the need or purpose of the disclosure." Implicit in the amendatory language of G.S. 131E-210(b) is a finding of fact by the General Assembly as to the vital necessity for access to this information by the Database Commission.

G.S. 131E-212(b)(2)

"In accordance with the findings of the General Assembly set forth in G.S. 131E-210(b), data provided to the Commission may include the patient’s social security number but the handling and disclosure of such number will be in accordance with G.S. 131E-212(b)(5) and (6) and G.S. 131E-213."

AUTHORIZATION

42 CFR 2.18 and 42 CFR 2.52(a) clearly permit the disclosure of a patient’s record to qualified personnel for the type of endeavors expected of the Database Commission.

G.S. 131E-212(b)(5)

"For purposes of this section, the social security numbers of patients shall not be considered to be patient identifying information, although further dissemination of such numbers shall be governed by the provisions of G.S. 131E-212(b)(6) and G.S. 131E-213." Further, the term "patient identifying information" was substituted for "personal identifiers" in order to conform with the terminology defined in 42 CFR 2.11(j).

AUTHORIZATION

The language of 42 CFR 2.18 and 42 CFR 2.52(a) serve as authorization for this amendment.

G.S. 131E-212(b)(6)

"In no event may a data provider obtain data regarding the social security number of a patient except in instances when that data was originally submitted by the requesting provider."

AUTHORIZATION

Notwithstanding the prohibitions on disclosure found in 42 CFR 2.18 and 42 CFR 2.52(a), the provisions of 42 CFR 2.52(b) permit the inclusion of patient identifying information in any written or oral communication between a person to whom such disclosure has been made under 42 CFR 2.52(a) and the program which originally made the disclosure.

G.S. 131E-213

"The confidentiality of patient identifying information is to be protected and the pertinent statutes, rules, and regulations of the State of North Carolina and of the Federal Government relative to patient confidentiality shall apply. For purposes of this section, patient identifying information means the name, address, social security number or similar information by which the identity of the patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information The term does not include a patient identifying number assigned by a program. In any event, the patient identifying information (as defined in this section) obtained shall not be further disclosed, and may not be used in connection with any legal, administrative, supervisory, or other action whatsoever with respect to such patient. The Commission shall hold such information in confidence, is prohibited from taking any administrative, investigative, or other action with respect to any individual patient on the basis of such information, and is prohibited from identifying, directly or indirectly, any individual patient in any report of scientific research or long-term evaluation, or otherwise disclosing patient identities in any manner. Further, patient identifying information submitted to the Commission which would directly or indirectly identify any patient may not be disclosed by the Commission either voluntarily or in response to any legal process whether federal or State unless authorized by an appropriate court of competent jurisdiction granted after application showing good cause therefor. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure."

AUTHORIZATION

The first sentence of the amendment to G.S. 131E-213 requires compliance with 42 CFR 2.23. That regulation provides that federal law does not preempt state law unless in conflict therewith. 42 CFR 2.23. It permits disclosure only as authorized by the Federal Regulations. The second sentence fulfills the requirement of 42 CFR 2.11(j) which defines the term "patient identifying information". The third sentence reflects an exemption from confidentiality requirements expressly made by 42 CFR 2.11(j) regarding patient identifying numbers assigned by programs. The fourth sentence accommodates the requirements of 42 CFR 2.13(a) and (b). The fifth sentence reflects recognition of the prohibition in 42 CFR 2.52(a) and (b)(1) which precludes disclosure or the use of the type of confidential information described in the fashion set forth in that sentence. The sixth sentence accommodates the procedures contained in 42 CFR 2.56 which prohibits divulgence of the type of information described absent an appropriate court order. Further, the sixth sentence requires compliance with 42 USC 290dd-3(b)(2)(C) and 42 USC 290ee-3(b)(2)(C), which require a showing of good cause before authorization for disclosure of confidential information will be ordered by a court of competent jurisdiction. The seventh sentence is also based upon the provisions of 42 USC 290dd-3(b)(2)(C) and 42 USC 290ee-3(b)(2)(C) which prescribe the standard to be utilized in evaluating the propriety of release of confidential information. The eighth sentence requires compliance with the mandates of 42 USC 290dd-3(b)(2)(C) and 42 USC 290ee-3(b)(2)(C) which require the imposition of appropriate safeguards against unauthorized disclosure of information released.

In summary, Article 11 of Chapter 131E in its present form is in full compliance with the Code of Federal Regulations and all pertinent federal statutes.

LACY H. THORNBURG Attorney General

William F. O’Connell Senior Deputy Attorney General