Get help today 888-287-0471 or sign up for 24/7 text support.
American Addiction Centers National Rehabs Directory

Understanding Confidentiality & Privacy Guidelines

If you are ready to enter drug rehab and are worried about how your privacy might be affected, it may be comforting to know that there are laws and regulations in place to protect you. And know that before you enter any treatment center, you can call it directly and ask about its privacy policies. You should always feel empowered to make a decision about whether or not you feel comfortable with how a given program handles patient information before entering it.


The Federal government created confidentiality laws to protect your information under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which all federally assisted drug and alcohol treatment centers must follow. They cannot release patient information unless you give consent or it is authorized under qualifying regulations. Treatment centers that violate these regulations may face a fine of as much as $500 for the first offense and as much as $5,000 for additional offenses. Licensed or State-certified employees (this includes nearly all programs and their employees) run the risk of losing their license or certification if they violate these privacy laws. Further, as a patient, you can sue anyone who discloses your information without your consent.1

The more confident people are that the details of their treatment or diagnosis will not be shared to others without their consent, the more likely they may be to enter (and successfully complete) treatment. This is the guiding principle that led to the establishment of these confidentiality laws in the first place.

After a person completes their intake interviews, they should receive a copy of the facility’s confidentiality and privacy guidelines, which outline their rights as a patient. In almost all cases, rehab center employees must also sign these confidentiality agreements.1

Learn More About Insurance for Rehab

Which US law protects the privacy of a person’s medical health records?shutterstock_566003920

In the United States, your medical records are protected through these laws:2-4

  • The Health Insurance and Portability and Accountability Act of 1996 (HIPAA): HIPAA protects all identifying information about a person who has applied for, been given a diagnosis of, or received treatment for alcohol or drug abuse at a federally assisted program. Programs cannot legally disclose any information about a patient unless they have given written consent, or unless their case qualifies for another exception that is specified in the HIPPA policy. If medical information is disclosed, it must only be the bare minimum required to carry out the purpose of the disclosure. The same regulations apply to minors who must give written consent before a program will release information to their parent or guardian.
  • The Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2) issued in 1975 and revised in 1987: This regulation specifies that substance abuse treatment programs are not allowed to share any patient information that would directly or indirectly identify someone having previous or current alcohol or drug abuse problems, unless the patient gives written consent. A few exceptions to the law’s requirement of written consent exist, including court-ordered criminal investigation against patients, suspected child abuse or neglect, medical emergencies, scientific research, and audit or program evaluation.

HIPAA was designed to give patients more control over their health information and privacy whenever they seek medical care. It sets boundaries on the use and release of medical records and gives patients the right to obtain copies of their own health information.5

Under HIPAA, hospitals, rehab centers, and similar organizations must:5

  • Use safeguards that protect their clients’ information.
  • Use procedures that keep the number of people who are aware of confidential information to a minimum.
  • Train employees about the best ways to maintain confidentiality.
  • Post guidelines about their privacy practices and provide copies for clients.

Under What Circumstances Could Information Protected by HIPAA be Disclosed?

Part 2 of HIPAA protects all information that could be used to identity a person, and it permits a patient to revoke their consent orally if they want to. Substance abuse programs must honor any verbal revocation.

According to Part 2 of HIPAA and the Privacy Rule, people within the same treatment program or hospital can communicate patient health information (PHI) on a “need to know” basis. The Privacy Rule requires that programs identify which employees need access to PHI, as well as the appropriate conditions of access to it. After determining which employees have a legitimate need for access, the treatment program must limit access of PHI to these employees only.

There are extenuating circumstances that may arise, which will permit the disclosure of limited patient information, including but not limited to:2

  • Crimes: If a patient commits a crime at the treatment center or against employees of the treatment center, Part 2 permits the release of limited patient information to the police. The information is limited to the patient’s name, address, last known whereabouts, and the circumstances of the incident.
  • Child abuse: Part 2 allows programs to comply with State laws that require reporting on child abuse and neglect. However, programs may only make an initial report; they may not respond to follow-up requests for information unless the patient has given consent to do so.
  • Medical emergencies: Part 2 allows for identifying information to be shared with medical personnel if they need to treat the patient for an immediate medical emergency. The information shared must be limited only to that which is necessary to treat the medical emergency.
  • Court-ordered release: If a patient is subpoenaed and signs a consent permitting the release of the information requested in the subpoena, then the program may release it. They may not release information in this case, however, unless the court issues an order that complies with Part 2.

Patients’ Rights Over Information under HIPAA

HIPAA gives patients a number of rights over their personal information, including:

  • The right to be informed about how their personal information may be shared.
  • The right to withhold permission from their information being used in certain ways.
  • The right to receive a report on why and when health practitioners shared their information.
  • The right to file a complaint if they believe their health information has not been protected.

When you know your rights and that reputable drug rehabs abide by these confidentiality laws, you can be free of the worry about privacy issues and focus on the most important thing: overcoming your addiction.

Learn More About Addiction Treatment

Was this page helpful?
Thank you for your feedback.

American Addiction Centers (AAC) is committed to delivering original, truthful, accurate, unbiased, and medically current information. We strive to create content that is clear, concise, and easy to understand.

Read our full editorial policy

While we are unable to respond to your feedback directly, we'll use this information to improve our online help.