Oklahoma Bar Journal

Finding the Keys to Unlock Behavioral Health Records

By Robin Moore

© Mark Kostich | #208013095 | stock.adobe.com

Have you ever submitted a subpoena to an alcohol and drug counselor, a licensed professional counselor or a psychiatric facility and received a form letter denying you the records you requested? Perhaps you’ve submitted what you thought was a properly executed consent for release of medical records only to receive a similar denial?

When it comes to medical records, our analysis often begins and ends with the Health Insurance Portability and Accountability Act (HIPAA). However, we often fail to realize that other federal and state laws have been adopted in addition to (and sometimes conflicting with) HIPAA or that different and/or additional procedural steps are required to obtain mental health and substance abuse records. While HIPAA is a good place to start for unlocking the disclosure of behavioral health and substance use disorder information, one must also become familiar with 42 C.F.R. Part 2, 43A O.S. §1-109 and O.A.C. 450:15-3-20.1.


Hypertension may not affect one’s employment, their right to own a firearm or visitation with their children; however, diagnosis and treatment of bipolar disorder may affect all these areas. Approximately one in five Americans with mental health conditions do not receive the treatment they need, in large part due to stigma.1 When a person receives treatment, documentation of the illness can not only deter initial diagnosis but also continued treatment compliance. To see the stigma it perpetuates, one only needs to look at one of the most popular holidays in America: Halloween. Images of haunted asylums or terms like “psycho” are prevalent during this holiday. These images aren’t just limited to Halloween. This past season, I attended a highly competitive band competition. One Oklahoma school’s performance was titled Insanity, where the students wore straitjackets, mimicked being physically restrained and rolled their heads around. Stigma is one of the largest barriers to treatment in the U.S., including in Oklahoma.


Section 42 C.F.R. Part 2 (Part 2) refers to 42 U.S.C. §290dd and its implementing regulations. The HIPAA Privacy Rule is found in 45 C.F.R. Parts 160, 162 and 164. The Privacy Rule and Part 2 are two separate, distinct and sometimes conflicting bodies of law. Part 2 protects the privacy of substance use disorder records and applies to any individual or program that is federally assisted and holds itself out as providing alcohol or drug abuse diagnosis, treatment or referral for treatment.2 Part 2 originated in the 1970s as an effort to encourage individuals to enter and stay in substance use disorder treatment.3

When HIPAA was enacted in 1996, the Privacy Rule covered all medical records. The main objective of HIPAA was to protect health insurance coverage for individuals when they changed jobs. A related objective was to streamline healthcare transactions between providers and insurance companies, and therefore, privacy rules were also implemented to protect patient health records. When the Privacy Rule was first issued, the Department of Health and Human Services (HHS) determined that HIPAA and Part 2 do not conflict in most situations.4 As electronic medical records (EMRs) became more prevalent, the Health Information Technology (HITECH) Act was enacted in 2009 to promote the growth of EMRs and set forth standards of how medical records are shared and provided penalties for unauthorized disclosures. The HITECH Act did not change the Privacy Rule as far as the circumstances of when and under what circumstances disclosure is allowed, such as consent, disclosures during medical emergencies and disclosures for abuse reporting.5


One common area where the bodies of law conflict is whether a subpoena is sufficient to disclose records that would otherwise be protected. Although it is frustrating being denied access to records after sending a subpoena, the added protection is necessary to maintain the sensitive nature of behavioral health and substance use disorder records. The release of substance use disorder records pursuant to Part 2 is more stringent than HIPAA when considering if records can be disclosed pursuant to a subpoena. While HIPAA allows the disclosure of medical records, which includes behavioral health records pursuant to a subpoena,6 Part 2 provides that a subpoena is not sufficient to compel substance use disorder records.7 Thus, if someone requesting records only considered HIPAA in their analysis of when disclosure is permitted, their conclusion would not be correct if the records they are requesting contain information relating to a substance use disorder.

An additional twist that further complicates the pursuit of behavioral health or substance use disorder records are requirements for obtaining such records under state law. HIPAA is the federal “floor” for privacy protections; it allows states to have laws that are contrary to the Privacy Rule in certain circumstances.8 HIPAA provides that state confidentiality laws will control if they are more restrictive or protective than HIPAA. Section 45 C.F.R. Part 160, Subpart B contains the requirements for state law preemption and provides four ways state law can preempt the Privacy Rule. Section 45 C.F.R. §106.203(b) is the applicable authority for state law preemption:

§160.203 General rule and exceptions. A standard, requirement or implementation specification adopted under this subchapter that is contrary to a provision
of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:
b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.9

Oklahoma has adopted the Part 2 subpoena rule for all behavioral health records.10 Section 43A O.S. §1-109(D) states:

Except as otherwise permitted, mental health and alcohol or substance abuse treatment information may not be disclosed without valid patient authorization or a valid court order issued by a court of competent jurisdiction. For purposes of this section, a subpoena by itself is not sufficient to authorize disclosure of mental health and alcohol or substance abuse treatment information.11

© terovesalainen | #232435916 | stock.adobe.com


If a subpoena is insufficient to obtain mental health and substance use disorder records and a request has not been authorized by a patient, a court order is necessary to obtain these records. What are the required elements for the order? Section 43A O.S. §1-109 does not specify the requirements for the order. The statute requires a “valid court order issued by a court of competent jurisdiction.”12 HIPAA does not have any standards or criteria for a court order, but Part 2 is more specific. For civil cases, Part 2 requires a requesting party to provide the patient whose records are sought and the provider both notice and an opportunity to respond.13 If the order is sought for release of the records for purposes of investigating or prosecuting a patient, only the program or provider needs to be notified.14 The application and hearing must also be done in a manner that does not disclose patient identifying information. Part 2 sets forth the following criteria for entry of an order in a civil proceeding:

  1. Other ways of obtaining the information are not available or would not be effective; and
  2. The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-
    patient relationship and the treatment services.15

Although notice is only required to be given to the provider in criminal cases, Part 2 has more extensive criteria for entry of an order to disclose records in a criminal case:

  1. The crime involved is extremely serious, such as one that causes or directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon and child abuse and neglect.
  2. There is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution.
  3. Other ways of obtaining the information are not available or would not be effective.
  4. The potential injury to the patient, to the physician-patient relationship and to the ability of the Part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure.
  5. If the applicant is a law enforcement agency or official that:
    1. The person holding the records has been afforded the opportunity to be represented by independent counsel; and
    2. Any person holding the records who is an entity within federal, state or local government has in fact been represented by counsel independent of the applicant.16

Furthermore, the content of the order must limit the disclosure of records to only the purpose specified, limit the release of records to only those “whose need for information is the basis for the order” and “include other measures as are necessary to limit disclosure for the protection of the patient, the physician-patient relationship and the treatment services.”17 Often, this is accomplished by sealing the application and order and holding the hearing in chambers or limiting courtroom access to only those parties necessary to the issue of disclosure of records.


Taking into account HIPAA, Part 2 and 43A O.S. §1-109, a party presents a properly executed court order and/or authorization for release of behavioral health or substance use disorder records. Upon receiving the records, the party realizes portions of the records are redacted, or they did not receive all the information they expected. An authorization for release of records (and depending on the language in your order) is not sufficient for the release of “psychotherapy notes” under the Privacy Rule.18 “Psychotherapy notes” are not progress notes. Progress notes are typically kept with medical records and are used by the entire treatment team in accessing an individual’s responsiveness to treatment. “Psychotherapy notes” are required to be kept separate from the individual’s medical and billing records and are for the therapist’s use. Records may also be redacted to protect the patient or another person if released.19 Prior to releasing the records, the treating physician may conduct a review to determine if there is any information that would “likely cause substantial harm to the individual or another person.”20 Therefore, obtaining these notes requires the court order to specifically provide for the release of psychotherapy notes or a separate consent form authorizing the release of psychotherapy notes.


Subpoenas and consent requirements are not the only differences in the bodies of law that govern access to mental health and substance use disorder records, but they are the most commonly encountered. Federal regulations are not set in stone, and change is on the horizon. SAMHSA promulgated a series of rule changes in 2016 to Part 2. The first set of changes was effective Feb. 17, 2017, and the second set of changes was effective Feb. 2, 2018. SAMHSA proposed additional rule changes in 2019, but those have not been promulgated. In a response to public comments, SAMHSA stated these proposed revisions “better reflect changes in the health care system, such as the increasing use of electronic health records and drive toward greater integration of physical and behavioral health care. Despite efforts to enhance integration, SAMHSA remains committed to protecting the confidentiality of patient records.”21

In 2019, lawmakers in both the House and Senate reintroduced legislation to align Part 2 with HIPAA. Identical bills have been introduced in previous sessions but have subsequently failed to pass due to opposition from privacy advocacy groups and a handful of congressmen. Proponents for changing Part 2 believe that making these records easier to share would enhance the coordination of patient care across various settings. The name of the House version was “The Overdose Prevention and Patient Safety Act.” In 2018, the effort to change Part 2 fizzled out when the American Medical Association warned congressional leadership such a change would deter patients from seeking treatment. However, the American Society of Addiction Medicine applauded the introduction of the legislation and other proponents believe keeping substance use disorder records separate from the rest of a patient’s medical record denies them a fully informed diagnosis and treatment, increases the chance of unintended prescribing errors and places patients at risk for dangerous drug interaction and overutilization.

COVID-19 has significantly changed the way behavioral health and substance use disorder services are rendered. To effectively treat Americans without disruption in services, Congress included previously proposed language to bring Part 2 more in line with HIPAA in the CARES Act. This legislation also incorporates parts of HIPAA with Part 2, such as breach notification, civil and criminal penalties, notice of privacy practices and accounting of disclosures.22 Although the “to whom” requirement has changed effective Aug. 17, 2020, the subpoena rule has not. Some new changes do not take effect until March 2021, and rulemaking will further define the scope of confidentiality in America.


Robin Moore serves as assistant general counsel with Oklahoma Mental Health and Substance Abuse Services. She is a member of the Juvenile Competency Evaluation Professional Committee through OCCY and is active with the Legal Division of the National Association of State Mental Health Program Directors. Ms. Moore received her J.D. from the OU College of Law in 1998.


  1. Allison Abrams, “The Catastrophic Effects of Mental Health Stigma.” Psychology Today, May 25, 2017.
  2. 42 C.F.R. §2.11.
  3. The Drug Abuse Office and Treatment Act of 1972.
  4. Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule), 65 Fed. Reg. 82480-83 (Dec. 28, 2000) (to be codified at 45 CFR Parts 160 and 164), available at www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf.
  5. The HITECH Act also increased penalties for breaches.
  6. 45 C.F.R. §164.512(f)(1).
  7. 42 C.F.R. §2.61(b).
  8. Does HIPAA Privacy Rules Preempt State Laws? www.hhs.gov/sites/default/files/adminsimpregtext.pdf. Accessed on April 16, 2020.
  9. 45 C.F.R §160.203.
  10. 43A O.S. §1-109.
  11. Id.
  12. 43A O.S. §1-109(D).
  13. 42 C.F.R. §2.64.
  14. 42 C.F.R. §2.65.
  15. 42 C.F.R. §2.64(d).
  16. 42 C.F.R. §2.65(d).
  17. 42 C.F.R. §2.64(e) and §2.65(e).
  18. 45 C.F.R. §164.524 and 43A O.S. §1-109(B)(1).
  19. 45 C.F.R. §164.524 and 43A O.S. §1-109(B)(4) and (7).
  20. 45 C.F.R. §164.524(a)(3)(ii).
  21. 83 F.R. 249.
  22. Adam J. Hepworth and Jennifer J. Hennessy, “COVID-19: CARES Act Overhauls Federal Substance Use Disorder Privacy Law,” Coronavirus Resource Center, Health Care Law Today, March 26, 2020, available at www.foley.com/en/insights/publications/2020/03/covid19-

Originally published in the Oklahoma Bar Journal -- OBJ 91 No. 7 (September 2020)