The opioid epidemic in the United States has been fraught with death by overdose, infections, and criminal justice involvement. In 2012, about 71% of opioid overdose deaths involved at least one other controlled or otherwise sedating substance (
1). In 2015, the Centers for Disease Control and Prevention (CDC) reported that 52,404 deaths due to drug overdose had occurred in the United States between 2010 and 2015 (
2). About 63% of these deaths involved an opioid, and half of those deaths involved an opioid prescription. According to a report by the Center of Behavioral Health Statistics and Quality, diversion of opioid prescriptions by a relative was the most common source of misuse (
3).
In 1973, the Bureau of Narcotics Enforcement (BNE) of New York State (NYS) established a prescription monitoring program (PMP). At the time, data collection was limited to schedule II controlled substances, but it was later expanded to include benzodiazepines (1989) and eventually all prescriptions for controlled substances (2007). Despite the program, reports of opioid overdoses increased significantly between 2003 and 2012. According to the Mortality and Morbidity Report released by the CDC in 2015, the number of deaths in NYS from drug poisoning increased from 750 in 2003 to 1,869 in 2012. Of note, deaths involving opioid analgesics increased from 179 in 2003 to 883 in 2012.
As a proposed solution, in 2011, NYS Attorney General Eric T. Schneiderman introduced a program bill to enhance the effectiveness of the PMP by increasing detection of prescription diversion, physician shopping, and “pill mills” (a term for clinics with loose prescribing practices for controlled substances, often patronized by individuals with substance use disorders). The attorney general also proposed the establishment of the Internet System for Tracking Over-Prescribing (I-STOP) (
4). In June 2012, the NYS legislature unanimously passed the bill, and in August 2012, it was signed into law by Governor Andrew Cuomo. On August 27, 2013, I-STOP went into full effect across NYS.
By June 2014, 49 states had passed legislation to establish PMPs and 25 of those states laid out the reasons for doing so. The most common reason was reducing inappropriate use or misuse of prescription medications (cited by 15 states), followed by addressing diversion of prescription medications (12 states) and assisting law enforcement actors in investigation or prevention of criminal activity. According to the Training and Technical Assistance Center, 49 states, the District of Columbia, and one U.S. territory (Guam) currently have an operational PMP that functions to collect data from dispensers and reports information from the database to authorized users. It is common for states to enter into reciprocal agreements to share their PMP data with other states. To date, Missouri is the only state that has not established a PMP.
Presently, the NY PMP collects data on all prescriptions for a schedule II, III, IV, and V controlled substance dispensed by every pharmacy licensed by NYS. Those pharmacy transmissions are required to be sent to BNE within the State Department of Health by the 15th day of the following month (
4). The BNE may share this information with other state agencies, including the professional boards of pharmacy and medicine and the Office of the Medicaid Inspector General, and with health care clinicians treating patients. Law enforcement agencies are excluded for the purpose of information sharing.
The establishment of a PMP by NYS was criticized by some as a violation of patients’ right to privacy. The law was challenged in New York District Court and was found unconstitutional, a ruling that was later appealed to the U.S. Supreme Court. In the Whalen v. Roe case in 1977, the Supreme Court held that the right to privacy was not absolute. The court found that in order to help prevent drug diversion, restrictions can legitimately be placed on citizens as part of NYS’s broad police power.
This column describes the I-STOP program and its compatibility with HIPAA and part 2 of 42 Code of Federal Regulations (CFR). We reviewed the I-STOP legislation as it appeared originally in the 2012 NY Acts (chapter 447) and the regulatory statements that relate to its implementation under part 80 of the Rules and Regulations on Controlled Substances. We also performed a literature review by using the following key words and medical subject heading (MeSH) terms: NY city/epidemiology, prescription drug misuse/legislation & jurisprudence, prescription drug misuse/mortality, inappropriate prescribing/prevention & control, and prescription drugs. Fictionalized clinical scenarios illustrate issues of privacy and disclosure that are commonly encountered by physicians during routine practice.
Review of I-STOP, HIPAA, and Part 2 of 42 CFR
I-STOP.
The NYS attorney general proposed the following goals for the mandatory I-STOP program (
3): decrease criminal diversion and abuse of controlled substances; minimize addiction and adverse drug events; reduce overdoses, violence and self-injury, and family conflicts arising from misuse of controlled substances; decrease costs to legal and health care systems; monitor patients and prescribers for illegal activity involving a controlled substance; and protect and promote access to controlled substances for patients with a legitimate medical need and improve patient care.
I-STOP mandates that prescribers and pharmacists consult the PMP registry before they prescribe or dispense a controlled substance. Furthermore, medical documentation must include PMP accession codes and note prescription discrepancies. All controlled substances must be prescribed electronically, and prescribing clinicians must obtain waivers if they cannot do so.
According to the final I-STOP report, current laws prohibit the viewing of all statutorily required data collected on the system by a practitioner, pharmacist, or the commissioner of health, unless authorized by law, and impose new civil penalties for violations. They also provide immunity for public officers acting in good faith and civil penalties for those persons who knowingly violate privacy provisions in the Public Health Law.
HIPAA.
HIPAA was enacted by the U.S. Congress and signed by President Bill Clinton in 1996. Title II of HIPAA, known as the administrative simplification, makes provisions for the establishment of national standards for electronic health care transactions and national identifiers for clinicians, health insurance plans, and employers. Although it encourages widespread use of electronic data exchange, it also specifically addresses questions about the security and privacy of health data to prevent health care fraud and abuse. It comprises the privacy rule, transactions and code sets, the security rule, and the unique identifiers and enforcement rules, of which the first two are pertinent to this column.
The Privacy Rule or Standards for Privacy of Individually Identifiable Health Information establishes national standards for the protection of certain health information (
www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html). It regulates the use and disclosure of protected health information held by covered entities. A covered entity may disclose protected health information to facilitate treatment, payment, or health care operations without a patient's expressed written authorization. Treatment includes coordination of care between health care clinicians. Any other disclosures of protected health information require the covered entity to obtain written authorization from the individual. However, when a covered entity discloses any protected health information, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting health information that is held or transferred in electronic form (
www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html). It operationalizes the privacy rule by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic protected health information.
Part 2 of 42 CFR.
Under these regulations, written consent for the purposes of information sharing must include the specific names or general designations of entities or individuals permitted to make the disclosure and establish how much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information. The consent must also specify the individuals to whom a disclosure is being made and whether the recipient entity has a treating provider relationship with the patient whose information is being disclosed (
5).
Case Scenarios
Case 1.
A 35-year-old man is prescribed mixed amphetamine salts for attention-deficit hyperactivity disorder (ADHD) by his primary care physician (PCP), while his psychiatrist is concurrently treating him for alcohol and stimulant use disorders. The patient begins to show signs of psychosis. The psychiatrist suspects a relapse and orders urine toxicology. The patient tests positive for amphetamines and discloses that he has a prescription from his PCP. The psychiatrist does not check I-STOP because he was not prescribing a controlled substance. The patient declines to sign a release for the psychiatrist to contact the PCP, leading the psychiatrist to believe that he did not have an avenue to effectively treat the patient.
Case 2.
A 25-year-old female with a self-reported history of ADHD relocates to NYS from Florida and presents to a psychiatrist’s office seeking “continuation of care.” Although she reports being stable on methylphenidate, she declines to allow the psychiatrist to speak to her physician in Florida, stating that it is irrelevant to her current care. The psychiatrist does not know whether he has any way to obtain this information so he can help the patient and establish care. The psychiatrist feels unable to confirm information relevant to the patient’s prior treatment and declines to admit her to the clinic.
Discussion
In the first case, a BNE official clarified that a psychiatrist is mandated to contact the PCP and inform him or her of the potential harm that amphetamine salts are causing the patient and to coordinate his care accordingly. Even without the patient’s consent, such contact is not a HIPAA violation and is a necessary action for compliance with the I-STOP laws (
6).
In the second case, the psychiatrist is justified in deciding to decline to admit the patient to the clinic because at that stage, the physician and patient had not yet reached an agreement for establishing an ongoing patient-physician relationship. Also, the clinic would be justified in checking the PMP even though the patient did not provide permission to speak to the prior psychiatrist and even though she was not an established clinic patient. Realistically, the psychiatrist could have developed a therapeutic alliance by providing clinical care on the basis of the available information—while declining to write a stimulant prescription until the patient’s history could be confirmed from the previous psychiatrist.
The I-STOP laws permit physicians to contact other prescribers whose names are found in the PMP, even if the patient does not explicitly permit such collaboration or decline to authorize such contact (
7). Interstate agreements allow physicians to share information about controlled substances through their PMPs and make more informed decisions about mutual patients’ care. For example, NYS has interstate agreements with Connecticut, Indiana, Massachusetts, New Jersey, Rhode Island, Vermont, and Virginia that permit exchange of this information (
8). Furthermore, the U.S. Office of Civil Rights establishes that the covered entity or a business associate of a covered entity is permitted to obtain protected health information without patient consent or authorization for a subset of health care operation activities, which include supporting fraud and abuse detection (
9). NYS law also permits physicians to check the PMP even if they are not prescribing controlled substances to a patient (
7).
Specifications of HIPAA permit information sharing in all states under certain circumstances, even though it is contrary to the rule, according to 45 CFR §160.203(a). Disclosure is permitted under HIPAA if it is necessary to prevent fraud and abuse related to the provision of or payment for health care, is for the purposes of serving a compelling need related to public health, or has as its principal purpose in the regulation of the manufacture, registration, distribution, and dispensing of any controlled substance.
Physicians often cite “HIPAA violation” as the reason they are reluctant to contact another physician or prescriber to discuss a patient if they do not have the patient’s explicit permission to do so. The key implication for administrators is to train physicians to use PMPs and share information appropriately in medical practice. Clinical information sharing without patient authorization is permitted under HIPAA, and those in the position of shaping training and making recommendations should be explicit in explaining the circumstances under which these disclosures are acceptable.
Coordination of care improves clinical outcomes, patient satisfaction, and engagement in one’s own treatment, and it curbs the extent of diversion. It could ultimately result in reduction of relapses, coprescribing of controlled substances such as opioids and benzodiazepines, and ultimately, lethal overdoses.