Behavioral Health Care Compliance Toolbox

 

The Office of Behavioral Health (OBH) promotes the prevention, detection and resolution of actions that do not conform to legal, policy or business standards.

Office of Behavioral Health rules require compliance with state and federal rules and laws (see 2 Code of Colorado Regulations (CCR) 502-1, Rule 21.110.B.1, Governance, Rule 21.170.1.A, Records Care and Retention, General Provisions, and 21.170.2.A Confidentiality). Violation of federal confidentiality statutes is a violation of OBH rules.

The following resources are provided to assist applicants and licensed/designated treatment agencies to develop policies and practices that comply with federal law. There is no "one size fits all" compliance program. There are many diverse organizations, both in size and scope of services provided. This page offers resources to mental health and substance use disorder providers in a variety of health care compliance areas.

Definitions
  • The Health Insurance Portability and Accountability Act (HIPAA) contains requirements that govern the sharing of private information that identifies patients in medical settings, including behavioral health.

  • 42 Code of Federal Regulations Part 2 (i.e., 42 CFR Part 2 or Part 2) is the federal confidentiality statute that protects the identities of individuals receiving substance use disorder treatment. The regulations ensure that a patient receiving treatment for a substance use disorder in a Part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.

  • Substance Abuse and Mental Health Services Administration (SAMHSA) was established by the U.S. Congress in 1992 to make substance use and mental disorder information, services, and research more accessible. SAMHSA is a public agency within the U.S. Department of Health and Human Services (HHS).

  • The Office of Civil Rights is charged with administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules.

  • The Office of the Inspector General (OIG) is charged with fighting waste, fraud and abuse in Medicare, Medicaid and more than 100 other U.S. Department of Health and Human Services programs.

  • Protected Health Information - The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

    "Individually identifiable health information" is information, including demographic data, that relates to:

    • the individual's past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual,

    and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

  • Personal Identifying Information (PII), as defined in C.R.S. § 6-1-716, includes social security numbers, personal identification numbers, passwords, pass codes, official state or government-issued driver's license or identification card numbers, government passport numbers, biometric data, employer, student, or military identification numbers, and financial transaction devices, including financial account numbers.

 

Toolbox


Tool | Purpose

State of Colorado Resources

OBH Rules | Read OBH Rules in their entirety.
Office of Information Technology (OIT) Security Policies | OIT rules and policies issued under the authority of Colorado Revised Statutes 24-37.5-401 et seq.
Colorado Department of Human Services HIPAA Page | Access to HIPAA-related forms and the CDHS HIPAA Notice of Privacy Practices.

Federal Regulation
42 CFR Part 2 and SAMHSA's Guidance Related to Part 2

42 CFR Part 2 - Confidentiality of Substance Use Disorder Patient Records | Read the federal regulation in its entirety.
SAMHSA Substance Abuse Confidentiality Regulations | Frequently Asked Questions (FAQs) regarding the Substance Abuse Confidentiality Regulations.
Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me? | Explains the definition of a 42 CFR Part 2 Program and how healthcare providers can determine if 42 CFR Part 2 applies to them.
Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data? | Describes how 42 CFR Part 2 applies to the electronic exchange of healthcare records with a Part 2 Program.
42 CFR Part 2 Elements of a Valid Consent: Elements and Requirements | Providers should use this checklist to determine if the consent they are using contains the elements required in 42 CFR Part 2 regulations.
CDHS Authorization/Informed Consent for Use and Disclosure of Health Care Information | This sample form is both HIPAA and 42 CFR compliant.
Fast Facts - What requirements impact an OBH-licensed or designated facility that is ceasing operations? | Regulations that providers who are closing need to follow.
Fast Facts - What allows OBH to receive PHI from grantee programs without a Business Associate Addendum or a Qualified Service Organization Agreement? | Explains OBH's authority to request PHI from programs.
Federal Alcohol & Drug Confidentiality Rules and SBIRT Services | Tools explaining how the federal alcohol and drug confidentiality rules apply to Screening, Brief Intervention and Referral to Treatment (SBIRT) services for youth.
SAMHSA-Funded Center of Excellence for Protected Health Information | Resources to promote awareness and strengthen knowledge and skills for professionals seeking to understand and apply Protected Health Information (PHI) privacy laws and regulations on the job and for individuals and families when accessing services.

Health Insurance Portability and Accountability Act and Related Resources

HIPAA - Health Insurance Portability and Accountability Act PL 104-191 | Read this federal regulation in its entirety.
Office of Civil Rights (OCR) Resources (1. HIPAA for Professionals, 2. HIPAA Enforcement) | These pages contain detailed information on the HIPAA regulations, including tools and training materials for providers.
HIPAA Elements of a Valid Authorization - Uses and Disclosures for which an Authorization is Required: Core Elements and Requirements | Providers can use this checklist to determine if the authorization they are using contains the required elements in HIPAA regulations.
Privacy Brief - HIPAA Privacy Rule | Offers a summary of the Privacy Rule, its requirements and who is covered.

HIPAA Security Regulations and Related Resources

HIPAA Security Standards Matrix | HIPAA Security policies, required and addressable (if you don't have a policy on addressable policies, you must document why).
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients | Resources to aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes. The publication includes a main document, two technical volumes, and resources and templates.
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients | Resources developed by the Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services (HHS) Office for Civil Rights, and other HHS agencies to help you integrate HIPAA and other federal health information privacy and security into your practice.
HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules | Fact sheet containing HIPAA rules, who must comply with the rules, and how the rules are enforced.

Fraud, Waste and Abuse Regulations and Related Resources

Federal Health Care Fraud and Abuse Laws | Compiled list of resources provided by the Office of the Inspector General.
Office of the Inspector General (OIG) | This page provides links to handy resources for the public that can help ensure that you are in compliance with federal health care laws.
OIG Measuring Compliance Program Effectiveness | Tool to measure the effectiveness of your Compliance Program.

Colorado-Specific Regulations

Colorado Consumer Protection Data Law C.R.S. § 6-1-716 | State law requiring notification to consumers in the event of a data breach. This includes notification to any person, commercial entity, or governmental entity that maintains, owns, or licenses personal identifying information ("PII") of Colorado residents in the course of its business, vocation, or occupation.
Colorado's Consumer Data Protection Laws: FAQs for Businesses | The Colorado Attorney General Office is charged with enforcing this law and maintains a web page with an overview of the law's requirements.
Colorado False Claims Act | The law that allows whistleblowers to bring suit in the name of the State of Colorado where a wrongdoer engages in conduct that defrauds the State or local government of its health care dollars. This statute is designed to address Medicaid fraud.
C.R.S. § 25-1-801 (Part 8 - Patient Records; Part 12 - Medical Record Confidentiality) | Colorado laws regarding patient records and medical record confidentiality.

Criminal Justice Resources

Information Sharing in Criminal Justice - Mental Health Collaborations | Individuals with mental illnesses are overrepresented at every stage of the criminal justice process. In response, many jurisdictions have developed a range of policy and programmatic responses that depend on collaboration among the criminal justice, mental health, and substance abuse treatment systems.
CDHS Forensic Services | The Colorado Department of Human Services, Office of Behavioral Health (OBH) provides evaluation, treatment and other services to the forensic population statewide. Forensic clients are individuals who are diagnosed with mental health disorders, involved in the criminal justice system, and are either currently incarcerated or living in the community. In order to best serve this population, OBH's Forensic Services team works across all settings, including the Mental Health Institutes, jails, and the community.