Navigating Confidentiality in First Responder Deflection

First responders often gain access to sensitive information about people’s substance use disorders (SUD) and treatment. Protecting the privacy of this information is key to these individuals’ recovery. It also is required by law.

This resource explains the limited circumstances under which two federal privacy laws apply to SUD information obtained by first responders. It also describes how these laws permit first responders to share protected health information.

Key Points

• First responders only are required to follow HIPAA if they are a “covered entity.” To be a covered entity, they need to provide healthcare and transmit health information electronically for certain transactions, such as billing.
• Part 2 only applies to “Part 2 programs” and “lawful holders.” First responders will rarely be a Part 2 program, which generally is a program that primarily provides SUD treatment.
• First responders who receive patient records from a Part 2 program will become a “lawful holder.” As a lawful holder, they must follow Part 2’s privacy and security restrictions for that information.