Editor’s Note: Medicaid programs across the country are exploring approaches for effectively integrating the delivery of physical and behavioral health services. Coordinating care between these two historically balkanized sectors requires robust data exchange among physical and behavioral health providers. Many providers, however, are reluctant to share data for fear of violating health information privacy laws. In a new issue brief for State Health and Value Strategies, a program funded by the Robert Wood Johnson Foundation, Manatt Health discusses the strategies states are using to address the barriers that impede the data sharing critical to physical and behavioral health integration. Below is a summary of key points. To download the full brief, click here.

A growing number of Medicaid officials believe that coordinating care across the physical and behavioral health sectors is critical to improving outcomes and decreasing costs. States interested in more and better data exchange to support physical and behavioral healthcare integration, however, must first understand the legal barriers to sharing that information. They then must address the misperceptions that providers, health plans and other stakeholders have about those barriers, overcoming the common concern that freely sharing data means violating health information privacy laws.

Identifying the Real Legal Obstacles to Data Sharing?

There is no single obstacle to data sharing between physical and behavioral healthcare providers. Federal and state health information privacy laws create a complex network of requirements governing the use and disclosure of health information.

The Health Insurance Portability and Accountability Act (HIPAA) is the legal foundation for health information privacy in the United States. The HIPAA privacy rule restricts the use and disclosure of “protected health information” maintained by covered entities, which include most physical and behavioral healthcare providers. Due in part to broad exceptions covering disclosures by providers for treatment and care management activities, HIPAA is generally not a legal impediment to data exchange between physical and behavioral healthcare providers.

There are other laws, however, that can—and often do—stand in the way of effective data sharing and care coordination between the physical and behavioral healthcare sectors. For example, the federal alcohol and drug abuse treatment confidentiality rules, commonly referred to as the “Part 2 regulations,” create potential legal obstacles to data sharing that providers and states must carefully navigate. In addition, some states have created limitations on sharing behavioral health information, both across providers and between providers and insurers.

Debunking Misperceptions that Impede Data Sharing

Given the range of state and federal laws governing health information privacy, the nature of the real or perceived legal barriers to data sharing between physical and behavioral health providers will vary among situations and states. A state’s strategy for reducing barriers must be tailored to its particular obstacles. Certainly, one of the most common barriers to data exchange is provider confusion over the complex web of state and federal privacy laws. In the absence of a single, comprehensive health information privacy legal framework that governs all data exchange activities, providers are left to figure out for themselves how the patchwork of laws applies to their activities. Some of the most common provider misconceptions about health privacy laws include:

  • Misconception: HIPAA requires patient authorization for disclosures for treatment purposes.
  • Actual Legal Rule: No patient authorization is required.
  • Misconception: HIPAA’s minimum necessary provision forces providers to determine which parts of their medical records they can share with other providers for treatment purposes.
  • Actual Legal Rule: The minimum necessary rule does not apply to disclosures for treatment purposes.
  • Misconception: A provider may not disclose information to another provider for treatment purposes unless the receiving provider has a preexisting relationship with the patient.
  • Actual Legal Rule: No preexisting relationship is required to receive information for treatment purposes. (A prior relationship is required to receive information for quality improvement purposes.)
  • Misconception: HIPAA’s restriction on the disclosure of psychotherapy notes applies to all notes from counseling sessions that are part of the patient’s medical record.
  • Actual Legal Rule: A clinician’s notes qualify as psychotherapy notes under HIPAA only if they are maintained separately from the patient’s medical record.
  • Misconception: The Part 2 regulations restrict the disclosure of all substance abuse treatment information.
  • Actual Legal Rule: The Part 2 regulations apply only to specialized substance abuse providers, not general medical providers who deliver substance abuse services.
  • Misconception: A consent for the release of a Part 2 provider’s records must be a separate document and cannot be combined with any other type of patient consent.
  • Actual Legal Rule: A Part 2 consent can be combined with another patient consent form, if the form contains all of the elements required under Part 2 regulations.

In addition to the misunderstandings about the laws, other common hurdles to data exchange include disagreements over ambiguities in the law, concerns about the reliance on the privacy and security practices of other providers, and obstacles to obtaining patient consent. To support care integration, states should work with providers and managed care plans to debunk the misconceptions about legal privacy rules, as well as to overcome all the barriers that impede data sharing between physical and behavioral health providers.

Reducing Barriers

The extent to which providers engage in electronic data sharing—and the mechanisms they use to do it—will affect the feasibility and success of data exchange strategies. To reduce barriers effectively, state leaders must understand the nature of data exchange initiatives and develop strategies for both electronic and non-electronic communication that are appropriate for current data sharing methods and practices. States seeking to promote innovative care delivery models that rely on increased information exchange between physical and behavioral healthcare providers can use the following six strategies to eliminate barriers:

  • Clarify state law through agency guidance.
  • Enact state legislation or regulations to streamline privacy standards governing exchange.
  • Create standardized consent forms.
  • Provide information exchange implementation advice.
  • Enact immunity laws to protect providers engaging in information exchange.
  • Promote technological solutions to data segmentation that allow healthcare providers to share some data but not others.


States should use several different tools and approaches to eliminate barriers to data sharing while working within the patchwork of federal and state privacy laws. In addition, to improve integration between physical and behavioral healthcare, it is imperative that states foster a dialogue on actual vs. perceived barriers to data sharing and actively address misconceptions. Finally, states must understand data sharing initiatives within their states and develop relevant strategies for all communication, whether electronic or nonelectronic.

The most critical step for states to take is to get started. The sooner states create strategies to facilitate data sharing in support of care integration, the more productive electronic data exchange can occur—and the earlier patient care will improve.