Ezel / AG Opinions / NC
NC NC AG Advisory Opinion (1987-09-24) 1987-09-24

Does North Carolina's Medical Database Commission, after 1987 amendments allowing collection of patient social security numbers, comply with federal alcohol and drug abuse patient confidentiality regulations?

Short answer: Yes. Article 11 of Chapter 131E was amended in 1987 (Session Laws ch. 592) to allow the Medical Database Commission to receive social security numbers for accuracy in linking patient data across providers, while keeping patient identifying information confidential. The amendments are sentence-by-sentence aligned with the federal 42 C.F.R. Part 2 requirements: limited disclosure under § 2.18, qualified-personnel program-evaluation use under § 2.52, federal court order requirements under § 2.56, and patient anonymization in published reports. The amendments meet 42 USC §§ 290dd-3 and 290ee-3 and the Part 2 regulations, including 42 C.F.R. § 2.53(d)(1) which requires a written attorney general opinion before the Commission can receive these records.
Currency note: this opinion is from 1987
Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: This is an official North Carolina Attorney General advisory opinion. AG opinions are persuasive authority but not binding precedent like a court ruling. This summary is for informational purposes only and is not legal advice. Consult a licensed North Carolina attorney for advice on your specific situation.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official AG opinion. The original opinion (linked at the bottom of this page) is the authoritative source for any reliance.

Plain-English summary

In 1985 the North Carolina General Assembly created the Medical Database Commission. The goal was to build a statewide data system tracking patterns and costs of medical services to support better quality and more efficient care delivery. The 1985 statute (Article 11 of Chapter 131E) required confidentiality of patient information and excluded the collected data from public records access.

By 1987 the Commission realized it could not get accurate data linkages without using social security numbers. A patient with multiple encounters across multiple providers could appear as multiple distinct patients in the database without a common identifier. The General Assembly responded by enacting Chapter 592 of the 1987 Session Laws, which amended Article 11 to allow limited use of patient social security numbers while still protecting patient identity.

The amendments triggered a federal compliance question. Federal law (42 U.S.C. §§ 290dd-3 and 290ee-3) and federal regulations (42 C.F.R. Part 2) strictly limit disclosure of patient records from federally funded alcohol and drug abuse treatment programs. Because many North Carolina alcohol and drug treatment programs receive federal funding, their patient records are subject to federal confidentiality rules. Did the 1987 North Carolina amendments allowing SSN collection comply with the federal rules?

Senior Deputy Attorney General William F. O'Connell answered yes, walking through each amendment sentence-by-sentence and identifying the federal authorization for each. The written AG opinion itself was required by 42 C.F.R. § 2.53(d)(1) as a prerequisite for the Commission to receive these federally protected records.

The structural compliance framework:

42 C.F.R. § 2.18 permits disclosure of confidential information limited to what is "necessary in the light of the need or purpose of the disclosure." The General Assembly's express finding in § 131E-210(b) that SSN use is "vital to insuring the degree of accuracy of the information base" provides the necessity finding the federal regulation requires.

42 C.F.R. § 2.52(a) permits disclosure to "qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation," provided individual patients are not identified in any report by those personnel. The Commission's data-analysis function falls within this authorization.

42 C.F.R. § 2.52(b) permits the qualified personnel to communicate patient identifying information back to the originating program. The amendment to § 131E-212(b)(6) reflects this by allowing data providers to obtain SSN data they originally submitted, but not other providers' data.

42 C.F.R. § 2.11(j) defines "patient identifying information." The amendments use the term "patient identifying information" instead of the old "personal identifiers," aligning with the federal definition. A patient identifying number assigned by the program (an internal patient ID) is excluded from the federal definition; the amendments reflect that exclusion.

42 C.F.R. § 2.56 requires a court order before patient identifying information can be disclosed. The amendments to § 131E-213 include this requirement: the Commission may not disclose patient identifying information except by court order issued after a good-cause showing, with the court required to weigh the public interest against the harm to the patient.

42 C.F.R. § 2.23 says federal law does not preempt state law unless they conflict. The state's confidentiality regime is allowed to be stricter than the federal one (and in places, the North Carolina rules are stricter); it just cannot allow disclosures the federal rules prohibit.

The AG concluded that Article 11, in its post-1987 form, was "in full compliance with the Code of Federal Regulations and all pertinent federal statutes." That conclusion gave the Commission the federal-regulation green light to begin receiving SSN-tagged data from federally funded alcohol and drug treatment providers.

Currency note

This opinion was issued in 1987. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here. 42 C.F.R. Part 2 has been substantially revised multiple times, most recently in 2017-2020 reform packages aligning Part 2 more closely with HIPAA. The Medical Database Commission's authority has also been modified (the Commission was renamed, restructured, or its functions reassigned across decades, including to the Department of Health and Human Services). HIPAA (1996) and HITECH (2009) created additional federal confidentiality and breach notification rules that overlay the Part 2 framework for substance abuse providers. Modern researchers should consult the current Part 2 regulations and the current state Medical Database Commission (or successor agency) statutes.

Background and statutory framework

The Medical Database Commission was North Carolina's first comprehensive state-level health data aggregation effort. Modeled on similar programs in other states, it was meant to fill an information gap: nobody at the state level knew, with any precision, the patterns of medical service utilization, the costs, the quality variations, or the access disparities across the state. Building a database that could answer these questions required collecting data from hospitals, physicians, third-party payers, and treatment programs.

The federal-state interaction was the structural challenge. State data aggregation programs operate under state law, but they receive data from health providers many of whom are subject to federal confidentiality rules. The federal rules (especially the substance-abuse-records rules in 42 C.F.R. Part 2) were drafted before state data programs were common, and the federal regulators were concerned that lax state programs would undermine the federal confidentiality framework.

42 C.F.R. § 2.53 created a specific compliance mechanism for state program evaluation: a "qualified service organization" or qualified personnel could receive substance abuse records for evaluation purposes if certain conditions were met, including a written legal opinion (typically from the state attorney general) confirming state-law compliance with federal requirements. The 1987 North Carolina AG opinion was that legal opinion for the Medical Database Commission.

The substantive 1987 amendments addressed a specific functional problem. Without SSNs, the database could not link the same patient's records across different providers. A diabetic admitted to one hospital and then to another would appear as two separate database entries. The Commission could analyze the entries individually but could not analyze the patient's overall care path. SSN linkage solved this technical problem at the cost of introducing patient identifying information into the database. The 1987 amendments were structured to (a) allow the SSN collection, (b) keep the SSNs confidential within the Commission, and (c) prevent the SSNs from being shared with other providers (only the originating provider could see its own data linked back to its patients).

The opinion's sentence-by-sentence federal mapping is unusual and reflects the formal nature of the § 2.53(d)(1) opinion. The federal regulators wanted explicit assurance that each piece of the state law had a federal-rule counterpart. The AG complied by walking through the amendments line by line.

Common questions

Can a third party obtain identified data from the Commission with the patient's consent?

The opinion does not address consent disclosures. 42 C.F.R. Part 2 generally allows patient-consent disclosures, with strict consent-form requirements. State law's confidentiality regime under § 131E-213 is stricter in some respects than federal law. A third party seeking identified data would need to navigate both layers; in practice this is rare.

Can law enforcement get database records with a search warrant?

The opinion identifies the only disclosure mechanism for identified data: a court order issued after a good-cause showing. A search warrant is a court order, but the good-cause showing under federal Part 2 is more stringent than the probable-cause showing for a search warrant. State law incorporates the federal good-cause standard. Most law enforcement requests for substance abuse treatment records are denied without an explicit good-cause finding.

Are the published Medical Database Commission reports public records under Chapter 132?

The 1985 statute (§ 131E-212(f), among others) excluded the collected data from the public records statute except for final reports containing no patient identifiers. The published aggregated reports are public records (and indeed are the point of the database); the underlying data is confidential.

What's the difference between "patient identifying information" and "personal identifiers"?

The 1985 statute used "personal identifiers" but the 1987 amendments switched to "patient identifying information" to match the federal Part 2 terminology in § 2.11(j). Federal Part 2 defines patient identifying information narrowly to focus on data that can identify the patient as having received alcohol or drug treatment. The 1987 terminology change does not significantly change the substantive coverage but aligns the state and federal definitions.

Does the Commission's data-sharing with researchers require IRB review?

The opinion does not address Institutional Review Board oversight, which is a separate federal research-protection framework (45 C.F.R. Part 46 for federally funded research). Modern Commission (or successor) data sharing with researchers typically requires both Part 2 compliance and IRB review where applicable.

Source

Citations

  • N.C.G.S. Article 11 of Chapter 131E (Medical Database Commission)
  • N.C.G.S. § 131E-210, -211, -212, -213
  • 1987 Session Laws Chapter 592
  • N.C.G.S. Chapter 132 (public records)
  • 42 U.S.C. §§ 290dd-3, 290ee-3
  • 42 C.F.R. Part 2, §§ 2.11(j), 2.13, 2.18, 2.23, 2.52, 2.53, 2.56

Original opinion text

Requested By: James E. Long Commissioner of Insurance

Question: Is Article 11 of Chapter 131E (North Carolina Database Commission) as amended by Chapter 592, 1987 Session Laws, in accordance with the federal regulations as provided in CFR 2.52 and 2.53(c)(d)?

Conclusion: Yes.

At its 1985 Session, the North Carolina General Assembly expressly determined that there was an urgent need to understand patterns and trends in the use and cost of medical services in this State. See G.S. 131E-210. Therefore, in order to establish an information base so as to improve the appropriate and efficient usage of medical care services and to maintain an acceptable quality of such services, it enacted legislation effective July 1, 1985. That legislation (codified as Article 11 of Chapter 131E of the North Carolina General Statutes) created the Medical Database Commission as a responsible agency to receive necessary data from public and private providers and third-party payers. This 1985 legislation specifically stated that ". . . patient confidentiality shall be protected." See G.S. 131E-210(b). It also prescribed that a limited amount of nonidentifying data be required of reporting agencies, required the formulation of procedures to assure confidentiality of records, restricted the permissible use of information secured and the sharing of it with other agencies, and, with the exception of final reports containing no "patient's individual personal identifiers", excluded the data collected from application of the provisions of Chapter 132, North Carolina General Statutes, dealing with public records. See G.S. 131E-212, 213.

In its 1987 Session, after finding as a matter of fact that limited use of patients' social security numbers was necessary for insuring the accuracy of the database, the General Assembly ratified Chapter 592 of the 1987 Session Laws; this legislation, which resulted in the amendment of G.S. 131E-210(b), 212 and 213, was designed to remedy the recognized shortcomings. In view of the widespread receipt and utilization of federal funds in the treatment of alcohol and drug abuse patients, the thrust of the present inquiry is directed toward ascertaining whether the provisions of Article 11, Chapter 131E (including this year's amendments which became effective on July 10, 1987) comply with the federal regulations. Further, the obtaining of this written opinion of the Attorney General is necessary in order for the Commission to comply with the requirements of 42 CFR 2.53(d)(1).

By way of general background information relative to the Federal requirements, 42 USC 290dd-3 imposes rigid requirements relative to maintaining the confidentiality of records involved in alcoholism or alcohol abuse programs which are ". . . conducted, regulated or directly or indirectly assisted by any department or agency of the United States." Additionally, 42 USC 290ee-3 contains the same rigid requirements for patients involved in drug abuse programs. 42 USC 290dd-3(b)(2)(B) and 290ee-3(b)(2)(B), respectively, authorize the release of confidential records in the areas described above to ". . . qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation. . ." However, these two statutes prohibit the recipients thereof from identifying any patients, directly or indirectly, in any report made by these recipients.

The federal regulations implementing these provisions of the United States Code are contained in Part 2 of Subchapter A of Title 42 of the Code of Federal Regulations. These regulations, as might be expected, adhere to the same strict confidentiality standards as their progenitor statutes. Understandably, though, these regulations also contain or amplify upon the same authorizations for release, with or without patient consent, of records to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, with the proviso that individual patients shall not be identified in any report made by such personnel. See 42 CFR 2.52. However, the following significant language expresses a clear intent to mandate a sensible, realistic approach (such as that taken by the North Carolina General Assembly) to the interpretation of these federal regulations:

"General Purpose. Paragraph (a) of this section is adapted directly from subsection (b)(2)(B) of the authorizing legislation. The purpose of each is the same: To facilitate the search for truth, whether in the context of scientific investigation, administrative management, or broad issues of public policy, while at the same time safeguarding the personal privacy of the individuals who are the intended beneficiaries of the process or program under investigation. This subpart in particular, and this part as a whole, are intended to aid in carrying out that purpose." 42 CFR 2.52.1(a).

With this background in mind, the issue of compliance of Article 11, Chapter 131E, North Carolina General Statutes (in their present form) with the pertinent federal regulations and statutes will be considered. Inasmuch as the amendments to Article 11 constitute the first requirement for the divulgence of identifying information to the Database Commission, this opinion will be primarily directed toward the sufficiency of these amendments to effect compliance with the federal requirements. However, it should be noted that even prior to its amendment, Article 11 contained requirements for the observance of confidentiality — e.g. G.S. 131E-210(b), G.S. 131E-211(a), G.S. 131E-212(b)(5)(6), G.S. 131E-212(f) and G.S. 131E-213.

Perhaps the best method of analysis is to set forth the exact language of each 1987 amendment to Article 11 coupled with a citation to the appropriate federal authorization for that amendment through federal statutes and regulations, with such citations being not limited to those regulations cited in the question posed here.

G.S. 131E-210(b)

"However, the limited use of the social security numbers of patients as provided in G.S. 131E-212(b)(5) and (6) and G.S. 131E-213 is vital to insuring the degree of accuracy of the information base contemplated by this Article and to achieve the purposes of the General Assembly in enacting this Article."

AUTHORIZATION

42 CFR 2.18 merely requires that any disclosure of confidential information "shall be limited to information necessary in the light of the need or purpose of the disclosure." Implicit in the amendatory language of G.S. 131E-210(b) is a finding of fact by the General Assembly as to the vital necessity for access to this information by the Database Commission.

G.S. 131E-212(b)(2)

"In accordance with the findings of the General Assembly set forth in G.S. 131E-210(b), data provided to the Commission may include the patient's social security number but the handling and disclosure of such number will be in accordance with G.S. 131E-212(b)(5) and (6) and G.S. 131E-213."

AUTHORIZATION

42 CFR 2.18 and 42 CFR 2.52(a) clearly permit the disclosure of a patient's record to qualified personnel for the type of endeavors expected of the Database Commission.

G.S. 131E-212(b)(5)

"For purposes of this section, the social security numbers of patients shall not be considered to be patient identifying information, although further dissemination of such numbers shall be governed by the provisions of G.S. 131E-212(b)(6) and G.S. 131E-213." Further, the term "patient identifying information" was substituted for "personal identifiers" in order to conform with the terminology defined in 42 CFR 2.11(j).

AUTHORIZATION

The language of 42 CFR 2.18 and 42 CFR 2.52(a) serve as authorization for this amendment.

G.S. 131E-212(b)(6)

"In no event may a data provider obtain data regarding the social security number of a patient except in instances when that data was originally submitted by the requesting provider."

AUTHORIZATION

Notwithstanding the prohibitions on disclosure found in 42 CFR 2.18 and 42 CFR 2.52(a), the provisions of 42 CFR 2.52(b) permit the inclusion of patient identifying information in any written or oral communication between a person to whom such disclosure has been made under 42 CFR 2.52(a) and the program which originally made the disclosure.

G.S. 131E-213

"The confidentiality of patient identifying information is to be protected and the pertinent statutes, rules, and regulations of the State of North Carolina and of the Federal Government relative to patient confidentiality shall apply. For purposes of this section, patient identifying information means the name, address, social security number or similar information by which the identity of the patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information The term does not include a patient identifying number assigned by a program. In any event, the patient identifying information (as defined in this section) obtained shall not be further disclosed, and may not be used in connection with any legal, administrative, supervisory, or other action whatsoever with respect to such patient. The Commission shall hold such information in confidence, is prohibited from taking any administrative, investigative, or other action with respect to any individual patient on the basis of such information, and is prohibited from identifying, directly or indirectly, any individual patient in any report of scientific research or long-term evaluation, or otherwise disclosing patient identities in any manner. Further, patient identifying information submitted to the Commission which would directly or indirectly identify any patient may not be disclosed by the Commission either voluntarily or in response to any legal process whether federal or State unless authorized by an appropriate court of competent jurisdiction granted after application showing good cause therefor. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure."

AUTHORIZATION

The first sentence of the amendment to G.S. 131E-213 requires compliance with 42 CFR 2.23. That regulation provides that federal law does not preempt state law unless in conflict therewith. 42 CFR 2.23. It permits disclosure only as authorized by the Federal Regulations. The second sentence fulfills the requirement of 42 CFR 2.11(j) which defines the term "patient identifying information". The third sentence reflects an exemption from confidentiality requirements expressly made by 42 CFR 2.11(j) regarding patient identifying numbers assigned by programs. The fourth sentence accommodates the requirements of 42 CFR 2.13(a) and (b). The fifth sentence reflects recognition of the prohibition in 42 CFR 2.52(a) and (b)(1) which precludes disclosure or the use of the type of confidential information described in the fashion set forth in that sentence. The sixth sentence accommodates the procedures contained in 42 CFR 2.56 which prohibits divulgence of the type of information described absent an appropriate court order. Further, the sixth sentence requires compliance with 42 USC 290dd-3(b)(2)(C) and 42 USC 290ee-3(b)(2)(C), which require a showing of good cause before authorization for disclosure of confidential information will be ordered by a court of competent jurisdiction. The seventh sentence is also based upon the provisions of 42 USC 290dd-3(b)(2)(C) and 42 USC 290ee-3(b)(2)(C) which prescribe the standard to be utilized in evaluating the propriety of release of confidential information. The eighth sentence requires compliance with the mandates of 42 USC 290dd-3(b)(2)(C) and 42 USC 290ee-3(b)(2)(C) which require the imposition of appropriate safeguards against unauthorized disclosure of information released.

In summary, Article 11 of Chapter 131E in its present form is in full compliance with the Code of Federal Regulations and all pertinent federal statutes.

LACY H. THORNBURG Attorney General

William F. O'Connell Senior Deputy Attorney General