Intensive Outpatient Treatment for Alcohol and Other Drug Abuse
Treatment Improvement Protocol (TIP) Series 8

Programs Governed by the Regulations

Any program that specializes, in whole or in part, in providing treatment, counseling and/or assessment, and referral services for patients with AOD problems must comply with the Federal confidentiality regulations (§2.12(e)). Although the Federal regulations apply only to programs that receive Federal assistance, this includes indirect forms of Federal aid such as tax-exempt status, or State or local government funding coming (in whole or in part) from the Federal government.

Coverage under the Federal regulations does not depend on how a program characterizes its services. Calling itself a "prevention program" does not insulate a program from following the confidentiality rules. It is the kind of services, not the label, that determines whether the program must comply with the Federal law.

The General Rule

The Federal confidentiality laws and regulations protect any information about a client if the client has applied for or received any AOD-related services -- including assessment, diagnosis, counseling, group counseling, treatment or referral for treatment -- from a covered program. Only clients who have "applied for or received" services from a program are protected. If a client has not yet been evaluated or counseled by a program and has not him- or herself sought help from the program, the program is free to discuss the client's drug or alcohol problems with others. But, from the time the client applies for services or the program first conducts an evaluation or begins counseling, the Federal regulations govern patient information.

The restrictions on disclosure apply to any information that would identify the patient as an AOD abuser, either directly or by implication. The general rule applies from the time the patient makes an appointment. It also applies to clients who are civilly or involuntarily committed, clients who are mandated into treatment by the criminal justice system, and former clients. The rule applies whether or not the person making an inquiry already has the information, has other ways of getting it, enjoys official status, is authorized by State law, or comes armed with a subpoena or search warrant. (For an explanation regarding the response to persons with subpoenas and search and arrest warrants, see Confidentiality: A Guide to the Federal Laws and Regulations, published in 1991 by the Legal Action Center, 153 Waverly Place, New York, NY 10014.)

Consent

Most disclosures are permissible if a patient has signed a valid consent form that has not expired or been revoked (§2.31). However, no information that is obtained from a program (even if the patient consents) may be used in a criminal investigation or prosecution of a patient unless a court order has been issued under the special circumstances set forth in §2.65 (42 U.S.C. §§290dd-3(c), ee-3(c); 42 C.F.R. §2.12(a),(d)).

A proper consent form must be in writing and must contain each of the items contained in §2.31:

• The name or general description of the program(s) making the disclosure
• The name or title of the individual or organization that will receive the disclosure
• The name of the patient
• The purpose or need for the disclosure
• How much and what kind of information will be disclosed
• A statement that the patient may revoke the consent at any time, except to the extent that the program has already acted in reliance on it
• The date, event, or condition upon which the consent expires if not previously revoked
• The signature of the client (and, in some states, his or her parent)
• The date on which the consent is signed (§2.31(a)).

A general medical release form, or any consent form that does not contain all of the elements listed above, is not acceptable. (See Exhibit 7-1.)

Seeking Information from Collateral and Referral Sources

Making inquiries of employers, criminal justice agencies, schools, parents, doctors and other health care entities might seem at first glance to pose no risk to a patient's right to confidentiality, particularly if the person or entity approached for information referred the patient to treatment. But it does.

When a program that screens, assesses, or treats a patient asks an employer, doctor, school, or parent to verify information it has obtained from the patient, it is making a patient-identifying disclosure that the patient has sought its services. In other words, when program staff seek information from other sources, they are letting the sources know that the patient has asked for AOD services. The Federal regulations generally prohibit this kind of disclosure unless the patient consents.

How then is a program to proceed? The easiest way is to get the client's consent to contact the employer, school, health care facility, and so forth.

As noted above, when filling out the consent form, thought should be given to the "purpose of the disclosure" and "how much and what kind of information will be disclosed." For example, if a program is assessing a client for treatment and seeks records from a mental health provider, the purpose of the disclosure would be "to obtain mental health treatment records to complete the assessment." The "kind of information disclosed" would then be limited to a statement that "Katherine Sampson (the patient) is being assessed by the XYZ Program." No other information about Katherine Sampson would be released to the mental health provider.

If the program seeks not only records, but seeks to discuss with the mental health provider the treatment it provided the patient, the purpose of the disclosure would be "to discuss mental health treatment provided to Katherine Sampson by the mental health program." If the program merely seeks information, the kind of information disclosed would, as in the example above, be limited to a statement that "Katherine Sampson is being assessed by the XYZ Program." However, if the program needs to disclose information it gained in its assessment of Katherine Sampson to the mental health provider in order to further the discussion, the kind of information disclosed would be "assessment information about Katherine Sampson."

A program that routinely seeks collateral information from many sources could consider asking the patient to sign a consent form that permits it to make a disclosure for purposes of seeking information from collateral sources to any one of a number of entities or persons listed on the consent form. Note that this combination form must still include "the name or title of the individual or the name of the organization" for each collateral source the program may contact.

It is important to keep in mind that even when information is disclosed over the telephone, the person disclosing it is still required to notify the recipient of the information of the prohibition on redisclosure. Mention should be made of this restriction during the conversation. For example, program staff could say, "I'll be sending you a written statement that the information I gave you about Ms. Sampson cannot be redisclosed."

Communications Among Agencies

IOT programs often need to be able to communicate on an ongoing basis with the referral source or with other agencies offering services to clients, such as mental health agencies or child welfare officials.

Again, the best way to proceed is to get the patient's consent. Care should be taken in wording the consent form to permit the kinds of communications necessary. For example, if the program needs ongoing communications with a mental health provider, the "purpose of the disclosure" would be "coordination of care for Sharon Dove" and "how much and what kind of information will be disclosed" might be "treatment status, treatment issues, and progress in treatment." If the program is treating a patient who is on probation at work and whose continued employment is contingent on treatment, the "purpose of disclosure" might be "to assist the patient to comply with employer's mandates" or to "supply periodic reports about treatment" and "how much and what kind of information will be disclosed" might be "progress in treatment." Note that the kinds of information that will be disclosed in the two examples are quite different. The program might well share detailed clinical information about a client with a mental health provider if that would assist in coordinating care. Disclosure to an employer would most likely be limited to a brief statement about the patient's progress in treatment. Disclosure of clinical information to an employer would, in most circumstances, be inappropriate.

When a client enters treatment voluntarily and not as a result of a referral from an employer, program staff should maintain an open mind about whether communications with an employer would be beneficial to the client. A client who tells program staff that his or her employers will not be sympathetic about the decision to enter treatment may well have an accurate picture of the employer's attitude. Insistence by program staff on communicating with the employer may cost a client his or her job. If such communication takes place without the client's consent, the program may find itself facing an unpleasant lawsuit.

The program should also give considerable thought to the expiration date or event the consent form should contain. For coordinating care with a mental health provider, it might be appropriate to have the consent form expire when treatment by either party ends. A consent form permitting disclosures to an employer might expire when the patient's probationary period at work ends.

Disclosure Rules Regarding Mandated Services

There are special rules about disclosing AOD information about patients mandated into treatment by the criminal justice system. Programs assessing and treating clients who are required to participate as part of a criminal justice sanction must follow the confidentiality rules. However, some special rules apply when a patient is in treatment as an official condition of probation, sentence, dismissal of charges, release from detention, or other disposition of any criminal proceeding, and information is being disclosed to the mandating agency.

A consent form (or court order) is still required before any disclosure can be made about an offender who is mandated into assessment or treatment. However, the rules concerning the length of time that a consent remains valid are different. Also, a "criminal justice system consent" cannot be revoked before its expiration event or date.

Specifically, the regulations require that the following factors be considered in determining how long a criminal justice system consent will remain in effect:

• The anticipated duration of treatment
• The type of criminal proceeding in which the offender is involved
• The need for treatment information in dealing with the proceeding
• When the final disposition will occur, and
• Anything else the patient, program or criminal justice agency believes is relevant.

These rules allow programs to continue to use a traditional expiration condition for a consent form that was formerly the only one allowed -- "when there is a substantial change in the patient's criminal justice system status." This formulation appears to work well. A substantial change in status occurs whenever the patient moves from one phase of the criminal justice system to the next. For example, if a patient is on probation or parole, there would be a change in criminal justice status when the probation or parole ends, either by successful completion or revocation. Thus, the program could provide an assessment or periodic reports to the probation or parole officer monitoring the client, and could even testify at a revocation hearing if it so desired, since no change in criminal justice status would occur until after that hearing.

As for the revocability of the consent (the rules under which the offender can take back his or her consent), the regulations provide that the consent form can state that consent cannot be revoked until a certain specified date or condition occurs. The regulations permit the criminal justice system consent form to be irrevocable so that a patient who has agreed to enter treatment in lieu of prosecution or punishment cannot then prevent the court, probation department, or other agency from monitoring his or her progress. Note that although a criminal justice system consent may be made irrevocable for a specified period of time, its irrevocability must end no later than the final disposition of the criminal proceeding. Thereafter, the patient may freely revoke consent.

Several other considerations relating to criminal justice system referrals are important. First, any information that an eligible criminal justice agency receives from a treatment program can be used by that justice agency only in connection with its official duties with respect to that particular criminal proceeding. The information may not be used in other proceedings, for other purposes, or with respect to other individuals (§2.34(d)).

Second, whenever possible, it is best to have the judge or referring agency require that a proper criminal justice system consent form be signed by the patient before he or she is referred to the treatment program. If that is not possible, the treatment program should have the client sign a criminal justice system consent form at his or her first appointment. With a proper criminal justice consent form signed, the AOD program can communicate with the referring criminal justice agency even if the patient appears for assessment or treatment only once. This avoids the unfortunate problems that can arise if a patient mandated into assessment or treatment does not sign a proper consent form and leaves before the assessment or treatment has been completed. Exhibit 7-3 is a consent form for the release of confidential information for a criminal justice referral.

If a program fails to have the patient sign a criminal justice system form and the client fails to complete the assessment process or treatment, the program has few options when faced with a request for information from the referring criminal justice agency. The program could attempt to locate the patient and ask him or her to sign a consent form, but that, of course, is unlikely to happen. And there is some question whether a court can issue an order to authorize the program to release information about a referral who has left the program in this type of case. This is because the regulations allow a court to order disclosure of treatment information for the purpose of investigating or prosecuting a patient for a crime only where the crime was "extremely serious," and a parole or probation violation generally will not meet that criterion.

Therefore, unless a consent form is obtained by the judge or criminal justice agency or by the treatment program at the very beginning of the assessment or treatment process, the program may end up in a position where it is prevented from providing any information to the criminal justice agency that referred the patient.

If a patient referred by a criminal justice agency never applies for or receives services from the program, that fact may be communicated to the referring agency without patient consent (§2.13(c)(2)). But once a client even makes an appointment to visit the program, consent or a court order is needed for any disclosures.

Disclosure to Parents About Minors

Although this TIP primarily addresses the treatment of adults in IOT programs, it is nonetheless useful to be aware of the confidentiality regulations that relate to minors. As has been noted above, programs may not communicate with the parents of a minor patient unless they get the minor's written consent.

In getting the minor's consent, the program should discuss with the minor whether the minor and the program want to be able to confer with the minor's mother and/or father a single time or periodically. This decision will affect how the program fills out the consent form.

If the counselor and/or the minor decide that the counselor should confer with the minor's mother or father only once, "the purpose of the disclosure" would be "to obtain information from Mary's parents in order to assist in the screening (or assessment) process" and "how much and what kind of information will be disclosed" would be "Mary's application for services." The expiration date should the date the counselor thinks screening or assessment will be completed.

If the program and Mary decide they want the program's counselor to freely speak with Mary's parents over a longer period of time, the program would fill out the consent form differently. The purpose of the disclosure would be "to provide periodic reports to Mary's parents" and the kind of information to be disclosed would be "Mary's progress in treatment." The expiration on this kind of open-ended consent form might be set at the date the program and Mary foresee her counseling ending or even "when Mary's participation in the program ends" (although Mary can revoke the consent at any time).

What if Mary refuses to consent? Since the Federal regulations prohibit disclosures without Mary's consent, the program cannot confer with her parents. Indeed, even if it had regular meetings with them, it must refuse to communicate any further information, including whether Mary is attending the program.

One special situation deserves mention. The Federal regulations contain an exception permitting a program director to communicate with a minor's parents in one limited circumstance: If a minor applies for services in a State where parental consent is required to provide services, but the minor refuses to consent to the program's notifying her parents, the regulations permit the program to contact a parent without consent, if two conditions are met:

• The program director believes that the minor, because of extreme youth or medical condition, does not have the capacity to decide rationally whether to consent to the notification; and
• The program director believes the disclosure is necessary to cope with a substantial threat to the life or well-being of the minor or someone else.

If these two conditions do not exist, the program must explain to the minor that while she has the right to refuse to consent to any communication with a parent, the program can provide no services without such communication and parental consent (§2.14(d)). In States where parental consent is not required for treatment, the regulations permit a program to withhold services if the minor will not authorize a disclosure that the program needs in order to obtain financial reimbursement for that minor's treatment. The regulations add a warning, however, that such action might violate a State or local law (§2.14(b)).

Section 2.14(d) applies only to applicants for services. It does not apply to minors who are already patients. Thus, programs cannot contact parents of patients without consent even if they are concerned about the behavior of their children.

Driving While Impaired

It is inevitable in an IOT program that at some point a patient will arrive at the treatment program intoxicated. If the patient is not in condition to participate appropriately in treatment or to drive home, what should the program do?

There are at least two strategies a program can use to prevent a patient impaired by AODs from driving. First, the program can offer the client a ride home or taxi fare for a ride home.

Second, the program can maintain a room where patients can "sleep it off" and urge patients who arrive at the program intoxicated to stay at the program until they are in a condition to drive. If the patient would not otherwise remain at the program for 8 to 10 hours, the program might be wise to alert the patient's family that he or she will be detained. Since the program must have written consent from the client to call the family in this kind of circumstance, it would also be wise to obtain consents from patients to permit calls to family members when the patients are detained, for whatever reasons.

What if the patient refuses either transportation home or a place to rest until the AODs wear off? What if the patient leaves the program intending to drive home? Does the program have a duty to call the police to prevent an accident? Does it risk a lawsuit if it fails to do so?

As mentioned above, this is a question of State law and can only be answered by an attorney familiar with the law in the State where the program operates. The program should consult an attorney to determine what its responsibility is in this area.

In most States, it is unlikely that the program would be liable, particularly if it had made an effort to stop the client from driving, using either the strategies outlined above or some other method. As noted above, in States that follow the Tarasoff doctrine, liability has generally been limited to those situations where a patient threatens to harm a specific person. Liability has generally not been imposed in situations where a patient poses a threat to the community in general.

Even if the program would not be liable if one of its patients leaves the program impaired and causes an accident, it may nonetheless feel an obligation to call the police if all other attempts to prevent the client from driving fail. However, caution must be exercised so that it does not unnecessarily violate the patient's confidentiality.

For example, the program can call the police and tell them that a person driving a 1991 red Ford Pinto with a license number "XYZ 123" is driving from the intersection of Maple and Third and heading toward downtown and is not in a condition to drive. The program should ask the police to respond immediately. What the program cannot do is tell the police that the patient has an AOD abuse problem. This means it cannot tell the police 1) that the patient is impaired by AODs or 2) the program's name (because that would tell the police that the client has an AOD abuse problem).

In order to get the patient's license number and a description of his or her car, it may be necessary to detain the patient for a few minutes. However, the program should avoid using force, since the patient could sue the program for battery or false imprisonment.

Discharging an Unstable Patient

Patients at IOT programs may include severely troubled individuals, some of whom may pose a threat to others, disrupt the program, or make little discernible progress. What should the staff of a program do if they believe that discharging a patient is the most appropriate disposition, but have concerns that, without ties to a program, the patient may deteriorate and pose a serious danger to others -- identifiable or not?

When a program seeks to involuntarily discharge an unstable patient, there are at least three questions that need to be answered:

• Can the program involuntarily discharge a patient -- whether the discharge is for being disruptive, for not making progress, or for nonpayment? This question can only be answered by an attorney familiar with the law of the State in which the program operates. In some States, the answer may vary depending upon the reason for discharge.
• If the program can involuntarily discharge the patient, does it have a duty do something about the patient -- ensuring that he or she gets continuing care by someone else? Again, the answer to this question lies in State law. Some States might hold a program liable for "dumping" a patient who had few resources to fend for him- or herself and suffered harm.
• Does the program have a duty to warn someone about the patient's instability and potential for harming him- or herself or another? Once again, State law governs this "duty to warn" question. However, note that in this instance, the program is no longer faced with an imminent threat of "serious danger of violence to another." The program is concerned about a patient who has the potential of deteriorating further and becoming a serious danger to another. It therefore seems unlikely that a program would be held responsible for discharging a patient who became more unstable and harmed someone unless there was good reason to believe that he or she would rapidly deteriorate and become a danger to a particular person.

For example, if there were a previous incident in which the patient harmed a particular person when he or she was discharged or left another treatment program, and the patient appears to be a continuing threat to that person, the program would be well advised to warn the person (or someone likely to apprise the person) that the patient is about to be discharged. Of course, it is best to do so without violating the Federal regulations.

Crimes on Premises or Against Personnel

When a client has committed or threatens to commit a crime on program premises or against program personnel, the regulations permit the program to report the crime to a law enforcement agency or to seek its assistance. In such a situation, without any special authorization, the program can disclose the circumstances of the incident, including the suspect's name, address, last known whereabouts, and status as a patient in the program (§2.12(c)(5)).

Communications Not Disclosing Patient-Identifying Information

The Federal regulations permit programs to disclose information about a patient if the program reveals no patient-identifying information. "Patient-identifying" information is information that identifies someone as an AOD abuser. Thus, a program may disclose information about a patient if that information does not identify the patient as an AOD abuser or verify anyone else's identification of the patient as an AOD abuser.

There are two basic ways a program may make a disclosure that does not identify a patient. The first way is obvious: a program can report aggregate data about its population (summing up information that gives an overview of the patients served in the program) or some portion of its population. Thus, for example, a program could tell the newspaper that in the last 6 months it had 43 patients, 10 female and 33 male.

The second way is trickier: A program can communicate information about a patient in a way that does not reveal the person's status as an AOD abuse patient (§ 2.12(a)(i)). For example, a program that provides services to patients with other problems or illnesses as well as AOD abuse may disclose information about a particular patient as long as the fact that the patient has an AOD abuse problem is not revealed. An even more specific example: A program that is part of a general hospital could have a counselor call the police about a threat a patient made, so long as the counselor does not disclose that the client has an AOD abuse problem or is a patient of the AOD abuse treatment program.

Programs that provide only AOD treatment services or that provide a full range of services but are identified by the general public as AOD programs cannot disclose information that identifies a patient under this exception, since letting someone know a counselor is calling from the "XYZ IOT Program" will automatically identify the patient as someone who received services from the program. However, a freestanding program can sometimes make "anonymous" disclosures, that is, disclosures that do not mention the name of the program or otherwise reveal the patient's status as an AOD abuser.

Court-Ordered Disclosures

A State or Federal court may issue an order that will permit a program to make a disclosure about a client that would otherwise be forbidden. A court may issue one of these authorizing orders, however, only after it follows certain special procedures and makes particular determinations required by the regulations. A subpoena, search warrant, or arrest warrant, even when signed by a judge, is not sufficient, standing alone, to require or even to permit a program to disclose information (§2.61). (For an explanation about how to deal with subpoenas and warrants, see Confidentiality: A Guide to the Federal Laws and Regulations, published in 1991 by the Legal Action Center, 153 Waverly Place, New York, NY 10014.)

Before a court can issue an authorizing court order, the program and any patient whose records are sought must be given notice of the application for the order and some opportunity to make an oral or written statement to the court. [However, if the information is being sought to investigate or prosecute a patient, only the program need be notified (§2.65). And if the information is sought to investigate or prosecute the program, no prior notice at all is required (§2.66).] Generally, the application and any court order must use fictitious names for any known patient, and all court proceedings in connection with the application must remain confidential unless the patient requests otherwise (§§2.64(a), (b), 2.65, 2.66).

Before issuing an authorizing order, the court must find that there is "good cause" for the disclosure. A court can find "good cause" only if it determines that the public interest and the need for disclosure outweigh any adverse effect that the disclosure will have on the patient, the doctor-patient relationship, and the effectiveness of the program's treatment services. Before it may issue an order, the court must also find that other ways of obtaining the information are not available or would be ineffective (§2.64(d)). The judge may examine the records before making a decision (§2.64(c)).

If the purpose of seeking the court order is to obtain authorization to disclose information in order to investigate or prosecute a client for a crime, the court must also find that 1) the crime involved is extremely serious, such as an act causing or threatening to cause death or serious injury; 2) the records sought are likely to contain information of significance to the investigation or prosecution; 3) there is no other practical way to obtain the information; and 4) the public interest in disclosure outweighs any actual or potential harm to the patient, the doctor-patient relationship, and the ability of the program to provide services to other patients. When law enforcement personnel seek the order, the court must also find that the program had an opportunity to be represented by independent counsel. If the program is a governmental entity, it must be represented by counsel (§2.65(d)).

There are also limits on the scope of disclosure that a court may authorize, even when it finds good cause. The disclosure must be limited to information essential to fulfill the purpose of the order, and disclosure must be restricted to those persons who need the information for that purpose. The court should also take any other steps that are necessary to protect the patient's confidentiality, including sealing court records from public scrutiny (§2.64(e)).

The court may order disclosure of "confidential communications" by a client to the program only if the disclosure a) is necessary to protect against a threat to life or of serious bodily injury, or b) is necessary to investigate or prosecute an extremely serious crime (including child abuse), or c) is in connection with a proceeding at which the patient has already presented evidence concerning confidential communications (§2.63).

Medical Emergencies

A program may make disclosures to public or private medical personnel "who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual." The regulations define "medical emergency" as a situation that poses an immediate threat to health and requires immediate medical intervention (§2.51).

The medical emergency exception permits disclosure only to medical personnel. This means that this exception can not be used as the basis for a disclosure to the police or other nonmedical personnel, including parents.

Under this exception, however, a program could notify a private physician about a suicidal patient so that medical intervention can be arranged, and the physician could, in turn, notify a patient's parents or other relatives, so long as no mention is made of the patient's AOD abuse problem.

Whenever a disclosure is made to cope with a medical emergency, the program must document in the client's records the name and affiliation of the recipient of the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency.

Qualified Service Organization Agreements

If a program routinely needs to share certain information with an outside agency that provides services to the program, it can enter into what is known as a qualified service organization agreement (QSOA).

A QSOA is a written agreement between a program and a person providing services to the program, in which that person:

• Acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the program, it is fully bound by the Federal confidentiality regulations; and
• Promises that, if necessary, it will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations (§§2.11, 2.12(c)(4)).

A QSOA should only be used when an agency or official outside of the program is providing a service to the program itself. An example is when laboratory analyses or data processing is performed for the program by an outside agency.

A QSOA is not a substitute for individual consent in other situations. Disclosures under a QSOA must be limited to information that is needed by others so that the program can function effectively. QSOAs may not be used between programs providing AOD treatment services. A sample QSOA is provided in Exhibit 7-4.

Internal Program Communications

The Federal regulations permit some information to be disclosed to individuals within the same program.

• • The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug abuse if the communications are (i) within a program or (ii) between a program and an entity that has direct administrative control over that program (§2.12(c)(3)).

This means that staff who have access to patient records because they work for or administratively direct the program -- including full- or part-time employees and unpaid volunteers -- may consult among themselves or otherwise share information if their substance abuse work so requires.

Patient Notice and Access to Records

The Federal confidentiality regulations require programs to notify patients of their right to confidentiality and to give them a written summary of the regulations' requirements. The notice and summary should be handed to patients when they begin participating in the program or soon thereafter (§2.22(a)). The regulations also contain a sample notice.

Programs have the discretion to decide when to permit clients to view or obtain copies of their records, unless State law grants the right of access to records. The Federal regulations do not require programs to obtain written consent from clients before permitting them to see their own records.

Security of Records

The Federal regulations require programs to keep written records in a secure room, a locked file cabinet, a safe or other similar container. The program should establish written procedures that regulate access to and use of clients' records. Either the program director or a single staff person should be designated to process inquiries and requests for information (§2.16).

Research, Audit, or Evaluation

The confidentiality regulations also permit programs to disclose patient-identifying information to researchers, auditors and evaluators without patient consent, providing that certain safeguards described in Sections 2.52 and 2.53 of the Federal regulations are met (§§2.52, 2.53). (For a more complete explanation of the requirements of §§2.52 and 2.53, see Confidentiality: A Guide to the Federal Laws and Regulations, published in 1991 by the Legal Action Center, 153 Waverly Place, New York, NY 10014.)