Do Your Sober Living Homes Need HIPAA Compliance? A Practical Guide for Operators

Do Sober Living Homes Need to Follow HIPAA Rules?

Most sober living homes don't have to comply with HIPAA because they only provide housing and peer support, not billable healthcare services, according to Vanderburgh House.

You can charge whatever you want for a bed, right up until the state attorney general decides you're running an unlicensed treatment center. Privacy rules work the same way. Cross the line from housing into healthcare, and suddenly you're dealing with federal compliance requirements that can shut you down.

HIPAA applies to "covered entities" including health plans, most healthcare providers that bill electronically for services, and healthcare clearinghouses. If you're just renting beds and running house meetings, you're not billing insurance companies for medical services. No billing means no HIPAA coverage requirement, Vanderburgh House notes.

But here's where operators get confused.

The federal government has another set of rules for addiction treatment called 42 CFR Part 2. Under this regulation, patients' SUD treatment records can't be used to investigate or prosecute the patient without written patient consent or a court order, according to the U.S. Department of Health and Human Services.

Most sober living homes dodge this too. Part 2 applies to federally assisted programs providing substance use disorder diagnosis, treatment, or referral for treatment, per the American Society of Addiction Medicine. Pure housing with peer support doesn't typically qualify, as Sober Living School explains. The key word is "typically."

Some homes blur these lines. Get federal funding, coordinate treatment plans, or house court-ordered residents? The rules change. Recent updates to Part 2 align it more closely with HIPAA standards but maintain stricter consent requirements for SUD information, HHS reports.

Even if federal privacy laws don't apply to your operation, you still need policies. Sober Living School notes that most sober living homes lack federal or state licensing that would trigger HIPAA coverage, but that doesn't mean you can be careless with resident information.

Smart operators create formal confidentiality policies outlining what they'll do to ensure resident information privacy, resident expectations for privacy, and consistency with any agreements for releases of information with healthcare professionals. The Fletcher Group recommends keeping resident records in locked cabinets with access restricted to designated individuals and using password-protected computers.

The practical steps matter more than the legal technicalities. Put security measures in place: locked filing cabinets for physical records, password-protected electronic systems, limited access based on job responsibilities, and regular audits of record access, according to Sober Living School.

If you coordinate with treatment providers who are covered by Part 2, establish clear communication protocols, obtain proper authorizations before exchanging information, and document all exchanges. One mistake here can expose both you and the treatment center to violations.

The safest approach? Act like the rules apply even when they don't. The line between housing and healthcare keeps moving, and you don't want to find out you crossed it after a resident's family files a complaint.

Sources

• Vanderburgh House
• U.S. Department of Health and Human Services (HHS)
• American Society of Addiction Medicine (ASAM)
• Sober Living School
• Fletcher Group