Over the past two decades, healthcare has transitioned from primarily fee-for-service payment models to coordinated care that encourages and rewards collaboration and electronic exchange of patient information to improve health outcomes. Now, after more than thirty years, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) chose to update its regulations on confidentiality of patient records, 42 CFR Part 2 (“Part 2”), in order to facilitate the exchange of health information while addressing the privacy concerns of substance use disorder patients.1
The final rule, Confidentiality of Substance Use Disorder Patient Records (the “Rule”), was released on January 17, 2017, and went into effect on March 21, 2017. 2 In general, the Rule restricts disclosure of any information that can identify a patient as having or having had a substance abuse disorder, either directly, by reference to publicly available information, or through verification of such identification by another person.3 This article summarizes the Rule and some of the major changes for entities that may be required to comply with its requirements, such as Part 2 program participants, health information exchanges (“HIEs”), Accountable Care Organizations (“ACOs”), and third-party payers.
Part 2 Programs
Part 2 covers any information (including information on referral and intake) about patients receiving diagnosis, treatment, or referral for treatment for a substance use disorder created by a Part 2 program.4 Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment.5
Restrictions on disclosure also apply to:
• Third-party payers specifically named in a consent form;
• Entities having direct administrative control over Part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the Part 2 program; and
• Individuals or entities who receive patient records directly from a Part 2 program or other lawful holder of patient identifying information6 and who are notified of the prohibition on re-disclosure.7
Restrictions on disclosure do not apply to:
• Communications within a Part 2 program or between a Part 2 program and an entity having direct administrative control over that Part 2 program;
• Communications between a Part 2 program and a Qualified Service Organization;
• Crimes on Part 2 program premises or against Part 2 program personnel; and
• Reports of suspected child abuse and neglect.
The Rule also bars the disclosure of patient identifying information as evidence in a criminal proceeding and any other use of the information to prosecute a patient of a suspected crime.
Disclosures with Patient Consent
One of the major changes in Part 2 permits, in certain circumstances, a patient to include a general designation in the “To Whom” section of the consent form, in conjunction with requirements that the consent form include an explicit description of the amount and kind of substance use disorder treatment that may be disclosed.8 A patient who makes this designation on a consent form has the right to obtain, upon request, a complete list of entities (List of Disclosures) to which their information was disclosed pursuant to Part 2. The List of Disclosures applies to entities such as HIEs, ACOs, and other intermediaries that disclose patient information.
Disclosures Without Patient Consent
Certain disclosures may be made without patient consent (1) in the case of a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained; (2) for research purposes if a HIPAA-covered entity or business associate has obtained authorization or HHS regulations apply and the patient has given or waived consent; and (3) audits and evaluations as long as specific procedures are followed.
For audits and evaluations, any individual or entity that accesses patient records must agree in writing to limitations on disclosure and use under the Rule. Notably, one of the new provisions of the Rule is applicable to CMS-regulated ACOs who require audits and evaluations necessary to meet CMS requirements. In order to comply with the Rule, CMS-regulated ACOs must have a signed Participation Agreement or similar documentation with CMS, which provides, among other things, that the ACO: (1) agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and 42 C.F.R. Part 2; (2) ensures that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and (3) establishes policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in section 2.53 regarding disclosure of patient information.
Court Orders Authorizing Disclosure and Use
In order to disclose patient information under the Rule, a court order must be accompanied by a subpoena. An order only authorizes disclosure, but a valid subpoena compels disclosure. Furthermore, a valid subpoena alone does not compel disclosure. If a holder of patient information is subpoenaed, the person may not disclose until a court has entered an order under the Rule authorizing disclosure. This standard is more stringent than HIPAA which allows for disclosure of protected health information in response to an order, subpoena, discovery request, or other lawful purposes if a covered entity receives satisfactory assurances.9
Supplemental Notice of Proposed Rule Making (“SNPRM”)
SAMHSA also issued an SNPRM to clarify the Rule’s restrictions on lawful holders and their contractors’, subcontractors’, and legal representative’s use and disclosure of Part 2 covered data for purposes of carrying out payment, health care operations, and other healthcare related activities. SAMHSA also intends to provide examples of common pitfalls and practices as entities implement the Rule. This guidance is due to be published in the coming weeks. 9 45 C.F.R. § 164.512(e).