For the first time in nearly thirty years, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) has updated the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 C.F.R. Part 2). On January 18, 2017, SAMHSA published the Final Rule amending 42 C.F.R. Part 2. The changes were set to be effective February 17, 2017, but as discussed in greater detail below, the effective date has been delayed until no sooner than March 21, 2017.
Background and Overview
Since the rules were last amended in 1987, significant changes have occurred within the U.S. health care delivery system — development of new models of integrated care, creation of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement. With these system changes, however, have arisen previously unconsidered issues relative to information exchange, and the attendant patient privacy and security concerns. The Final Rule is aimed at modernizing the substance use disorder patient record regulatory framework by balancing patient participation and benefit from these system delivery improvements, with ensuring robust confidentiality protection of sensitive patient information.
Summary of Important Changes in Final Rule
Compliance with many of the existing provisions of 42 C.F.R. Part 2 presents numerous operational challenges for substance use disorder treatment providers. Generally, 42 C.F.R. Part 2 prohibits any disclosure of identifiable patient data reflecting substance use treatment without the express written consent from the individual. Complying with this requirement often curtails information exchange, which is critical to continuity of patient care, as well as other legitimate clinical and operational functions. The Final Rule makes a number of modifications to the outdated regulatory scheme, many of which are targeted at facilitating information exchange while maintaining appropriate patient confidentiality protections.
Notable changes in the Final Rule include:
- Applicability: In addition to applying to programs currently subject to the 42 C.F.R. Part 2 requirements and persons who receive the information from these programs, SAMHSA expanded the scope of applicability of 42 C.F.R. Part 2’s restrictions on disclosures to individuals or entities who receive patient records from “other lawful holders of patient identifying information.”
- Consent Requirements: One of the most restrictive aspects of the current law is that each entity / provider to whom patient-identifying was disclosed had to be specifically named on the consent (the “To Whom” provision). Significantly, the Final Rule allows a general designation in the “To Whom” section of the consent form in certain circumstances. A general consent may be provided to an entity without a treating provider relationship, such as a health information exchange (“HIE”), in order to permit disclosure to those participants in the HIE which do have a treating provider relationship with the patient. This change eliminates the requirement that the patient execute a new consent for each treating provider in the HIE. With respect to the “Amount and Kind” provision of the consent, the Final Rule requires the patient to “explicitly describe” the substance use disorder information to be disclosed. However, it is permissible to specify “all my substance use disorder information,” so long as more specific options are also included on the consent form.
- Disclosure Tracking: Upon request, patients who have included a general designation must be provided a list of entities to which their information has been disclosed, known as a “List of Disclosures.” The request must be in writing (paper or electronic), and is limited to disclosures within the past two years. The entity named on the consent form that discloses information pursuant to a general consent must respond within 30 days with a brief description of each disclosure.
- Security Protections: Section 2.16 has been modernized to address both paper and electronic records. Both Part 2 programs and other lawful holders of patient identifying information must have in place formal policies and procedures for the security of both paper and electronic health records. The expanded scope of this provision is consistent with the direct application of much of HIPAA to business associates. While this change is significant to the 42 C.F.R. Part 2 regulatory scheme, SAMHSA recognizes that entities already in compliance with the applicable HIPAA security requirements may not need to take any additional action.
- Prohibition on Re-Disclosure: The Final Rule makes two modifications to the content of the notice required to accompany all disclosures. First, the notice must provide that the prohibition applies only to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder. Second, it must make clear that the federal rules restrict any use of the information to criminally investigate or prosecute any patient with a substance use disorder, except as provided in sections 2.12(c)(5) (crimes on premises) and 2.65 (court orders).
- Research: The Final Rule permits patient identifying information to be disclosed by a Part 2 program or any other lawful holder of such data for the purpose of research to recipients in compliance with applicable protections for human subject research (such as the Common Rule and the HIPAA Privacy Rule). In addition, researchers may obtain data linkages to other data sets from a data repository subject to an Institutional Review Board (“IRB”) approval and other regulatory requirements.
- Qualified Service Organization: The Final Rule updates the definition of a qualified service organization (“QSO”) to include population health management in the list of examples of services a QSO may provide. In response to a large number of commenters requesting clarification of whether “population health management” should be a permitted QSO function, SAMHSA stated that permitted disclosures would be limited to the office or unit responsible for population health management in the organization (g., ACO, MCO), and not to the entire organization or its participants (e.g., case managers, hospitals, clinics). SAMHSA emphasized that the use of a QSO should not be used to avoid obtaining patient consent.
Along with the Final Rule, SAMHSA issued a supplemental notice of proposed rulemaking (“SNPRM”) to seek comment on additional clarifications. During the comment period for the Final Rule, SAMHSA received a number of questions concerning the existing restrictions on lawful holders and their contractors’ and subcontractors’ use and disclosure of data subject to 42 C.F.R. Part 2. As a result, SAMHSA is seeking further comments on a number of related proposals, including:
- Whether an abbreviated prohibition on re-disclosure notice is appropriate, and when such notice would be appropriate. For example, “Data is subject to 42 C.F.R. part 2. Use / disclose in conformance with part 2”;
- Whether it should explicitly list and limit specific types of activities for which any lawful holder of patient identifying information would be allowed to further disclose the minimal information for certain specific payment and health care operations activities. Examples include billing, utilization review, patient safety activities, and accreditation, to name only a few; and
- Whether to specify additional permitted disclosures for audit and evaluation purposes.
The SNPRM provides that comments on the proposed rule are due by February 17, 2017.
On January 20, 2017, the Trump administration issued a 60-day “regulatory freeze” on rules that have been published, but have yet to take effect. All executive department agencies were instructed to review “questions of fact, law, and policy” raised by such rules; where appropriate, they may also consider proposing for notice and comment a rule to delay the effective date beyond that 60-day period. As a result, the effective date for the Final Rule is delayed until no sooner than March 21, 2017. It remains unclear whether the comments to the SNPRM are likewise delayed.
Assuming the Final Rule is implemented, providers subject to 42 C.F.R. Part 2 need to take action. With a seemingly short amount of time to digest and implement these changes, much work needs to be done. Providers will need to revise their consent documents and prohibition on re-disclosure statements, as well as review and update their security policies and procedures. Policies regarding permitted disclosures should be revisited. And with the change to the QSO definition, now is a great time to inventory all vendors to ensure each is being appropriately categorized as a QSO, and that all appropriate contractual documentation is in place.
We will continue to monitor the effective date of the Final Rule, in addition to any other regulatory changes that might occur.