On January 18, 2017, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) published a final rule revising the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, commonly known as “Part 2” (the “Final Rule”), for the first time in 29 years. The Final Rule adds flexibility and facilitates information exchange within new health care models while maintaining patient confidentiality. This alert provides an overview of the major changes and clarifications in the Final Rule, as well as practical guidance for implementing the new requirements.

Applicability to Lawful Holders of Patient Identifying Information. An entity is a lawful holder of patient identifying information if it has received such information either via a Part 2-compliant consent or through an exception to the Part 2 consent requirements. For example, treating providers, insurance companies and individuals or entities conducting research could all be lawful holders. Lawful holders must comply with Part 2’s restrictions on disclosing patient identifying information, meaning they must obtain patient consent to disclose such information unless the disclosure is subject to an exception to the consent requirement. The Final Rule clarifies, but does not significantly alter, entities’ Part 2 responsibilities, because the longstanding prohibition on re-disclosure of information from Part 2 programs already prohibited recipients of patient identifying information, such as HIEs, from re-disclosing it without obtaining patient consent.

General Designation of Treating Providers Within Non-Treating Provider Entities. Prior to its revision, Part 2 posed problems for entities that are not treating providers, such as HIEs, CCOs and ACOs, that receive patient identifying information to facilitate information exchange and care coordination. For example, a patient could consent to a disclosure to an HIE, but, if a new provider joined the HIE after the patient signed the consent, Part 2 required the new provider to obtain consent to receive the patient’s information if the patient sought treatment from that provider. The Final Rule requires a patient, when consenting to disclosure to an HIE, to further designate treating providers in the HIE that can also receive the information. Of practical importance, the patient’s designation can be very general, such as to “all current and future treating providers.” The Final Rule resolves a practical issue for entities trying to improve information sharing by introducing additional flexibility with respect to the entities that may receive patient identifying information pursuant to a general designation.

List of Disclosures. With the revised consent and disclosure standard comes a related requirement. If a patient uses a general designation to consent to a disclosure to a non-treating provider entity, the recipient entity must, upon request, provide the patient with a List of Disclosures detailing to whom the entity has disclosed the patient’s information. The requirement applies to intermediaries such as HIEs, ACOs and CCOs, and SAMHSA has noted that “the general designation on a consent form may not be used until entities have the ability to comply with the List of Disclosures provision.” The disclosures are limited to those that occurred within two years of the request.

Disclosures for Research. The Final Rule now allows not only Part 2 programs, but also other lawful holders of patient identifying information, such as HIEs, CCOs and ACOs, to disclose such information to qualified personnel conducting research, under certain circumstances, without patient consent. To be eligible to receive information, a researcher must be a HIPAA covered entity or a business associate with an appropriate authorization or waiver, or an entity subject to the HHS Common Rule, again with an appropriate waiver or authorization. The Final Rule now allows researchers to link data sets from both federal and non-federal repositories, subject to certain conditions. The revisions should improve research capabilities by enhancing researcher access to substance use disorder data.

Prohibition on Re-Disclosure. The Final Rule clarifies that the prohibition on re-disclosure applies only to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment of a substance use disorder. This clarification means that the re-disclosure prohibition does not apply to health information pertaining to an unrelated health condition. The clarification is designed to minimize decisions by Part 2 programs to protect the entire patient record.

Practical Implications and Implementation Guidance

The Final Rule is effective February 17, 2017. Part 2 programs and other lawful holders of patient identifying information must comply with the Final Rule’s new requirements, including, but not limited to, the following:

  • When a patient consents to disclosure to a non-treating provider entity, the patient must further designate, for disclosure purposes, treating provider individuals or entities within the non-treating provider entity; consent forms must allow patients to make such designations.
  • A non-treating provider entity that discloses patient identifying information pursuant to a patient consent with a general designation must be able to provide, upon patient request, a List of Disclosures within 30 days of its receipt of the written request.
  • Consent forms must now identify a specific contact and provide contact information for reporting Part 2 violations.
  • Lawful holders of patient identifying information must have formal written policies and procedures to protect against unauthorized uses and disclosures of patient identifying information, and to protect its security.

In order to comply with these new requirements, Part 2 programs and lawful holders must take the following actions:

  • Revise consent forms to permit patients to designate individuals and entities within a non-treating provider entity to whom the patient is consenting to disclosure and to identify a contact, with contact information, for reporting Part 2 violations.
  • Develop a template List of Disclosures for tracking disclosures that must be provided pursuant to a patient request. The template must include the name of the entities to which disclosure was made, the date of disclosure, and a brief description of the patient identifying information disclosed.
  • Draft or augment formal written security policies and procedures to reflect the Part 2 security measures.
  • Implement security measures that comply with the Part 2 requirements.

Finally, at the same time it issued the new rule, SAMHSA issued a Supplemental Notice of Proposed Rulemaking (“SNPRM”), to address the scope of permissible disclosures. The comment period for the SNPRM ends on February 17, 2017.