The Substance Abuse and Mental Health Services Administration (SAMHSA) released a final rule (the “Final Rule”) in January 2017 modernizing the confidentiality requirements for substance use disorder (SUD) patient records (also known as 42 CFR Part 2, or “Part 2”). The effective date of the Final Rule, initially set for February 17, 2017, was delayed by the Trump administration’s regulatory freeze of all not-yet-effective regulations, pending review. The Final Rule will now take effect March 21, 2017. Following are our Top 10 Takeaways from the Final Rule.
1. SAMHSA has clarified the definition of "Part 2 Program."
The confidentiality requirements of Part 2 apply to Part 2 Programs, which generally include SUD programs (a) conducted, licensed, or funded by a federal department or agency; or (b) that are tax exempt or receive tax deductions for contributions ((a) and (b) are collectively referred to as “Federal Support”), and (c) which hold themselves out as providing and actually do provide SUD diagnosis, treatment, or referral for treatment. SAMHSA has clarified that a Part 2 Program can be (i) an individual or entity; (ii) an identified unit within a general medical facility (e.g., hospital, trauma center, or federally qualified health center); or (iii) medical personnel or staff within a general medical facility whose primary function is SUD diagnosis, treatment or referral. In each instance, the Program must receive Federal Support and hold itself out and actually provide SUD services.
2. SAMHSA recognizes the growing list of mind-altering substances.
Previously, Part 2 applied to disclosures that “would identify a patient as an alcohol or drug abuser.” Now, Part 2 applies to SUDs, which are defined as “a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired, control, social impairment, risky use, and pharmacological tolerance and withdrawal.” The definition does not include tobacco or caffeine use. In commentary, SAMHSA provides examples such as alcohol, cannabis, hallucinogens, inhalants, opioids, sedatives, hypnotics, anxiolytics, and stimulants.
3. A "Treating Provider Relationship" may exist prospectively.
To better illustrate the consent requirements (described in numbers 4-6 below), SAMHSA defined a “treating provider relationship” to include the traditional, voluntary physician-patient relationship where an in-person visit has already occurred. However, recognizing that some SUD patients are involuntarily confined, it expanded the definition to include situations where (i) the patient is, agrees to, or is legally required to be diagnosed, evaluated, and/or treated or agrees to accept consultation for a SUD condition; and (ii) the individual or entity undertakes or agrees to undertake diagnosis, evaluation, or treatment of or consultation with the patient for any SUD condition. As a result, Part 2 obligations may arise for providers even before an initial patient encounter occurs.
4. Broad consent is permissible for disclosures of Part 2 Program information to others with Treating Provider Relationships.
A Part 2 Program must obtain patient consent to disclose Part 2 Program information to an entity with which the patient has a Treating Provider Relationship. The consent must be in writing (paper or electronic) and include:
(i) The patient’s name; (ii) The Part 2 Program permitted to make the disclosure; (iii) The amount and kind of SUD-related information to be disclosed; and (iv) The name of the individual or entity that is to receive that information.
Patients may also give broad consent for disclosure to classes of individuals or entities who may have future Treating Provider Relationships, even though their identity is not known at the time of consent. In this case, the consent must include a general description of the individual or entity, or class of individuals or entities to whom disclosure may be made. The consent must also inform the SUD patient of his or her rights to request and receive a list of individuals and entities to which their Part 2 Program information has been disclosed pursuant to a general description.
Tracking disclosures may prove to be burdensome to Part 2 Programs. Part 2 Programs are not allowed to use a broad or general consent until they have a methodology in place to track the disclosures necessary for a patient accounting.
5. Specific consent is required for Part 2 Program disclosures outside of a Treating Provider Relationship.
For a Part 2 Program to disclose SUD-related information to a third party outside of Treating Provider Relationship, the consent must contain each of the elements described in 4(i) through 4(iv) above. Each must be described with specificity and by name.
6. Disclosure without consent is permissible only in very limited circumstances.
SAMHSA outlined three circumstances in which patient consent is not required to disclose SUD-related records: (1) Bona fide medical emergencies; (2) Research; or (3) Audits.
Part 2 Programs may disclose SUD-related records to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient’s consent cannot be obtained. In a medical emergency, the Program must immediately document, in writing: (i) the name of the recipient and their affiliation with a health care facility; (ii) the name of the disclosing party; (iii) the date and time of the disclosure; and (iv) the nature of the emergency. SAMHSA clarified that legal incapacity to consent may qualify in an involuntary commitment situation; however, if the patient refuses to consent and has legal capacity to do so, the situation cannot be deemed one in which consent cannot be obtained. SAMHSA plans to release additional guidance regarding medical emergencies that would be valid grounds to release SUD-related records.
Part 2 Programs may also disclose SUD information for the purpose of conducting scientific research if person with responsibility for disclosure determines that (i) the recipient is a covered entity or business associate under HIPAA and has obtained appropriate authorization or waiver from the patient; (ii) the recipient is subject to the human subjects protection Common Rule (45 CFR Part 46) and has obtained the patient’s informed consent or an appropriate waiver or exemption; or (iii) both HIPAA and Common Rule compliance is met, when applicable. Researchers must not re-disclose patient information, may include data in research reports only in a non-identifiable aggregate form, must follow Part 2 storage requirements including destruction of SUD-data, and must retain the patient records in accordance with all applicable laws.
Finally, Part 2 Programs may disclose SUD information without patients’ consent for audit or evaluation purposes. The Part 2 Program must determine that the recipient is qualified to audit the Program. Permitted auditors may include entities reviewing Part 2 Programs on behalf of Medicare, Medicaid, CHIP, or federally regulated accountable care organizations. The regulations regarding audit disclosures without consent are extremely complex. Part 2 Programs are encouraged to review the regulations carefully and consult with legal counsel.
7. Part 2 Programs must have policies and procedures to prevent unauthorized users and disclosures of Program information.
The Final Rule requires Part 2 Programs and lawful holders of Part 2 Program information to have formal policies and procedures in place to protect against unauthorized uses and reasonably anticipated threats or hazards to patients’ identifying information. The policies and procedures must address (i) transferring, removing, destroying, and maintaining paper records; (ii) physical safeguards for paper records at workstations and cabinets; (iii) rendering patient identifying information in paper records non-identifiable or with a low risk of re-identification; (iv) creating, receiving, maintaining and transmitting electronic records; (v) destroying electronic medical records and sanitizing storage media; (vi) using and accessing electronic medical records; and (vii) rendering patient identifying information in electronic records non-identifiable or with a low risk of re-identification. Notably, courts, law firms, family members and private citizens are not considered “lawful holders” for disclosure purposes and thus are not required to prepare policies and procedures.
8. Part 2 may look, talk and smell like HIPAA, but it is not HIPAA.
Many commenters suggested aligning Part 2 confidentiality requirements with HIPAA, proposing that Part 2 Program information be treated like psychotherapy notes under HIPAA. SAMHSA noted its attempts at such alignment in the Final Rule, but repeatedly reminded commenters that Part 2 provides more stringent federal protections than are required under other health privacy laws. This suggests that providers risk non-compliance by relying solely on their HIPAA policies to safeguard Part 2 Program patients’ privacy.
9. Part 2 Programs must inform patients of their confidentiality rights and may not confirm or deny patient status.
When patients are admitted to Part 2 Programs or as soon as practicable thereafter, that patient must receive paper or electronic notice of their rights under Part 2 Programs. The notice must include contact information and appropriate authorities for reporting Part 2 violations. In addition, Part 2 Programs are prohibited from issuing statements such as “an identified individual is not and has never been a patient.” One commenter illustrated how such statements could give rise to third-party expeditions when the Program answers with silence. Previously, the regulations did not restrict such a disclosure.
10. Compliance is imminent.
Notice published in the Federal Register on February 17, 2017, confirms the new effective date of the Final Rule as March 21, 2017. Thus, Part 2 Programs are well-advised to review their current practices and take remedial steps to protect SUD patients’ rights where necessary.