It has been four months since the changes to 42 CFR Part 2, the confidentiality regulations that apply to all substance abuse treatment records, became effective. Ensure your policies and forms have been updated.
The finalized changes to 42 CFR Part 2 by the Substance Abuse and Mental Health Services Administration (SAMHSA), an agency within the U.S. Department of Health and Human Services (HHS), took affect March 21, 2017. Part 2 originally promulgated in 1975, and the updates “promote health integration and permit appropriate research and data exchange activities,”1 while still ensuring a careful balance between the public health benefits of information exchange and the continued patient privacy protection. Note that any efforts to repeal and replace the Affordable Care Act have no effect on the importance of 42 CFR Part 2 compliance.
Who it affects: Health care entities that receive federal assistance and provide substance abuse treatment.
Purpose: “To ensure that a patient receiving treatment for a substance use disorder…is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.”2
Reasons for revisions: SAMHSA desires to ensure those with substance use disorders (SUDs) have the ability to participate in, and benefit from, health system delivery improvements while also providing appropriate and necessary privacy safeguards. This includes facilitating the exchange of information between patient and health providers and facilitating health integration within new health care models.
42 CFR Part 2 regulations continue to implement the federal drug and alcohol confidentiality law (42 U.S.C. 290dd-2), meaning SAMHSA will continue to apply it to federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment.3
The major provisions modified by the final rule, along with an explanation of the finalized revisions, are summarized below:
- Applicability (§2.12): Part 2 restrictions on disclosures now apply to individuals or entities who receive patient records from other lawful holders of patient identifying information.
- Research (§2.52): In order to allow for the much-needed research on SUDs, SAMHSA revised Part 2 to allow the release of patient identifying information to “qualified personnel”4 to conduct scientific research. Such personnel must meet certain regulatory requirements. The research provision now includes a requirement that 42 CFR Part 2 fully applies to the researcher receiving Part 2 data.
- Confidentiality Safeguards (§2.31): Previously, the patient could list the name or the title of the individual or name of the organization to which the disclosure was to be made. Revisions now make it possible for a patient to list a “general disclosure”5 in the “To Whom” section (e.g., “my treating providers”), which allows patients to benefit from integrated health care systems. SAMHSA retained the option of listing name(s) of the individual(s) to whom a disclosure may be made, as well as still allowing a limitation on generalized consent to recipients who are treating the patient (e.g., treating provider relationship with the patient).
- “To Whom” Consent Requirements (§2.31): The patient must include certain language in the “To Whom” section of the consent form in order for the general disclosure to be valid. SAMHSA also clarified in the new rule that if a patient uses a general designation listing “my treating providers” without specifying whether the designated providers are “past, current, and/or future,” it should be presumed the patient intended to only designate “current” treating providers. Further, if the program designated is part of a general medical facility, the modifications to Part 2 permit the patient to designate the entire entity so long as a list of information to be disclosed is included on the consent form. For example, a patient may provide general disclosure to an entity that does not have a treating provider relationship, such as a Health Information Exchange (HIE) in order to permit disclosure to those participants in the HIE that do have a treating provider relationship with the patient.
- “Amount and Kind” Consent Requirements (§2.31): The “Amount and Kind” of information to be disclosed and the purpose of the disclosure was revised to require more specificity. The revision requires the SUD information disclosed be explicitly described. This is so patients know exactly what they are signing, and so patients may consent only to the disclosure of subsets of information. These include “diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, elements of a medical record such as clinical notes and discharge summary, employment information, living situation and social supports, and claims/encounter data.” For example, “all of my records” is an insufficient description, while “all of my substance use disorder records” is sufficient.
- Disclosure Tracking §2.13(d): Because the final rule permits patients to include a general disclosure designation (described above), revisions require Part 2 programs to provide to patients, upon request, a list of entities to whom their information has been disclosed. The request must be in writing (paper or electronic), and is limited to disclosures within the past two years. Entity names designated on the request must respond within 30 days with a brief description of each disclosure. There is no given timeframe for compliance with this rule; however, entities must be able to provide a list of disclosures upon request in order to have the option of disclosing information outlined in the general designation on a consent form.
- Section K, Prohibition on Re-Disclosure (§2.32): SAMHSA clarifies the prohibition on re-disclosure only applies to information that would identify, either directly or indirectly, a person as having been diagnosed, treated or referred for treatment for a SUD. Essentially, when the patient consents to having information released to a particular individual, the individual receiving the information may not re-disclose it to a third party. For example, if a person receives substance use treatment from a Part 2 program, and receives treatment for another condition such as heart murmurs, the patient’s record would include information unrelated to SUD (i.e., heart murmurs). Section K does not prohibit re-disclosure of the information related to the heart murmurs so long as it does not include information that would identify the patient as having or having had a SUD.
- Definition Changes (§2.11):
- “Program” is now limited to “general medical facilities.”6 Therefore, if an entity qualifies as a program, it is subject to Part 2 rules and regulations. An identified unit within a general medical facility is subject to Part 2 if “it holds itself out as providing, and provides, substance used disorder, diagnosis, treatment, or referral for treatment.”7 Further, if the provisions of such services are identified as a primary function of medical personnel or the general staff in the general medical facilities, they are considered a “Program,” and are therefore subject to the rules and regulations in Part 2.
- “Medical Emergency” definition in §2.51 now gives providers more discretion to define the existence of a “bona fide medical emergency.”8 Patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency, in which the patient’s prior informed consent cannot be obtained.
- A “Qualified Service Organization” (QSO) now includes entities that provide population health management to a Part 2 program, meaning relevant patient information may be shared with third-party vendors supporting population health initiatives without patient consent.
- Form of Documents (§2.16): 42 CFR Part 2 now applies to both paper and electronic documentation. The provisions include formal policies and procedures addressing security, including electronic file destruction of associated media. A program subject to 42 CFR Part 2 must have established formal policies and procedures for the security of both electronic and paper records.
Generally, the text and preamble of 42 CFR Part 2 make it clear the responsibility of explaining patients’ rights falls on the treatment program. Therefore, programs should be advised to review and/or make changes to the following: consent documents, prohibition on re-disclosure statements, QSO categorization, security policies and procedures (including those regarding permitted disclosures), and general contractual documentation.