Last year, the Substance Abuse and Mental Health Services Administration (SAMHSA) updated the confidentiality requirements for substance use disorder (SUD) patient records (also known as 42 CFR Part 2 or “Part 2”) for the first time in decades. We summarized 10 takeaways from that final rule.
In a final rule published on January 3, 2018, SAMHSA took further steps to modernize Part 2 and to align the regulations with the way health care is delivered in the United States. Specifically, SAMHSA:
- Provided an option for an abbreviated redisclosure prohibition notice in recognition of electronic medical record (EMR) character limitations.
- Established that lawful holders of Part 2 data may disclose such data to contractors, subcontractors and legal representatives for payment and health care operations-related purposes without specific consent.
- Clarified that government entities funding Part 2 programs may have access to program information as necessary to conduct audits and evaluations without patient consent, and similarly may share Part 2 information with contractors, subcontractors and legal representatives for audit and evaluation purposes.
Abbreviated Redisclosure Notice
42 CFR § 2.32 requires disclosures made with SUD patients’ consent to include a lengthy written statement informing the recipient that the information may not be further disclosed without specific patient’s consent or as otherwise permitted by law. SAMHSA sought comments on whether an abbreviated notice should be permissible and, if so, the circumstances in which such notice might be appropriate.
After acknowledging that many EMR systems have internal codes, flags, pop-ups and other signifiers in place to protect health information under HIPAA and other privacy laws, SAMHSA discussed that an abbreviated notice may be useful primarily in EMRs with character-limited free-text fields (often 80 characters or fewer). In the final rule, however, SAMHSA declined to limit use of an abbreviated notice to EMR free-text fields. Instead, SAMHSA amended 42 CFR § 2.32 to allow lawful holders of Part 2 information to append the following redisclosure notice any time notice is required under the Part 2 regulations:
“42 CFR part 2 prohibits unauthorized disclosure of these records.”
Lawful users also may continue to use the longer redisclosure prohibition language found at 42 CFR § 2.32(a)(1).
Authorized Disclosures for Payment and Health Care Operations Purposes
42 CFR § 2.33 allows a Part 2 program to disclose SUD patient records upon obtaining the patient’s written consent to any person identified in the consent. SAMHSA proposed to permit disclosure of such information to contractors, subcontractors and legal representatives without patient consent for specifically identified payment and health care operations activities. In so doing, SAMHSA recognized the practical importance of allowing such disclosures rather than requiring Part 2 programs to list each contractor, subcontractor or legal representative on a consent form or to obtain new consents whenever a contractor is changed.
Although the final rule does not include the list of approved payment and operations activities in the regulations, SAMHSA includes in the preamble to the final rule the activities listed in Table 1 below as non-exclusive examples of payment and health care operations for which disclosure without patient consent is permissible. Importantly, unlike HIPAA, “health care operations” under Part 2 do not include care coordination and case management activities. Nor does the final rule permit Part 2 programs to disclose Part 2 information to contractors, subcontractors and legal representatives for treatment, diagnosis or referral purposes. SAMHSA emphasized the importance of patient choice in disclosing information protected by Part 2 to health care providers with whom patients have direct contact.
Part 2 programs that wish to disclose Part 2 information to contractors, subcontractors or legal representatives for payment and health care operations purposes are required to have agreements in place with such third parties. The agreements must include provisions requiring compliance with Part 2 and must make clear that the contractor, subcontractor or legal representative is fully bound by the provisions of Part 2 and that unauthorized redisclosure is prohibited. Common contract language obligating “compliance with all applicable federal and state laws” will not suffice.We recommend that Part 2 programs include language similar to the following when entering into agreements with contractors, subcontractors and legal representatives to provide payment and/or health care operations support:
“[Contractor] hereby acknowledges that it is fully bound by the provisions of 42 CFR Part 2 upon the receipt of any Part 2 program patient identifying information. 42 CFR Part 2 prohibits unauthorized disclosure of these records. [Contractor] shall implement all reasonable and appropriate safeguards to prevent unauthorized uses and disclosures of Part 2 program information and shall report any unauthorized uses, disclosures, or breaches of patient identifying information to [Lawful Holder].”
Part 2 programs should ensure that any Part 2 program information disclosed is consistent with the purposes set forth in the patient’s consent and is comprised of only the minimal information necessary to meet the payment or health care operations need. Part 2 programs must incorporate the required language into their contracts by February 2, 2020.
Disclosures for the Purpose of Audits and Evaluations
Many Part 2 programs receive financial support from federal, state or local governments. SAMHSA recognizes the need for such governmental entities to audit and evaluate the Part 2 programs for compliance with applicable laws, rules, regulations and policies. SAMHSA also recognizes the practical need for such governmental entities to hire contractors, subcontractors and legal representatives to conduct audits and evaluations on their behalf.
In the final rule, SAMHSA clarifies that federal, state and local governmental entities may receive Part 2-protected patient identifying information directly from the lawful holder when auditing or evaluating a Part 2 program. Patient consent is not required for this purpose or for further redisclosure by the governmental entity to a contractor, subcontractor or legal representative to conduct the audit or evaluation. As with any disclosures, Part 2 programs should limit the information to the minimum necessary to accomplish the task.
Throughout the final rule, SAMHSA reiterated that the 21st Century Cures Act requires the Secretary of Health and Human Services to convene relevant stakeholders prior to March 21, 2018, to evaluate the effect that 42 CFR Part 2 has on patient care, health outcomes and patient privacy. The results of these discussions may lead to additional rulemaking and revisions to the Part 2 regulations. We will continue to monitor any changes.
* * * * *
Table 1. Non-exclusive Examples of Payment and Health Care Operations