The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued a final rule (Rule) updating the Confidentiality of Substance Use Disorder Records, 42 CFR part 2 (Part 2), to expand the circumstances under which federally-assisted substance use disorder (SUD) treatment providers may use and disclose to their third party contractors individually-identifiable information of patients who are receiving SUD treatment (SUD Information).[i] Published in the Federal Register on January 3, 2018, the Rule becomes effective on February 2, with the exception of the contracting requirements of new Section 2.33(c), compliance with which is required on or before February 2, 2020.[ii]
About a year ago, SAMHSA issued a final rule substantially revising Part 2 in order to ensure that patients suffering from a SUD “have the ability to participate in, and benefit from health system delivery improvements, including from new integrated health care models.”[iii] Simultaneously, SAMHSA sought to ensure that Part 2 programs and other recipients of SUD Information would continue to maintain the confidentiality of that information in order to protect such patients from discrimination or other legal consequences if their information is improperly used or disclosed.[iv]
The Rule responds to a supplemental notice of proposed rulemaking (SNPRM), also issued on January 18, 2017, that sought public comment on the following issues:
- the types of payment and health care operations-related disclosures Part 2 programs or “other lawful holders” (persons or entities who received SUD Information from a Part 2 program) of SUD Information should be permitted to make to their contractors, subcontractors, and legal representatives (collectively, Subcontractors);
- whether and under what circumstances a short-form version of the notice of prohibition on re-disclosure of SUD Information described at 42 CFR § 2.32 may be used; and
- whether and to what extent Part 2 programs and other lawful holders (collectively, Lawful Holders) of SUD Information may share that information with Subcontractors for audit and evaluation purposes.[v]
Alternative Notice of Prohibition on Re-disclosure of SUD Information
42 CFR § 2.32 requires each disclosure of SUD Information that is made with the patient’s written consent to be accompanied by a four-sentence statement informing the recipient of restrictions on further disclosure of the information. Through the Rule, SAMHSA has adopted an 80-character long, abbreviated notice of the prohibition on re-disclosure as an alternative to the more lengthy notice included at 42 CFR § 2.32.[vi] The short notice simply states, “42 CFR part 2 prohibits unauthorized disclosure of these records.”[vii] This shorter notice is intended to make it easier for Lawful Holders who use electronic health record systems that impose character limits in free-text fields to issue and receive the re-disclosure notice. However, the Rule clarifies that the shorter re-disclosure notice may be used any time Part 2 requires a re-disclosure notice, whether such notice is provided in paper or electronic format. Acknowledging commenters’ concern that the shorter notice would not protect against unauthorized disclosures of SUD Information because it likely will not convey an understanding of Part 2 requirements, SAMHSA responded by noting that it “encourages” Lawful Holders who use the abbreviated notice to discuss Part 2 requirements with persons or entities to which SUD Information will be disclosed before making disclosures accompanied by the abbreviated notice.[viii] This recommendation to assure that Subcontractors are aware of the scope of Part 2 requirements could place an additional burden on those Lawful Holders who choose to use the abbreviated notice, and some Lawful Holders who do not use electronic health records systems may determine that continuing to use the lengthier notice will prevent misunderstandings that might arise with the shorter notice.
Disclosure of Minimum Necessary Amount of SUD Information to Subcontractors for Payment and Health Care Operations
Perhaps the most controversial of the changes implemented by the Rule is its expansion of the disclosures that may be made by Lawful Holders to Subcontractors. The 2017 final rule revised the requirements for a valid patient consent, providing that a patient consent to disclose his SUD Information to an entity with whom he does not have a treating provider relationship is not valid unless the patient specifies in the consent form an individual within that entity to receive the information.[ix] Each consent form also must describe the purpose of the disclosure.[x]
In contrast, the Rule does not require Subcontractors to be named in patient consent forms. Instead, the Rule appears to exponentially expand the number of persons or entities who may receive SUD information about a patient, so long as (1) the patient has signed a written consent for disclosure for payment and/or health care operations activities, and (2) the recipient of the information who intends to further disclose it is a Lawful Holder. 42 CFR § 2.33(b) now permits Lawful Holders to disclose SUD Information to Subcontractors to enable them to perform payment and health care operations functions for the Lawful Holders, without requiring patients to consent to individually-identified Subcontractors for such disclosures.[xi]
Critics of this new provision have noted that it permits Lawful Holders “greater latitude in sharing information with entities than would be afforded to patients.” SAMHSA acknowledged this concern but appeared to agree with other commenters that it is unreasonable to expect all Lawful Holders, such as third-party payers, to be able to carry out certain payment and health care operations functions without the expertise of Subcontractors, and that it would be infeasible for Lawful Holders to specify each Subcontractor on a Part 2 consent form or obtain consent to changes in Subcontractor entities from all patients who signed such forms.[xii] However, the Rule does not address how Lawful Holders are to respond if some, but not all, patients consent to disclosure of their SUD Information for payment or health care operations purposes. Presumably, Lawful Holders will have to devise a way to assure that they are disclosing only information of consenting patients to Subcontractors.
SAMHSA also declined to extend the provisions of 42 CFR § 2.33(b) to Qualified Service Organizations (QSOs).[xiii] QSOs are exempt from Part 2’s restrictions on disclosure of SUD Information. Instead, they contract with Part 2 programs to provide services such as bill collecting, laboratory analyses, legal or accounting functions, or population health management, and QSOs agree in those contracts to be bound by the requirements of Part 2.[xiv] SAMHSA’s stated reason why QSOs should not be treated as Subcontractors was that patients do not have the opportunity to consent to have their SUD Information disclosed to QSOs.[xv] This may be a distinction without a difference, since Subcontractors appear to provide similar services as QSOs and, pursuant to a new Section 2.33(c), Subcontractors also must contractually agree with their Lawful Holders to safeguard SUD Information.
Contract Required with Subcontractors
As referenced above, 42 CFR § 2.33(c) now permits Lawful Holders to share SUD Information with Subcontractors if the parties have a written contract in place. This contract must state that the Subcontractor is fully bound by the provisions of Part 2, require the Subcontractor to implement appropriate safeguards to prevent unauthorized uses and disclosures, and require the Subcontractor to report unauthorized uses, disclosures, or breaches of patient-identifying information to the Lawful Holder. Subcontractors may not re-disclose SUD information to third parties unless such third parties are assisting the Subcontractor to provide the services described in the contract, and such third parties may be permitted to disclose the information back only to the Lawful Holder or Subcontractor.[xvi] Lawful Holders also must provide a notice of prohibition of re-disclosure to all Subcontractors.[xvii]
Disclosures of SUD Information to Subcontractors for Audit and Evaluation Purposes
The Rule clarifies that Lawful Holders also may disclose certain information to Subcontractors to carry out audits or evaluations in accordance with 42 CFR § 2.53.[xviii] Such audits or evaluations may be performed on behalf of federal, state, or local governments providing financial assistance to, or regulating the activities of, both Part 2 programs and other Lawful Holders, and they may involve payment, quality improvement, or program integrity functions, among others. Pursuant to this revised provision, a state Medicaid program or an accountable care organization (ACO)—or a Subcontractor assisting either of them—may receive SUD Information from a Part 2 program or other Lawful Holder to engage in such audits or evaluation activities.[xix] Entities receiving SUD Information for these purposes may only disclose the information back to the Lawful Holder from which it was obtained, and they may use the information only in carrying out the audit or evaluation purpose or as otherwise specified in Section 2.53(d).[xx]
Potential Future Rulemaking
Replying to numerous comments submitted in response to the SNPRM—including recommendations that SAMHSA further align Part 2 with HIPAA and the HITECH Act, implement additional safeguards before permitting release of SUD Information to Subcontractors for audit and evaluation purposes without patient consent, require patients to be notified on consent forms that they are consenting to have their SUD Information disclosed to both the recipient and the recipient’s Subcontractors for payment and health care operations purposes, and require Subcontractors using SUD Information for audit and evaluation activities to maintain a list of disclosures they make of such information—SAMHSA repeatedly noted that it is contemplating future rulemaking for Part 2 and will consider many of the recommendations submitted at that time.[xxi]
SAMSHA further noted that as required by the 21st Century Cures Act, the Secretary of Health and Human Services will convene stakeholders before March 21, 2018 to discuss the impact of Part 2 on patient care, health outcomes, and patient privacy, and it implied that such discussions may include some of the recommendations submitted by commenters.[xxii] Discussions from the meeting will be used to inform future rulemaking on Part 2.
SAMHSA is trying to perform a difficult balancing act. It remains to be seen whether SAMHSA can, through this and future rulemaking, achieve the right balance between making SUD Information available to those who need it for legitimate purposes to enable individuals who seek treatment for SUDs to participate in and benefit from ACOs, health information exchanges, and other innovative care models, while safeguarding that information from improper uses and disclosures that may result in reputational harm or adverse legal consequences to patients.
In the meantime, Part 2 programs should update their patient consent forms to address the release of SUD Information for payment and health care operations purposes. They also should evaluate whether to update their patient consent forms to include the abbreviated notice regarding re-disclosure and, if they do, they should consider how to assure that their Subcontractors are aware of the scope of re-disclosure restrictions. In addition, Part 2 programs, health systems, ACOs, and other integrated care models treating Part 2 patients will need to carefully evaluate their relationships with Subcontractors to determine what information may be shared with each of them, and they then must amend or enter into appropriate contracts with each applicable Subcontractor no later than February 2, 2020. Perhaps, by that time, additional guidance that resolves some of the remaining concerns cited by commenters will be available