When Pennsylvania’s Congressman Tim Murphy resigned in October after the married father of two sent text messages urging his girlfriend to obtain an abortion, little was said about the effect his departure might have on the confidentiality of SUD information. In July, Congressman Murphy had introduced the Overdose Prevention and Patient Safety Act, or H.R. 3545. Among other things, the law would have rewritten the Drug Abuse Prevention, Treatment, and Rehabilitation Act (DAPTRA) to allow the sharing of patients’ SUD information without patients’ consent for purposes of “treatment, payment, or healthcare operations.”

While federal law currently requires a patient’s written consent to exchange SUD records except in very limited circumstances, the legislation would allow such records to be shared among healthcare professionals, plans and entities under the same circumstances as other types of medical records. State privacy laws would not be preempted, so it would be up to each state to decide whether SUD records could be shared in the same way as other medical records or tighter controls should remain.

The Origins of SUD Confidentiality

DAPTRA was enacted in 1972—a time when there was a surge in the use of illegal drugs, as well as in the number of clinics to treat patients with addiction. The stigma against those with SUDs was strong, leaving advocates concerned that failing to protect medical records related to SUD care could lead to discrimination and even criminal charges against SUD patients.

Reflecting those concerns, DAPTRA prohibited anyone from disclosing SUD records for any reason, subject to certain exceptions—primarily, the written consent of the patient. Other exceptions allow such information to be shared to provide care during a medical emergency; to support those conducting an SUD program audit or scientific research; to assist a state agency, if relevant to a suspected incident of child abuse; or, if a court has ordered it, to avert a substantial risk of death or serious bodily harm.

At the time DAPTRA was enacted, its prohibition against sharing SUD records fit relatively well with the treatment model. It was believed that only specialized SUD providers should be responsible for SUD care, so there was no need to share patients’ SUD information with other healthcare professionals. In 2018, however, the trend has moved toward physical and behavioral health professionals working together to coordinate a patient’s care.

A Strange Status Quo

Today, some providers find it difficult to comply with DAPTRA and the regulations promulgated under the law, 42 C.F.R. Part 2, viewing the consent requirements as administratively unworkable. Others accept the strict consent requirements but find that they prevent information sharing.

Advocates of health information exchange believe that consent should be a one-time process. If a patient consents to the sharing of his or her SUD information, then the organizations and individuals who are engaged in that patient’s care should never have to obtain that consent again. But the regulations in 42 C.F.R. Part 2 were not structured with such a model in mind. For example, the regulations require the consent form to include the name of the recipient of the patient’s information.

In its revision to the regulations earlier this year, the Substance Abuse and Mental Health Services Administration (SAMHSA) modified this requirement to allow a “general designation” of information recipients who have a “treating provider relationship” with the patient, but that exception only applies to entities such as health information exchanges. Moreover, SAMHSA has suggested that care managers do not meet that standard for “treating provider relationship.” Therefore, most consent forms must continue to name the recipients of all SUD information to comply with 42 C.F.R. Part 2.

This requirement, although seemingly minor, substantially impacts the exchange of SUD information. For example, it effectively prohibits any sharing of SUD information on a population level.

To privacy advocates, this may be an acceptable sacrifice to protect SUD information. But privacy advocates have reasons to be unhappy as well. There is no agency that enforces violations of DAPTRA and 42 C.F.R. Part 2. SAMHSA may establish some SUD privacy rules, but it does not have a mechanism for enforcing those rules. Technically, the Department of Justice (DOJ) may bring cases against those who violate SUD confidentiality regulations. But the DOJ has never brought actions to enforce the Part 2 consent form requirements or anything but the most flagrant violations of the SUD laws and regulations. In practice, the federal government does not rigorously enforce the SUD confidentiality law and regulations. While many states incorporate the federal requirements into their own SUD confidentiality law and regulations, the extent to which states seek to enforce those laws varies.

In addition, the SUD law and regulations do little to protect patients against perhaps the greatest threat to SUD confidentiality: hacking. Predating the personal computer, DAPTRA and 42 C.F.R. Part 2 do not address the significant threat hacking poses to patient confidentiality.

Future Reform

Though its fate is unclear, Congressman Murphy’s bill does point the way forward for SUD confidentiality reform. Congress could seek to narrow the scope of DAPTRA to allow for more free exchange of SUD information. Combining additional exceptions to the consent requirement and directing SAMHSA to adopt more lenient consent form rules could go a long way in helping promote the appropriate exchange of SUD information. In return, the legislation could establish a mechanism to enforce these requirements at a federal level.

For now, federal law and regulations continue to prevent the sharing of SUD information. At the same time, these rules largely go unenforced. As the nation confronts the opioid epidemic, reform of the SUD laws and regulations is critical.