On January 18, 2017, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) released a final rule (the Final Rule) modifying the federal regulations governing the confidentiality of drug and alcohol abuse patient records set forth at 42 CFR Part 2 (Part 2 regulations). Largely following the changes that SAMHSA introduced in the 2016 Notice of Proposed Rulemaking1 (Proposed Rule), the Final Rule may have fallen short of many providers' desire for less complexity in the rules and a more practical balance between patient privacy and facilitating the provision of care.
Background. The Part 2 regulations govern providers of substance abuse treatment, diagnosis and referral for treatment (including facilities, medical personnel and specialized units within inpatient settings) that are "federally assisted" - which includes not only receiving government reimbursement but also holding a license or certification granted by a federal agency or department. The regulations, initially promulgated in 1975, significantly restrict a program's disclosure of patient-identifying information without the patient's consent. In recent years, substance abuse providers and other stakeholders have advocated for revisions to the Part 2 regulations, both to better integrate substance abuse records into the overall electronic health record framework and to support the shifting reimbursement landscape by allowing the sharing of information for care coordination and outcomes assessment. Many providers have also requested greater harmonization between the Part 2 regulations and the HIPAA requirements.2 SAMHSA largely avoided this request, relying on its statutory mandate to hold substance use disorder records to a more stringent standard. However, SAMHSA did modify the definition of "patient-identifying information" and the security standards to align more closely with HIPAA.
The following is a high-level summary of the more significant changes to the Part 2 regulations.
Effective Date. The Final Rule takes effect on February 17, 2017. While the Proposed Rule would have given entities two additional years to comply with the requirement to provide a list of disclosures made under a "general designation" consent upon request (as discussed below), the Final Rule eliminates that distinction in favor of a single effective date. SAMHSA states that valid consent forms in place prior to February 17, 2017 will continue to be valid until their stated expiration dates.
New and Expanded Definitions. The Final Rule modifies a number of the defined terms under the Part 2 regulations, several of which are addressed below.
- "Patient" is revised to refer to both current and former patients of a Part 2 program, meaning the protections of the Part 2 regulations are expressly extended to former patients.
- SAMHSA clarifies that the phrase "other similar information" used in the definition of "patient-identifying information" is intended to include any of the 18 identifiers enumerated in the HIPAA Privacy Rule as patient identifying information.
- In response to commenters' concerns about modifying the definition of a "program" to include a unit or staff member in general medical practice in certain circumstances, SAMHSA did not finalize these modifications. SAMHSA clarified instead that a practice comprised of primary care providers could be considered a "general medical facility" for purposes of the definition.
- The Final Rule introduces a new term, "other lawful holder of patient-identifying information," to refer to an entity, other than a Part 2 program, that has received Part 2-covered information as a result of a patient consent or other exception permitting disclosure. SAMHSA clarifies that the prohibition on re-disclosure (discussed below) applies to such "lawful holders." In contrast, a patient who has obtained a copy of his or her own records is not a "lawful holder" and is not subject to the re-disclosure prohibition.
- To more accurately reflect current diagnostic terminology, the Final Rule replaces the terms "drug abuse" and "alcohol abuse" with "substance use disorder," which is defined more broadly to include substances that can be associated with altered mental status that have the potential to lead to risky and/or socially prohibited behaviors.
- The list of services that may be provided by a "qualified service organization" (QSO) was revised in two instances. First, SAMHSA replaced the term "medical" services with "medical staffing" to clarify that a Part 2 program may disclose information to a medical staffing vendor (such as an on-call coverage provider) pursuant to a valid QSO agreement, but the program may not rely on a QSO agreement to disclose information to a treating physician where patient consent must be obtained. Second, "population health management" was added to the list of services a QSO may provide. This change allows a Part 2 program to share data with a health management organization without patient consent as long as the parties have entered into a valid QSO agreement. This category includes an accountable care organization, managed care organization providing care coordination, and medical homes. While many commenters advocated expanding the definition of QSO further to permit lawful holders of patient-identifying information to disclose such information to their contractors for payment and operations purposes, SAMHSA deferred resolution on this issue by issuing, concurrent with the Final Rule, a Supplemental Notice of Proposed Rulemaking (SNPRM), discussed below.
- The term "treating provider relationship" is added, relating to the modified consent requirements (discussed below). A treating provider relationship exists even when there has been no in-person encounter with a patient, but the practitioner has agreed to undertake treatment or consultation of the patient and the patient has agreed to (or is legally required to) be treated or evaluated by the practitioner or entity. Notably, an entity has a treating provider relationship with a patient if the entity "employs or privileges" one or more practitioners who treat the patient (or have agreed to treat the patient).
Patient Consent - Designating the Recipient of Information. The Part 2 regulations prohibit a program from disclosing patient identifying information unless the patient has consented in writing or a very limited exception applies. The Final Rule makes changes to the "to whom" requirement of a consent form, allowing patients to consent in certain circumstances to a "general designation" of the information recipient, where previously identifying a specific recipient was required. The modified requirements for content of the "to whom" section of a patient consent are set forth below.
- Consent for disclosure to an individual must include the individual's name, whether or not the consenting patient has a treating provider relationship with the individual.
- Consent for disclosure to an entity with which the patient has a treating provider relationship may designate the name of the entity (for example, "City Hospital").
- Consent for disclosure to an entity that is a third party payer should designate the name of the entity (e.g. Medicare).
- Consent for disclosure to an entity that is not a third party payer and that does not have a treating relationship with the patient may designate the name of the entity (e.g. ABC Regional Health Information Exchange) if at least one of the following is also listed: (1) the name of an individual participant (e.g. Dr. X [who participates in the exchange]), (2) the name of an entity participant that has a treating provider relationship with the patient (e.g. City Hospital [which participates in the exchange]) or (3) a general designation of one or a group of participants who have a treating provider relationship (for example, "my current and future treating providers").
List of Disclosures. The Final Rule implements, largely without modification, the proposed requirement that patients who have opted to use the "general designation" on their consent will have the right to request a list of disclosures made pursuant to that general designation for up to two years prior to their request. The entity disclosing information under the general designation must respond to such a request within 30 days and identify the recipient, date and brief description of each disclosure. In response to comments expressing confusion over the respective roles of the program treating the patient and the entity disclosing the information under a general designation (e.g. an information exchange or other intermediary), SAMHSA adds language in the Final Rule clarifying that the entity making the disclosure, rather than the Part 2 program, is responsible for providing the list of disclosures. This requirement is analogous to an accounting of disclosures under HIPAA, but differs in that the patient has a right to a list of disclosures that have been authorized, including those made to carry out treatment of the patient. SAMHSA states that it will issue additional guidance as to how a patient may request this list of disclosures directly from intermediaries. While many commenters have expressed concern about the technological difficulty of tracking and providing a list of disclosures, particularly in light of the effective date of the Final Rule, SAMHSA responds that the general designation is not required, and that entities may elect not to make disclosures pursuant to a general designation, thereby avoiding the need to implement this requirement.
Additional Modifications to Form of Consent. Patient consent forms that provide the general designation option in the "to whom" section must include a statement that the patient confirms his or her understanding of his or her right to request a list of disclosures under the general designation. In addition, the Final Rule confirms generally that consent may be paper or electronic, and an electronic signature is acceptable unless prohibited by other applicable law. SAMHSA has eliminated sample consent language from the regulations but states it may issue future guidance to provide examples of valid consent language.
The Notice to Patients of Federal Confidentiality Requirements. This notice is now required to include, in addition to the statement that a violation of the Part 2 regulations may be reported to appropriate authorities, contact information for such authorities. The Final Rule allows the notice to be provided in electronic or paper format, consistent with HIPAA.
Security for Electronic Records. The Final Rule requires Part 2 programs to have in place policies and procedures to prevent unauthorized uses or disclosures of patient information. The policies and procedures must address both paper and electronic records. The Final Rule also establishes specific data storage requirements for records that must be retained under law.
Re-disclosure Requirements. The Final Rule clarifies that the re-disclosure prohibition only applies to information that would identify an individual as having been diagnosed, treated, referred as having a substance use disorder (not to other information that is part of the record but does not identify the individual as having had a substance use disorder).
Additional Disclosures. The Final Rule clarifies the restrictions on additional disclosures such as medical emergencies, research and audit/evaluation. For medical emergencies, the Final Rule gives providers more discretion to determine when a "bona fide medical emergency" exists. The Final Rule also revises the research exception to permit disclosures for scientific research if certain documentation relating to protections for human research is provided. Lastly, the Final Rule permits certain audits and evaluations necessary to meet the requirements of an accountable care organization or a similar CMS-regulated organization.
Additional Guidance on Disclosures for Payment and Operations to Follow. In response to the Proposed Rule, a number of commenters sought clarification on how Part 2-covered entities and their contractors may disclose patient-identifying information for payment and healthcare operations. Rather than provide responsive guidance in the Final Rule, SAMHSA has issued the SPNRM to seek comment on (1) payment and operations disclosures that can be made to contractors and subcontractors under the consent provisions of the Part 2 regulations and (2) disclosures for Medicare, Medicaid and other federal program audits or evaluations. Specifically, SAMHSA proposes to include in the regulations a specific list of permitted purposes for which a "lawful holder" may disclose patient-identifying information received pursuant to patient consent, and to place additional conditions on such disclosures. Comments must be submitted by February 17, 2017, to be considered by SAMHSA.
Unlike trends in HIPAA enforcement, the Part 2 regulations historically have not been actively enforced. SAMHSA received a number of comments calling for more meaningful penalties for Part 2 violations. Declining to modify the penalty provisions in a meaningful way, SAMHSA responded to these commenters by re-iterating that the Department of Justice has enforcement authority over the Part 2 regulations. It is unclear whether the release of the Final Rule signals greater enforcement of these issues ahead.