At long last, nearly 30 years after their last substantive revisions, the Substance Abuse and Mental Health Services Administration (SAMHSA) has issued a Final Rule amending the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, also known as 42 C.F.R. Part 2. The new Final Rule was issued in an effort to modernize its requirements and facilitate the health information exchange required for participation in new payment models, while addressing the privacy concerns of patients seeking treatment for substance use disorders. The Final Rule was scheduled to be effective February 17, 2017; however, a recent Trump administration regulatory freeze has delayed the effective date until at least March 21, 2017.
In general, 42 C.F.R. Part 2 prohibits the disclosure of substance use disorder diagnosis, referral or treatment information outside of a part 2 program unless there is patient consent. Part 2 programs include:
- Individuals and entities (other than general medical facilities) that hold themselves out as providing, and provide, substance use disorder diagnosis, treatment, or referral for treatment; or
- Identified units within general medical facilities that hold themselves out as providing, and provide, substance use disorder diagnosis, treatment, or referral for treatment; and
- Medical personnel or other staff in general medical facilities whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers;
so long as those programs are federally assisted.
Programs are considered to be federally assisted if they participate in the Medicare program, are authorized to conduct substance dependence maintenance treatment or withdrawal management, or are registered to dispense controlled substances used in the treatment of substance use disorders, among other things.
In practice, this means that part 2 programs cannot share information that would identify a patient as having a substance use disorder with physicians or other practitioners that are not part of the particular part 2 program at issue, including with primary care or other physicians who also provide treatment to the patient, or hospital departments outside the part 2 program, or entities affiliated with the part 2 program – or to an HIE that would facilitate such sharing – without first obtaining patient consent.
The Final Rule retains the general prohibition against disclosure outside the part 2 program without patient consent, but makes the following changes intended to facilitate sharing while maintaining safeguards to protect the confidentiality of sensitive health information:
- Consents. The biggest change in the Final Rule is that it permits patients to consent to the disclosure of their part 2 program information not just to an individual by name, but through a general designation, such as (a) to entire entities (such as hospitals, clinics and physician practices) with which the patient has a treating provider relationship or more generally “to my past, present and future treatment providers”; (b) to third-party payers; and (c) to HIEs and research organizations, which may then further disclose to authorized individuals and entities who have a treating provider relationship with the patient. In addition, the consent form can be drafted to terminate upon a specific event, such as “on my death”; and can authorize disclosure of “all of my substance use disorder information,” as long as more restrictive options are also made available.
- Qualified Service Organizations. The Final Rule continues to permit a part 2 program to disclose patient identifying information to Qualified Service Organizations with which the part 2 program contracts to provide certain services, including data processing, billing and collections, dosage preparation, legal, accounting or medical staffing. The Final Rule expands the definition of QSO to include an organization that provides population health management services to the part 2 program. The commentary to the Final Rule makes clear, however, that use of agreements with a QSO should not be used to avoid obtaining patient consent.
- Prohibitions on Redisclosure. Each disclosure with a patient’s written consent must include notice to the recipient that it is prohibited from further disclosing information that would identify a patient as having or having had a substance use disorder, either directly, through publicly available information or through verification of identity theft, unless such disclosure is affirmatively authorized by the patient.
- List of Disclosures. Upon written request by a patient, entities that re-disclose part 2 information pursuant to a general designation (i.e., not to a specifically named individual or entity) must, within 30 days, provide to patients who have consented to such disclosure a list of entities to which their information has been disclosed within the past two years. The list of disclosures also must include the date of the disclosure and a brief description of the patient identifying information disclosed.
- Security Policies. Part 2 programs and other lawful holders of part 2 program patient information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of the information, as well as to protect against reasonably anticipated threats or hazards to the security of the information. The policies must address both paper and electronic records, and identify how to securely create, maintain, transfer, remove and destroy such records, as well as how to de-identify patient identifying information in a manner that creates a very low risk of re-identification.
- Research. A part 2 program may disclose patient identifying information if its director, managing director or CEO determines that the recipient of the information: (a) has obtained patient authorization or waiver or alteration of waiver in a manner consistent with HIPAA’s Privacy Rule, or (b) is in compliance with human subject research requirements as issued by HHS. A researcher who requests linkages to data sets contained in a data repository must have the request approved by an appropriate IRB.
- Audit and Evaluation. Part 2 program information may be shared without patient consent for audit and evaluation purposes to any individual who agrees to comply with certain limitations on re-disclosure: (1) as required by federal, state or local government agencies or third-party payers that provide financial assistance to the part 2 program; or (2) as determined by the part 2 program to be qualified to conduct an audit or evaluation of the part 2 program. Part 2 program information also may be shared as necessary to meet the requirements of a CMS-regulated ACO or other organization provided certain conditions are met.
- Disposition by Discontinued Programs. The Final Rule includes specific requirements for the disposition of patient identifying information upon discontinuation of a part 2 program. Within one (1) year of the discontinuation, all such paper records must be sanitized to render the data non-retrievable and electronic records must be encrypted and labelled with respect to document retention requirements.
Shortly after President Trump’s inauguration on January 20, 2017, his administration issued a memorandum ordering a freeze on all new or pending regulations, to give the administration time to review them. For rules already published in the Federal Register but not yet in effect, as is the case for the Final Rule, the memorandum delays the effective dates for 60 days, with the potential for a new notice opening the regulations. As a result, the effective date of the Final Rule is delayed until at least March 21, 2017, with the potential for further changes.
If the Final Rule is implemented as published, part 2 programs will need to review their consent documents and security policies, as well as their contracts with QSOs or other organizations that now qualify as QSOs. Those organizations that disclose part 2 program information based on general designation consents will need to implement processes to enable them to comply with the List of Disclosure requirements upon request.