On July 13, 2020, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule revising the Confidentiality of Substance Use Disorder Patient Records regulations located at 42 C.F.R. Part 2, commonly referred to as “Part 2.” Under Part 2, federally assisted substance use disorder (SUD) treatment programs are prohibited from disclosing patient identifying information without the individual’s written consent except in a few limited circumstances. According to SAMHSA, the “emergence of the opioid crisis, with its catastrophic impact” has underscored “the need for thoughtful updates to [Part 2].” The final rule also “takes important first steps toward the greater flexibility for information sharing envisioned by Congress in its passage of § 3221 of the [Coronavirus Aid, Relief, and Economic Security (CARES)] Act,” discussed in more detail below.
The Part 2 regulations were originally promulgated in 1975 to ensure the confidentiality of SUD treatment records, prior to the enactment of broader health privacy laws and regulations, such as the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Part 2 restrictions are generally more stringent than the HIPAA restrictions, since HIPAA allows the disclosure of protected health information for certain purposes without an individual’s authorization. SAMHSA’s final rule revises the Part 2 regulations in an effort to more closely align the privacy requirements of Part 2 and HIPAA, as well as to better address the needs of individuals with SUD and facilitate coordinated care.
The final rule does not change Part 2’s general framework for protecting the confidentiality of SUD patient records. Disclosure of SUD treatment records is still prohibited without patient consent, except in a few limited circumstances (e.g., medical emergencies). In addition, law enforcement officials are still prohibited from using SUD patient records in a criminal prosecution brought against the patient, unless they obtain a court order.
The final rule does revise certain aspects of the Part 2 regulations:
- Applicability: The final rule clarifies applicability to certain non-Part 2 providers (e., providers of treatments that are not regulated as programs under Part 2). Pursuant to the final rule, records created by a non-Part 2 provider containing information about a SUD—based on such provider’s own patient encounters—are not subject to the Part 2 restrictions, as long as the non-Part 2 provider segregates any specific SUD records received from a Part 2 program. In addition, the definition of “Records” is modified to create an exception for information conveyed orally by a Part 2 program to a non-Part 2 provider for treatment purposes with patient consent. Under the revised definition, such information does not become subject to Part 2 restrictions just because it is reduced to writing by the non-Part 2 provider.
- Consent Requirements: The final rule revises the consent requirements to permit patients to consent to the disclosure of their information to any entity (e.g., the Social Security Administration) without requiring that the consent identify a specific individual to receive the information on behalf of the entity. The final rule also includes special instructions for consents relating to disclosures to information exchanges and research institutions, as well as additional guidance for consents relating to disclosures for the purpose of case management and care coordination.
- Re-Disclosure: The final rule changes the notice language required to accompany disclosures to clarify that non-Part 2 providers are not required to redact SUD information contained in a non-Part 2 record, and to allow for re-disclosure with express written consent or as otherwise permitted by the regulations.
- Disclosure Permitted with Written Consent: The final rule expressly permits disclosures for purposes of “payment and health care operations” with the patient’s written consent, and provides an illustrative list of 18 activities that are considered payment and health care operations, such as “patient safety activities,” “activities relating to addressing fraud, waste and/or abuse,” and “care coordination and/or case management services in support of payment or health care operations.”
- Disclosure to Central Registries and PDMPs: The final rule amends the disclosure requirements to (A) allow non-opioid treatment providers to access central registries, in order to determine whether a patient is already receiving opioid treatment; and (B) allow opioid treatment providers to disclose dispensing and prescribing data, as required by applicable state laws, to prescription drug monitoring programs (PDMPs), subject to patient consent.
- Medical Emergencies: The final rule expands a “bona fide medical emergency” to include situations where normal operation of a Part 2 program is suspended, and the program is unable to obtain the required written consent due to a state of emergency declared by the state or federal authority as the result of a natural or major disaster. Disclosures without consent are permitted until the Part 2 program is able to resume operations.
- Research: The final rule amends the research exception to permit disclosures by a HIPAA covered entity or business associate, without patient consent, to individuals or organizations who are not HIPAA covered entities or subject to the Common Rule, for the purpose of conducting scientific research, provided the disclosures are made in accordance with the HIPAA requirements at 45 C.F.R. § 164.512(i).
- Audit and Evaluation: The final rule clarifies the specific situations that fall within the scope of permissible disclosures for audits and/or evaluations by federal, state, and local government agencies and third-party payers.
- Undercover Agents and Informants: The final rule amends the period of time for court-ordered placement of an undercover agent or informant in a Part 2 program from 6 months to 12 months, and clarifies that the time period begins when the agent/informant is placed in the Part 2 program.
In addition, the final rule provides guidance for Part 2 program employees, volunteers, and trainees regarding the receipt of incidental communications from SUD patients on personal devices. SAMHSA recognizes that patients may reach out to employees through personal devices or email accounts that are not used in the regular course of business. The guidance clarifies that such personal devices/accounts do not become part of the Part 2 record or subject to Part 2’s sanitization standards. Instead, the employees (or volunteers or trainees) should immediately delete the communication from their personal device/account and respond to the patient only through an authorized channel provided by the Part 2 program, unless responding from the personal device/account is in the best interest of the patient. If the communication contains patient identifying information, it should be forwarded to such authorized channel and then deleted.
Finally, SAMHSA notes that Section 3221 of the CARES Act amended several provisions of the Part 2 authorizing statute, including the requirements for consent, restrictions for the use of records in legal proceedings, and penalties for violations of the statute under sections 42 U.S.C. 290dd–2(b), (c) and (f), respectively. The amended provisions allow greater flexibility for the sharing of SUD records, but the provisions do not go into effect until March 27, 2021. Therefore, SAMHSA has stated that it intends the standards in this month’s final rule to “serve as interim and transitional standards,” until SAMHSA is able to engage in future rulemaking to implement the new changes enacted by the CARES Act.