August 30, 2019
On August 26, 2019, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (“SAMHSA”) published new proposed regulations regarding confidentiality of substance use disorder records covered under 42 CFR Part 2. These are only proposed regulations at this point, but they do offer some insight into SAMHSA’s current views regarding confidentiality of covered records. If finalized, the regulations would provide additional clarity to several provisions within 42 CFR Part 2 and some limited additional flexibility for providers, but overall the proposed changes are modest and would still generally require health care providers to obtain patient consent for sharing of covered records for treatment.
In issuing the proposed regulations, SAMHSA repeatedly notes its objective of maintaining privacy rights of individuals receiving treatment for substance use disorders (“SUDs”), while helping to address the substantial increase in overdose deaths and other challenges from the opioid crisis. Among the more significant items within the proposed regulations and preamble guidance are:
- Clarifications/modifications to specifically indicate the scope of records covered under 42 CFR Part 2 would not include a note made by a non-Part 2 provider (i.e., a health care provider that is not characterized as a Part 2 Program provider under the current regulations) based on an oral discussion with a Part 2 Program. In short, a new record created by a non-Part 2 provider that mentions SUD status of a patient will not be subject to 42 CFR Part 2 merely because it references SUD treatment.
- Clarification that a non-Part 2 provider may segregate records received from a Part 2 Program in order to avoid having the full record maintained by the non-Part 2 provider fall under 42 CFR Part 2. In short, if a non-Part 2 provider receives copies of covered records from a Part 2 Program, those records should be segregated from portions of the record not covered by 42 CFR Part 2.
- Revisions to specifically allow consents for disclosure of covered records to identify an entity, rather than an individual recipient, whether the disclosure is to a treating provider, a third-party payer or others.
- Specifically including examples of activities that would be considered “payment and health care operations.” The examples are consistent with examples referenced in prior guidance from SAMHSA, but under the proposed regulations, the examples would be incorporated into the regulations. SAMHSA indicates that the examples cited are not exhaustive, and states that other types of disclosures for payment and health care operations, as described in the regulations, are also permitted even if not specifically described in an example.
- Revisions to specifically allow opioid treatment programs to enroll in state prescription drug monitoring programs and to allow providers that do not qualify as opioid treatment programs to query central registries to determine if a patient is receiving opioid treatment through a program participating in the registry.
- Provisions to specifically indicate that the current provisions allowing disclosures in medical emergencies would include disruptions to Part 2 Programs resulting from declared emergencies from natural disasters, such as hurricanes.
- Revisions to allow some disclosures of Part 2 covered records for research without patient consent, whether or not the recipient is a HIPAA covered entity or subject to the Common Rule, provided the disclosure would comply with HIPAA.
- Provisions to specifically identify certain activities that would qualify for disclosures without patient consent for “audit and evaluation.” These include activities by governmental and third-party payers to improve care and outcomes, assess needs for payment adjustments, and medical necessity/utilization reviews.
- Limited modifications proposed for the notice language that Part 2 Programs are required to include when disclosing covered SUD records.
Importantly, in the preamble to the proposed regulations, SAMHSA notes that several of the revisions proposed are intended to facilitate certain treatment and reduce the increasing prevalence of overdoses and deaths from the opioid crisis. However, SAMHSA also indicates that it has elected not to propose elimination of the typical requirement for Part 2 Programs to obtain patient consent before disclosing covered records to another health care provider outside of the Part 2 Program for treatment purposes. Of course, many such disclosures can be facilitated through participation in a health information exchange, without requiring that each individual and entity participating in the exchange be specifically identified in the patient consent for disclosure.
If finalized, the proposed regulations could be helpful to Part 2 Programs and other providers in some circumstances. However, significant variances would remain between the standards under 42 CFR Part 2 and the requirements of HIPAA, particularly relating to disclosures among health care providers for treatment. If you have any questions about the new proposed regulations, 42 CFR Part 2 or other medical record privacy and security standards, please contact Bill Hall or a member of Hancock Daniel’s HIPAA / Privacy & Security team.
The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel & Johnson, P.C., is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel & Johnson, P.C. be liable for any direct, indirect, or consequential damages resulting from the use of this material.