On August 26, 2019, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued two Notices of Proposed Rulemaking (“NPRM”) proposing changes to the Confidentiality of Substance Use Disorder Patient Records at Title 42 of the Code of Federal Regulations, Part 2 (“Part 2”).
Part 2 is a federal privacy law that protects substance use disorder records of patients seeking treatment, diagnosis or referral for treatment for substance use disorders (“SUDs”) from a Part 2 program. A Part 2 program is a federally assisted individual, entity or identified unit within a general medical facility that holds itself out as providing SUD diagnosis, treatment or referral for treatment, or medical personnel. It includes staff in a general medical facility whose primary function is the provision of SUD diagnosis, treatment or referral for treatment and who are identified as such providers. Part 2 requirements are far more stringent than the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements. The lack of alignment between Part 2 and HIPAA has frustrated providers in recent years, particularly given efforts to address the nation’s opioid crisis. In an effort to modernize Part 2 and address provider concerns, SAMHSA updated Part 2 through a Final Rule in 2017 as well as 2018. These frequent updates illustrate the challenges of regulating Part 2 records, and demonstrate the difficulty Part 2 programs and non-Part 2 providers alike face in complying with Part 2 while providing care for SUD patients.
The first NPRM (“NPRM 1”) consists of revisions to 11 provisions of Part 2. Per SAMHSA, the changes were prompted by the need to protect the privacy of individuals seeking and being treated for SUDs at Part 2 programs, while allowing information to be shared for purposes of caring for such individuals, particularly in light of the nation’s opioid crisis. SAMHSA noted that the changes build upon its efforts in 2017 and 2018 to align Part 2 with advancements in the health care delivery system. Comments on this proposed rule are due October 25, 2019.
The second NPRM (“NPRM 2”) aims to correct an error from the 2017 Final Rule. It addresses when a court is permitted to authorize the disclosure of confidential communications made by a patient to a Part 2 program, specifically when the disclosure is needed for the investigation or prosecution of an extremely serious crime. Comments on this proposed rule are due September 25, 2019. A summary fact sheet of NPRM 1 and NPRM 2 is available here.
Under NPRM 1, SAMHSA proposed the following changes to 11 provisions of Part 2:
- Definitions (§ 2.11) Exclusion of Certain Orally Conveyed Information from the Definition of a Part 2 “Record”
With a stated intent to better facilitate coordination of care between Part 2 programs and non-Part 2 providers, SAMHSA proposed to amend the definition of a Part 2 “record” to exclude information shared with the consent of the patient orally by a Part 2 program with a non-Part 2 provider for treatment purposes. This change would permit a Part 2 program, after obtaining consent from a patient, to verbally share information with the patient’s non-Part 2 provider. Additionally, the information received by the non-Part 2 provider orally, even when the non-Part 2 provider documents such discussion in writing, would no longer be subject to the Part 2 requirements, including presumably being exempt from Part 2’s prohibition on re-disclosure. Such information documented in the non-Part 2 provider’s record could be shared the same way as the provider’s other general medical records. Note that this exception for oral information only applies to discussions between Part 2 programs and health care providers, and would not apply to oral disclosures to other types of entities or individuals.
- Applicability (§ 2.12) Clarification for When a SUD Record is Subject to Part 2
Through changes to the “Applicability” section of Part 2, SAMHSA attempted to clarify when SUD information provided to non-Part 2 providers by Part 2 programs is and is not covered by Part 2. SAMHSA stated that when a non-Part 2 treating provider records information about a patient’s SUD and SUD treatment that was generated during the non-Part 2 provider’s own direct patient encounter, that information is not subject to Part 2. However, when a written Part 2 record is received by a non-Part 2 provider from a Part 2 program, such record remains subject to Part 2, including if it is incorporated into other non-Part 2 records.
SAMHSA recommended that non-Part 2 providers segregate Part 2 records received from Part 2 programs from the records created by a non-Part 2 provider. For paper records, segmenting can be accomplished by physically holding Part 2 records separately. For electronic records, segmenting can be achieved through an electronic health record (“EHR”) platform with Data Segmentation for Privacy (“DS4P”) architecture. SAMHSA also highlighted its participation in the development of the interoperability resource “FHIR” for Consent2Share. SAMHSA noted that separate servers are not necessary for “segregation” and it is not proposing any specific technical standards either for segregation or for EHR systems.
SAHMSA notes that segregation assists non-Part 2 programs in complying with the heightened confidentiality requirements for Part 2 records in their possession. Additionally, segregation helps ensure that non-Part 2 provider records do not become subject to Part 2 through incorporation into a Part 2 record. Records containing SUD information generated by non-Part 2 providers remain subject to HIPAA and state confidentiality laws, as applicable to the provider.
- Consent Requirements (§ 2.31) General Designations Allowed for Part 2 Records Recipients
Under the proposed changes, SAMHSA would no longer require that patient consent forms include the specific names of individual recipients to whom Part 2 records will be released. Instead, listing the name of the entity to whom the disclosure will be made would also be acceptable. For example, a patient could now list a government agency or health care entity, without needing to name a specific individual recipient. For disclosures to health information exchanges (“HIEs”) or research institutions, the consent still must include the name of the HIE or research entity as well as either the specific name of the participating provider(s) or a general designation of any provider with whom the patient has a treating provider relationship.
- Prohibition on Re-disclosure (§ 2.32) Clarification that Only the Part 2 “Record” is Prohibited from Re-Disclosure, Not SUD Information in Non-Part 2 Records
Non Part-2 providers and other lawful holders of Part 2 records who are not themselves a Part 2 program are still prohibited from redisclosing Part 2 records except as permitted by the Part 2 rules. However, if information does not identify an individual as having been diagnosed, treated or referred for treatment for a SUD by a Part 2 Program (e.g., other non-SUD health information), that information may be redisclosed without being subject to Part 2. To address concerns regarding downstream entities redacting records received from Part 2 programs, SAMHSA clarified that instead non-Part 2 providers can record such information about a SUD and its treatment in their own records without such information becoming subject to Part 2, as long as the original record received from a Part 2 program or other lawful holder is segregated or segmented.
- Disclosures Permitted with Written Consent (§ 2.33) Inclusion of Non-Exhaustive List of Health Care Operations and Payment Purposes Disclosures for Lawful Holders of Part 2 Records
SAMHSA proposed adding a non-exhaustive list identifying certain health care operations and payment purposes for which disclosure of Part 2 records is permitted by a lawful holder to its contractors, subcontractors and legal representatives. SAMHSA emphasized that the list is illustrative, adding the category of “other payment/health care operations activities not expressly prohibited” to the list. The list includes items such as clinical professional support services, training, patient safety activities, business planning, development and management. Unlike “health care operations” as defined by HIPAA, disclosures from a lawful holder to contractors, subcontractors and legal representatives for care coordination and case management purposes are not permitted as Part 2 health care operations and payment purposes. However, other mechanisms for disclosure under Part 2 may provide for such disclosures under certain circumstances.
- Disclosures to Prevent Multiple Enrollments (§ 2.34) Permission for Non-OTP Treating Providers to Query Central Registries
A central registry is an organization that maintains individually identifiable information about individuals applying for withdrawal management or maintenance treatment for the purpose of avoiding enrollment in more than one program. SAMHSA proposed allowing non-Opioid Treatment Programs (“OTPs”) who have a treating provider relationship with the patient to query a central registry of withdrawal management or maintenance treatment programs, so that they can protect patients from adverse effects when prescribing medications and prevent duplicative patient enrollment for opioid use disorder treatment.
- Disclosures to Prescription Drug Monitoring Programs (§ 2.36)
Prescription Drug Monitoring Programs (“PDMPs”) use a database to collect information on the prescription and dispensation of controlled substances, often on a state level. OTPs are not required to report the dispensation of methadone or buprenorphine to their state PDMP, resulting in some data relevant to the PDMP being excluded. SAMHSA proposed allowing OTP programs and other lawful holders of Part 2 records, who have obtained patient consent, to report data to the applicable PDMP.
- Medical Emergencies (§ 2.51) Inclusion of Natural and Major Disasters as “Bona Fide Emergencies”
Part 2 records may be shared without patient consent if there is a bona fide medical emergency. SAMHSA proposed to include major or natural disasters declared by state or federal authorities in the definition of “emergency.” This would permit Part 2 programs to disclose Part 2 records to medical personnel to enable the delivery of effective, ongoing SUD services during a disaster without the need to obtain patient consent. SAMHSA emphasized that consent should still be obtained, if possible.
- Research (§2.52) Permit Part 2 Records to be Shared for Research Purposes in Accordance with HIPAA Requirements
SAMHSA also proposed changes to Part 2’s requirements for sharing SUD records for research purposes to better align with HIPAA and the Common Rule on Research on Human Subjects. SAMHSA proposed that HIPAA covered entities be permitted to disclose Part 2 identifiable information to individuals and organizations that are neither HIPAA covered nor business associates and to entities not subject to the Common Rule for purposes of scientific research. However, such disclosure must be made in accordance with the HIPAA Privacy Rule requirements for disclosures for research purposes at 45 CFR § 164.512(i). Further, SAMHSA clarified that research disclosures to workforce members of a HIPAA covered entity are permissible for purposes of employer-sponsored research if the covered entity requires all research activities to be conducted in accordance with either the HIPAA Privacy Rule or Common Rule requirements. SAMHSA also added language permitting research disclosures to individuals covered by FDA regulations governing the protection of human subjects in clinical investigations, provided there exists proper documentation of compliance with FDA requirements and subject to authority under the Food, Drugs, and Cosmetics Act.
- Audit and Evaluation (§ 2.53) Clarification of When Identifiable Part 2 Records May Be Shared for Audits and Evaluations
SAMHSA sought to resolve ambiguity surrounding the circumstances under which specified individuals and entities may access Part 2 patient identifying information in the course of an audit or evaluation. Audit and evaluation continue to be undefined terms in the regulation; however, SAMHSA believed that audits or evaluations should not be restricted to reviews that examine individual Part 2 program performance. Therefore, SAMHSA proposed clarifying language that would confirm the permissibility of disclosure for audit and evaluation purposes without patient consent, which includes the following scenarios:
- To an agency or third-party payer entity for periodic activities to identify actions such as changing its policies or procedures to improve patient care and outcomes across part 2 programs; targeting limited resources more effectively; or determining the need for adjustments to payment policies for the care of patients with SUD;
- To federal, state and local government agencies and third-party payers for activities related to reviews of appropriateness of medical care, medical necessity and utilization of services;
- To the larger health care organizations in which the Part 2 programs operate (even if not a Part 2 program) on a need-to-know basis;
- To quality improvement organizations and other types of entities that are responsible for quality assurance for performing utilization or quality control reviews, such as health care organization accrediting, certification or similar bodies; and
- To federal, state and local government agencies, as well as their contractors, subcontractors and legal representatives, in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using de-identified information.
- Orders Authorizing the Use of Undercover Agents and Informants (§ 2.67) Extension of Time Period for Placement of Undercover Agent or Informant
SAMHSA proposed extending the time period that a court may approve placement of an undercover agent or informant in a Part 2 program from six months to twelve months. Further, the changes would clarify that the twelve-month time period begins when the undercover agent is placed or the informant is identified in the Part 2 program, not the date of the court order.
NPRM 2 seeks to correct language set forth in the 2017 Part 2 Final Rule. SAMHSA stated that an erroneous addition in the 2017 Final Rule is hampering law enforcement efforts to address the opioid crisis.
Under Part 2 as currently in effect, a court order may authorize disclosure of confidential communications made by a patient to a Part 2 program in the course of diagnosis, treatment or referral for treatment only if the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime “allegedly committed by the patient,” such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon or child abuse and neglect. SAMHSA said that the phrase “allegedly committed by the patient” was erroneously added, as evidenced by the fact that it is not addressed in the preamble of the 2017 Final Rule, and that no explanation was added.
In NPRM 2, SAMHSA proposed removing the phrase “allegedly committed by the patient,” to expand the scope of the extremely serious crimes that can be grounds for a court to authorize the disclosure of otherwise confidential communications. SAMHSA believes that this change is necessary to enable valid enforcement efforts even when the patient is not involved in the serious crime to combat the national opioid crisis. SAMHSA provided the example of drug trafficking by Part 2 providers or Part 2 programs as a type of serious crime that may be deterred through this change.
If you have any questions, would like additional information or would like assistance drafting and submitting public comments in response to this proposed rulemaking, please contact:
- Patricia Connelly at (317) 429-3654 or email@example.com;
- Stephane Fabus at (414) 721-0904 or firstname.lastname@example.org;
- Amy Poe at (919) 228-2404 or email@example.com; or
- Your regular Hall Render attorney.
For more information on Hall Render’s Health IT services, click here.