On August 26, 2019, the U.S. Department of Health and Human Services ("HHS") and the Substance Abuse and Mental Health Services Administration ("SAMHSA") issued a proposed rule amending the regulations governing the confidentiality of substance use disorder ("SUD") records ("Part 2"). The release of this proposed rule signifies the agencies' increased flexibility, particularly in the face of the national opioid epidemic, to reduce barriers to care coordination for patients with SUDs.
Background on Part 2
Part 2 regulations were initially implemented in 1975 to protect the confidentiality of SUD patient records created by certain federally-funded programs with the goal of encouraging more people to enter treatment programs. These regulations were updated in 2017 and 2018 to facilitate information exchange among treating providers while addressing the legitimate privacy concerns of patients seeking treatment for a SUD.
However, notwithstanding these changes, covered programs and treating providers have continued to express concerns over the restrictive nature of the regulations and the difficulties in disclosing patient information among treating providers.
Below is a brief summary of the significant provisions of the proposed rule and their implications for providers of SUD care and treatment.
- Applicability (42 C.F.R. § 2.12): The proposed regulation would clarify that a non-Part 2 treating provider can record information about a patient's SUD and treatment, which would not render such record subject to the Part 2 regulations (nor render the provider subject to Part 2 regulations affecting Part 2 providers). Still, any records that a non-Part 2 provider receives from a Part 2 provider or program must be segregated or segmented. This change would provide non-Part 2 providers with greater capability to accurately record vital information about a patient's SUD and treatment without fear that cumbersome Part 2 regulations would newly apply.
- Consent Requirements (42 C.F.R. § 2.31): Under the proposed rule, a SUD patient may consent to disclosure of his/her SUD treatment information to an entity without a treating provider relationship and without naming a specific person as the recipient for the disclosure. This should be seen as a drastic improvement to the current regulations, which require a patient to specifically name an individual to whom a disclosure may be made. As a result, patients often have trouble applying for benefits or resources from governmental and non-governmental entities (e.g., social security benefits or sober living programs) because these entities lack a treating provider relationship with the patient or the patient is unable to name a specific individual at these entities to receive the disclosure.
- Disclosures Permitted with Written Consent (42 C.F.R. § 2.33): In 2017, SAMHSA proposed to include a list of 17 specific uses permitted when a patient consents to disclosure of his/her records for payment and/or health care activities (e.g., billing/claims management, patient safety activities, educational activities, activities related to addressing fraud, waste and/or abuse). Though SAMHSA chose not to include these 17 items in the 2018 final rule, the agency has now decided to include the list, but to emphasize that such items are illustrative but not exhaustive examples of how the information can be used. SAMHSA also now proposes to include an 18th item, "other payment/health care operations activities not expressly prohibited."
- Disclosures to Prescription Drug Monitoring Programs (42 C.F.R. § 2.36): SAMHSA proposes to add a new § 2.36 to explicitly permit Part 2 programs (including outpatient treatment programs) or other lawful holders of information to prescription drug monitoring programs, though the program or holder of the information must obtain patient consent under § 2.31 prior to reporting. It is unclear whether requiring patients to consent to this would advance the goal of preventing prescription drug misuse; however, in line with the spirit of Part 2 regulations, SAMHSA has emphasized its concern with protecting patient data and patient confidentiality.
- Medical Emergencies (42 C.F.R. § 2.51): Currently, disclosures of SUD treatment records without patient consent are permitted in a bona fide medical emergency. However, natural disasters can present unique challenges for patients with SUDs and for their treating providers. Disasters may result in patients seeking treatment at facilities or with providers who do not have full access to their records. While the proposed rule continues to emphasize that consent should be obtained whenever possible, SAMHSA proposes to authorize a covered program to disclose patient identifying information to medical personnel, without patient consent, in the event of a natural disaster to deliver effective, ongoing SUD services to patients in such disasters. SAMHSA proposes that this medical emergency exception would apply only when a state or federal authority declares a state of emergency as a result of a disaster and the covered program is closed and unable to provide services or obtain the informed consent of the patient as a result of the disaster.
- Research (42 C.F.R. § 2.52): Under the proposed rule, a lawful holder or Part 2 program that is a HIPAA covered entity or business associate may disclose patient identifying information to entities other than HIPAA covered entities and institutions subject to the Common Rule, which governs research conducted or funded by certain government agencies, provided that any such data will be disclosed in accordance with the HIPAA Privacy Rule at 45 C.F.R. § 164.512(i). This change aligns the requirements of Part 2 with the research requirements set forth in the Privacy Rule.
- Audit and Evaluation (42 C.F.R. § 2.53): The proposed rule would expand the types of entities permitted to audit or evaluate Part 2 patient identifying information on the premises of a Part 2 program. For example, third-party payers covering patients in the Part 2 program, as well as quality improvement organizations ("QIO") (and contractors/subcontractors/legal representatives of the payer or QIO), quality assurance entities, and entities that have direct administrative control over the Part 2 program, would be permitted to perform such an audit or evaluation. Note that these entities must agree in writing to comply with the existing limitations on disclosure and use set forth in 42 C.F.R. § 2.53(d).
Overall, the proposed rule, if implemented, would bring some relief to non-Part 2 providers who may have been reticent in the past to document information relating to SUDs, and will afford greater clarity to Part 2 providers and other lawful holders of patient identifying information on permitted uses and consent requirements. HHS and SAMHSA seek comments on the proposed rule by October 25, 2019.