Key Points

  • The Substance Abuse and Mental Health Services Administration (SAMHSA) recently issued a final rule modifying strict confidentiality protections for patient records of federally assisted programs for the treatment of substance use disorders (SUDs) at 42 CFR Part 2 (Part 2). The final rule attempts to facilitate disclosures of SUD records for care coordination and case management purposes while reducing regulatory burdens.
  • The final rule becomes effective August 14, but the standards it prescribes are interim. In the period between publication of the original proposed rule in August 2019 and adoption of the final rule, Congress made sweeping changes to the authorizing law for Part 2 as part of the CARES Act. (For more information, see Katten’s advisory “The CARES Act From a Health CARE Perspective.”) Many changes made by the final rule likely will be further revised in coming months as SAMHSA continues to conform Part 2 to CARES Act changes scheduled to take effect in 2021.
  • As a result, although the final rule makes a number of important interim changes, the heavy lifting is yet to come. Part 2 providers, their vendors, and the wide range of non-Part 2 providers and health care organizations involved in the treatment, care coordination, and payment of care for individuals affected by opioid addiction and other SUDs should plan to closely monitor the upcoming CARES Act rulemaking, and consider submitting comments.

SAMHSA issued a final rule relaxing certain of the privacy regulations applicable to SUD records effective August 14, 2020, with the stated goals of (1) facilitating better coordination of care in response to the opioid epidemic and in light of advances in technology; and (2) making the regulations more understandable and less burdensome. See 85 Fed. Reg. 42986 (July 15, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-07-15/pdf/2020-14675.pdf.

The so-called “Part 2” regulations, referring to 42 CFR Part 2, implement Public Health Service Act § 543 (42 U.S.C. § 290dd–2), and address the use or disclosure of patient records created by federally assisted programs for the treatment of SUDs, i.e., alcohol and drug abuse (SUD Records). Part 2 generally prohibits treatment programs and certain third-party recipients from disclosing patients’ identities or records without patient consent, except in specified circumstances (e.g., medical emergencies, qualified audit or evaluation of the program, research requests, and court orders).

Key changes in the final rule include:

  • Narrowed Definition of “Records” and Applicability of Part 2: The final rule revises the definition of “records” so that information conveyed orally by a Part 2 program to a non-Part 2 treating provider with consent of the patient does not become a SUD Record merely because it is reduced to writing by the non-Part 2 provider. The final rule also clarifies that when a non-Part 2 treating provider creates records about a SUD (e.g., a treatment note based on a direct clinical encounter with the patient), that record is not a SUD Record unless the non-Part 2 provider incorporates records received from a Part 2 program. In other words, records received by a non-Part 2 provider are SUD Records, subject to Part 2 restrictions on re-disclosure, but records created by a non-Part 2 provider in its direct patient encounter(s) generally are not. Segregation or segmentation of any SUD Records received from Part 2 programs should be used to ensure that new records created by non-Part 2 providers during their own patient encounters do not become SUD Records. For paper records, this may involve physically separating the SUD Record from other records. For SUD Records shared between interoperable electronic health record (EHR) systems that meet Data Segmentation for Privacy (DS4P) standards, segregation could be carried out by logical segmentation of the SUD Records using electronic privacy and security tags; however, the final rule does not impose any new requirement for data segmentation or EHR technology. A non-Part 2 provider remains subject to Part 2 re-disclosure restrictions with regard to SUD Records, whether or not the provider is able to segregate them from other records. SAMHSA notes that segregation does not require the use of a separate server for holding received SUD Records.
  • Eased Consent Requirements: The final rule largely adopts the changes to the consent requirements of 42 CFR § 2.31 included in the proposed rule. It revises consent requirements to allow patients to consent to the disclosure of SUD Records to a wide range of entities without naming a specific individual to receive this information on behalf of a given entity. Among other things, this change will allow patients to apply for benefits/resources online by indicating an agency (e.g., Social Security Administration) and not an individual as the recipient of SUD Records. The final rule also includes specific provisions applicable to consents for disclosure of SUD Records to health information exchanges and research institutions. Part 2 programs should review and consider updating their standard consent forms to reflect the eased consent requirements.
  • Prohibition on Re-Disclosure: The final rule adopts the changes set forth in the proposed rule and revises the language on prohibited re-disclosure of SUD Records in the written notice to recipients to clarify that (1) non-Part 2 providers do not need to redact information in non-SUD Records (e.g., in their own clinical records that are not protected by Part 2) regarding SUDs; and (2) only SUD Records are subject to the prohibition on re-disclosure (unless expressly permitted by written consent of the patient or otherwise permitted under Part 2).
  • Disclosures Permitted With Written Consent for Care Coordination and Case Management: The final rule allows disclosure of SUD Records with a patient’s written consent to specified entities and individuals for a non-exhaustive example list of payment and health care operations purposes, including care coordination and case management activities, and clarifies that other payment and health care operations activities not expressly prohibited are also allowed.
  • Disclosures to Prevent Multiple Enrollments: The final rule adopts the changes set forth in the proposed rule, revising disclosure requirements to allow non-opioid treatment providers and non-central registry treating providers to query a central registry, to determine whether their patients are already receiving opioid treatment through a member program.
  • Disclosures to Prescription Drug Monitoring Programs (PDMPs): The final rule adopts the provisions set forth in the proposed rule, creating new permissions to allow opioid treatment programs to disclose dispensing and prescribing data to PDMPs as required by applicable state law, subject to patient consent. Part 2 programs that choose to report to a PDMP should update their consent forms to request consent for the disclosure.
  • Broadens the Medical Emergency Exception: The final rule authorizes disclosures of SUD Records to medical personnel as necessary to meet a bona fide medical emergency when a Part 2 program is closed and unable to provide services or obtain the prior written consent of the patient, during a temporary state of emergency declared by a state or federal authority as the result of a natural or major disaster, until the Part 2 program resumes operations.
  • Research: The final rule permits disclosure of SUD Records by a Health Insurance Portability and Accountability Act (HIPAA) covered entity or business associate to individuals/organizations who are not subject to HIPAA’s privacy rule or the HHS regulations regarding the protection of human subjects, known as the Common Rule, for the purpose of conducting scientific research. The final rule seeks to align Part 2, the Common Rule and the privacy rule for the conduct of research on human subjects, and to streamline duplicative requirements for research disclosures under Part 2 and the privacy rule. It also permits research disclosures to recipients covered by FDA regulations for the protection of human subjects in clinical investigations.
  • Audit and Evaluation: The final rule clarifies that governmental agencies and third-party payers may conduct audits and evaluations to identify necessary actions at the agency or payer level to improve care. This includes reviews of appropriateness of medical care, medical necessity and utilization of services by auditors that may include quality assurance organizations as well as entities with direct administrative control over a Part 2 program. The final rule removes the word “periodic” so as not to indicate the frequency with which audit and evaluation activities should occur.
  • Orders Authorizing the Use of Undercover Agents and Informants: The final rule amends the period for court-ordered placement of an undercover agent and informant within a Part 2 program to 12 months and clarifies that the 12-month period starts when the undercover agent or informant is placed in the Part 2 program.
  • Guidance on Personal Devices and Accounts: The final rule provides non-binding guidance on how a Part 2 program’s workforce should handle communications using personal devices and accounts, especially in relation to Part 2’s requirements for disposition of records by discontinued programs. Specifically, SAMHSA clarifies that, if patient contact is made through a workforce member’s personal email or cell phone account that is not used in the regular course of business for the Part 2 program, the workforce member should immediately delete this information from the personal account and only respond via an authorized channel supplied by the Part 2 program, unless responding directly from the personal account is required in order to protect the best interest of the patient. If the email or text contains patient identifying information, the information should be forwarded to the authorized channel and then deleted from the personal account. In responding to and forwarding patient identifying information, a Part 2 program’s workforce subject to HIPAA should use a secure, encrypted means of communication where required for HIPAA compliance.