The Substance Abuse and Mental Health Services Administration (“SAMHSA”), a branch of the United States Department of Health and Human Services, has issued changes to the regulations governing the Confidentiality of Substance Use Disorder Patient Records. The final rule updates to Title 42 of the Code of Federal Regulations Part 2 (“Part 2”), effective as of February 2, 2018, are intended to reflect advances in healthcare delivery, including the increased use of electronic records, while maintaining the privacy protections for individuals seeking treatment for substance abuse.“The final rule makes helpful changes to better align Part 2 with HIPAA,” said Kathryn Edgerton, Partner at Nelson Hardiman. “Facilities should update their policies and procedures, patient consent agreements, and third-party contracts to reflect updates in the final rule.”

Part 2 governs the confidentiality of substance abuse patient records for treatment programs that receive federal financial assistance or are authorized by the federal government to dispense controlled substances used in substance abuse treatment. Part 2 also applies to the “lawful holders” of protected patient information, which consist of individuals or entities lawfully receiving information protected by Part 2. Like the Health Insurance Portability Accountability Act of 1996 (“HIPAA”), which sets forth privacy protections for medical records held by covered entities, a cornerstone of Part 2 is that patient consent is required before personal health information can be disclosed, unless narrow exceptions apply. Part 2 was considered stricter than HIPAA in certain respects, as it required additional consent from a patient for a lawful holder to re-disclose medical information for bona fide purposes related to payment and healthcare operations. SAMHSA has attempted to better align the final rule with HIPAA so that such re-disclosures can be made without an additional patient consent.

Providers and lawful holders subject to Part 2 will find that the changes provide greater flexibility dealing with re-disclosures of patient identifying information. First, SAMHSA has authorized the use of an abbreviated notice to be included on records warning against prohibited re-disclosures. The approved abbreviated notice states: “Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.” Each disclosure with the patient’s written consent must contain this language, or other language set forth in Section 2.32 of Part 2.

Second, while re-disclosures of patient identifying information by lawful holders to third-parties previously required an additional patient consent, now disclosures for payment and health care operations can be made to contractors, subcontractors, and legal representatives by lawful holders pursuant to the Part 2 rule consent provisions. If patients specifically consent to disclosure of their records for payment and/or healthcare operation activities, which can be obtained at the outset of treatment as part of a broader patient consent agreement, lawful holders can re-disclose the records without obtaining an additional consent from the patient.

The permitted re-disclosures by lawful holders are limited to the purposes of payment and healthcare operations. Similar to the minimum necessary standard in HIPAA, re-disclosures to the agents of lawful holders must be limited to only that information that is necessary to carry out the purpose of the disclosure. As set forth in the preamble of the final rule, payment and healthcare operations for which additional consent is no longer required include, but are not limited to, the following:

  • Billing, claims management, and collections activities;
  • Review of health care services with respect to medical necessity, insurance coverage, appropriateness of care, or justification of charges;
  • Quality assessment and improvement;
  • Patient safety activities;
  • Training and assessment of students, practitioners, health care professionals, and staff;
  • Assessment of provider and/or health plan performance;
  • Accreditation, certification, licensing, or credentialing activities;
  • Activities related to contracts for health insurance, health benefits, reinsurance of risk, or third-party liability coverage;
  • Medical review, legal services, and auditing functions; and
  • Business planning and development, business management, and general administrative and compliance activities.

Notably, Part 2’s traditional consent requirements still apply to re-disclosures made for treatment-related activities, including diagnosis, treatment, care coordination, case management, and referral purposes. For treatment purposes, the patient consent must specifically list, among other things, the name of the individual or entity making and receiving the disclosure, a description of the information that may be disclosed, and the purpose of the disclosure.

SAMHSA has added language to Part 2 that requires lawful holders include specific language acknowledging the requirements of Part 2 in their contracts or comparable legal agreements with contractors and subcontractors. Such a requirement is similar to the requirements in place under HIPAA for business associate agreements that require the consultant receiving protected health information agree to abide by the privacy protections in HIPAA. The final rule does not require any specific contractual language, so long as the agreement to comply with Part 2 when receiving any patient identifying information is clear. Lawful holders have two years from the effective date of the rule (until February 2, 2020) to bring their contracts with contractors, subcontractors, and legal representatives into compliance if they choose to re-disclose patient identifying information to these third-parties.

Third, the final updates address the exchange of patient identifying information in the course of audits and evaluations of lawful holders. Patient identifying information can now be provided for designated audit and evaluation purposes of lawful holders, whereas previously the disclosures were limited to audits and evaluations of Part 2 programs only. Such authorized audit and evaluation activities include those conducted by governmental agencies or other entities providing financial assistance or authorized by law to regulate the Part 2 program or lawful holder, third-party payers covering patients in the Part 2 program, or quality improvement organizations and their contractors, subcontractors, or other legal representatives performing utilization or quality control review.

Substance abuse treatment providers and lawful holders covered by Part 2 should review and update their policies and procedures, patient consent agreements, and third-party contracts to reflect applicable updates in the final rule.

This Update Was Brought To You By:

Kathryn F. Edgerton is a transactional and regulatory attorney with Nelson Hardiman, LLP, a California based healthcare specialty law firm. Ms. Edgerton has built a significant practice advising hospitals, physician organizations, addiction treatment and behavioral care providers, long-term health providers, telemedicine providers, home health providers, medical spas, and other health-related organizations on the complex transactional and regulatory issues impacting the healthcare industry.

Focused on Addiction Treatment and Behavioral Care Providers

Drawing on her experience as counsel to approximately 70 addiction treatment providers, Ms. Edgerton brings a practical perspective to her work advising on day-to-day operational issues, as well as business and regulatory concerns. Ms. Edgerton successfully obtained licensure, certification, and accreditation for a host of facilities regulated by the California Department of Health Care Services (DHCS), the California Department of Social Services (DSS), and the California Department of Public Health (CDPH), including substance abuse treatment facilities, group homes, adult residential facilities, congregate living health facilities, and home health agencies. Ms. Edgerton has a wealth of experience drafting facilities’ patient intake documentation, and policies and procedures related to licensure, certification, and compliance with privacy and security laws and regulations. She has successfully represented behavioral care facilities facing denial and non-renewal of licensure, certification, and accreditation by government and accreditation agencies.

Ms. Edgerton is a Certified Information Privacy Professional in U.S. private-sector privacy laws and regulations (CIPP/US), and is Certified in Healthcare Privacy Compliance (CHPC) by the Compliance Certification Board.