July 19, 2019

July 19, 2019

Subscribe to Latest Legal News and Analysis

July 18, 2019

Subscribe to Latest Legal News and Analysis

July 17, 2019

Subscribe to Latest Legal News and Analysis

Are you compliant with the Revised 42 CFR Part 2?

It has been four months since the changes to 42 CFR Part 2, the confidentiality regulations that apply to all substance abuse treatment records, became effective.  Ensure your policies and forms have been updated.

The finalized changes to 42 CFR Part 2 by the Substance Abuse and Mental Health Services Administration (SAMHSA), an agency within the U.S. Department of Health and Human Services (HHS), took affect March 21, 2017. Part 2 originally promulgated in 1975, and the updates “promote health integration and permit appropriate research and data exchange activities,”1 while still ensuring a careful balance between the public health benefits of information exchange and the continued patient privacy protection.  Note that any efforts to repeal and replace the Affordable Care Act have no effect on the importance of 42 CFR Part 2 compliance.

Who it affects: Health care entities that receive federal assistance and provide substance abuse treatment.

Purpose: “To ensure that a patient receiving treatment for a substance use disorder…is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.”2

Reasons for revisions: SAMHSA desires to ensure those with substance use disorders (SUDs) have the ability to participate in, and benefit from, health system delivery improvements while also providing appropriate and necessary privacy safeguards.  This includes facilitating the exchange of information between patient and health providers and facilitating health integration within new health care models.

42 CFR Part 2 regulations continue to implement the federal drug and alcohol confidentiality law (42 U.S.C. 290dd-2), meaning SAMHSA will continue to apply it to federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment.3

The major provisions modified by the final rule, along with an explanation of the finalized revisions, are summarized below:

  1. Applicability (§2.12): Part 2 restrictions on disclosures now apply to individuals or entities who receive patient records from other lawful holders of patient identifying information.

  2. Research (§2.52): In order to allow for the much-needed research on SUDs, SAMHSA revised Part 2 to allow the release of patient identifying information to “qualified personnel”4 to conduct scientific research.  Such personnel must meet certain regulatory requirements.  The research provision now includes a requirement that 42 CFR Part 2 fully applies to the researcher receiving Part 2 data.

  3. Confidentiality Safeguards (§2.31): Previously, the patient could list the name or the title of the individual or name of the organization to which the disclosure was to be made.  Revisions now make it possible for a patient to list a “general disclosure”5 in the “To Whom” section (e.g., “my treating providers”), which allows patients to benefit from integrated health care systems.  SAMHSA retained the option of listing name(s) of the individual(s) to whom a disclosure may be made, as well as still allowing a limitation on generalized consent to recipients who are treating the patient (e.g., treating provider relationship with the patient).

    1.  “To Whom” Consent Requirements (§2.31): The patient must include certain language in the “To Whom” section of the consent form in order for the general disclosure to be valid.  SAMHSA also clarified in the new rule that if a patient uses a general designation listing “my treating providers” without specifying whether the designated providers are “past, current, and/or future,” it should be presumed the patient intended to only designate “current” treating providers.  Further, if the program designated is part of a general medical facility, the modifications to Part 2 permit the patient to designate the entire entity so long as a list of information to be disclosed is included on the consent form.  For example, a patient may provide general disclosure to an entity that does not have a treating provider relationship, such as a Health Information Exchange (HIE) in order to permit disclosure to those participants in the HIE that do have a treating provider relationship with the patient.

    2.  “Amount and Kind” Consent Requirements (§2.31): The “Amount and Kind” of information to be disclosed and the purpose of the disclosure was revised to require more specificity.  The revision requires the SUD information disclosed be explicitly described.  This is so patients know exactly what they are signing, and so patients may consent only to the disclosure of subsets of information.  These include “diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, elements of a medical record such as clinical notes and discharge summary, employment information, living situation and social supports, and claims/encounter data.”  For example, “all of my records” is an insufficient description, while “all of my substance use disorder records” is sufficient.

  4. Disclosure Tracking §2.13(d): Because the final rule permits patients to include a general disclosure designation (described above), revisions require Part 2 programs to provide to patients, upon request, a list of entities to whom their information has been disclosed.  The request must be in writing (paper or electronic), and is limited to disclosures within the past two years.  Entity names designated on the request must respond within 30 days with a brief description of each disclosure.  There is no given timeframe for compliance with this rule; however, entities must be able to provide a list of disclosures upon request in order to have the option of disclosing information outlined in the general designation on a consent form.

  5. Section K, Prohibition on Re-Disclosure (§2.32): SAMHSA clarifies the prohibition on re-disclosure only applies to information that would identify, either directly or indirectly, a person as having been diagnosed, treated or referred for treatment for a SUD.  Essentially, when the patient consents to having information released to a particular individual, the individual receiving the information may not re-disclose it to a third party.  For example, if a person receives substance use treatment from a Part 2 program, and receives treatment for another condition such as heart murmurs, the patient’s record would include information unrelated to SUD (i.e., heart murmurs).  Section K does not prohibit re-disclosure of the information related to the heart murmurs so long as it does not include information that would identify the patient as having or having had a SUD.

  6. Definition Changes (§2.11):

    1. “Program” is now limited to “general medical facilities.”6  Therefore, if an entity qualifies as a program, it is subject to Part 2 rules and regulations.  An identified unit within a general medical facility is subject to Part 2 if “it holds itself out as providing, and provides, substance used disorder, diagnosis, treatment, or referral for treatment.”7  Further, if the provisions of such services are identified as a primary function of medical personnel or the general staff in the general medical facilities, they are considered a “Program,” and are therefore subject to the rules and regulations in Part 2.

    2. “Medical Emergency” definition in §2.51 now gives providers more discretion to define the existence of a “bona fide medical emergency.”8  Patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency, in which the patient’s prior informed consent cannot be obtained.

    3. A “Qualified Service Organization” (QSO) now includes entities that provide population health management to a Part 2 program, meaning relevant patient information may be shared with third-party vendors supporting population health initiatives without patient consent.

  7. Form of Documents (§2.16): 42 CFR Part 2 now applies to both paper and electronic documentation.  The provisions include formal policies and procedures addressing security, including electronic file destruction of associated media.  A program subject to 42 CFR Part 2 must have established formal policies and procedures for the security of both electronic and paper records.

Generally, the text and preamble of 42 CFR Part 2 make it clear the responsibility of explaining patients’ rights falls on the treatment program.  Therefore, programs should be advised to review and/or make changes to the following: consent documents, prohibition on re-disclosure statements, QSO categorization, security policies and procedures (including those regarding permitted disclosures), and general contractual documentation.


1 New rule improves the exchange of medical information in ways that protect the privacy of people receiving substance use treatment, SAMHSA (Jan. 13, 2017), https://www.samhsa.gov/newsroom/press-announcements/201701131200.
2 Kate Tipping, Confidentiality of Substance Use Disorder Patient Records Notice of Proposed Rulemaking, SAMHSA, https://www.samhsa.gov/sites/default/files/topics/health_info_tech/42-cf... (last visited June 8, 2017).
3 43 C.F.R. § 2.1 (2017).
4 Id. § 2.52.
5 Id. § 2.31.
6 Id. § 2.11.
7 Id.
8 Id.

© 2019 Dinsmore & Shohl LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Stacey A. Borowicz, Regulatory, Health care industry, attorney, Dinsmore Shohl,
Associate

Stacey Borowicz is an accomplished attorney who dedicates the majority of her business and regulatory practice to health care providers. Stacey brings with her more than a decade of front line experience in the health care industry as she acquired a rare set of skills as a medical researcher/scientist prior to entering the practice of law.

Stacey's experience in the healthcare representation is diverse and includes Medicare/Medicaid audit and overpayment appeals, voluntary disclosures and refunds. Stacey also brings a wealth of experience in...

614-227-4212
Daniel S. Zinsmaster, Dinsmore Law Firm, Health Care Lawyer
Partner

Dan provides trusted counsel and advocacy to health care clients on a variety of matters, such as corporate compliance, provider credentialing, administrative proceedings and litigation.  He also advises clients on practice formation and acquisition, as well as contract review and preparation.  In recent years, Dan has helped health care companies and providers navigate through fraud and abuse investigations, antitrust reviews, and other white collar criminal matters.  He is a frequent author and lecturer on telehealth and telemedicine issues.

Prior to joining Dinsmore, Dan practiced for nearly seven years with the State Medical Board of Ohio, where he advised board members and agency personnel on issues related to the Medical Practices Act of Ohio, Chapter 119 Administrative Procedures, and federal rules and regulations implicating the area of health care.  His substantial regulatory experience enables him to bring a unique and insightful perspective to handling diverse and complex health care matters, and his thorough understanding of health care laws and policies helps him serve as a valuable resource to corporations, health care associations, hospitals, medical practices and individual practitioners. 

In addition to his experience with federal and state health care regulatory agencies, Dan has successfully aided clients appearing before a number of other administrative or executive entities, including the Ohio Department of Commerce, Accountancy Board of Ohio, and the Ohio Board of Registration for Professional Engineers and Surveyors.  He previously served as an extern for the Legal Office of the Ohio governor, as well as the Business & Regulations Division of the Columbus city attorney’s office.

(614) 628-6949