February 7, 2023

Volume XIII, Number 38


February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

HHS Eases Federal Substance Use Disorder Confidentiality Rules

Last month the Substance Abuse and Mental Health Services Administration (“SAMHSA”) finalized amendments to the federal Confidentiality of Substance Use Disorder Patient Records regulation, 42 C.F.R. Part 2 (“Part 2”). The changes purport to better facilitate substance use disorder (“SUD”) care coordination and treatment by loosening technical consent requirements, clarifying permissible disclosures, and providing other guidance. Notably, these changes do not address changes required under the COVID-19-related CARES Act, which will require aligning Part 2’s consent requirements more closely to HIPAA. More information about these changes are summarized below:

  • Modification of Authorization Requirements: Part 2 previously required naming specific individuals to receive SUD records in authorization forms (except in very limited circumstances). This functioned as a major barrier to effective data sharing because patients often did not know a specific person’s name at a recipient organization. The modified authorization rules now more closely align with HIPAA by permitting organizations (instead of specific persons) to be named in authorization forms.

  • Permissible Disclosures for Payment and Health Care Operations Permitted with Written Consent: Part 2 previously left some ambiguity about the types of purposes for which SUD information could be disclosed with patient consent. The modifications now permit disclosures with consent that align to the HIPAA definitions of “Payment” and “Health Care Operations” and include “care coordination and case management.”

  • Disclosures for Research: The modifications also align the Part 2 “research” disclosure rules much more closely with HIPAA and the federal “Common Rule” regarding human subject research.

  • Permissible Disclosures for Audit and Program Evaluation: The regulation also clarifies specific situations that fall within the scope of permissible disclosures for audits and/or program evaluation purposes. Federal, state and local governmental agencies and third-party payers may conduct audits and evaluations to identify needed actions at the agency or payer level to improve care. Additionally, audits and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services.

  • Regulation Scope and Re-Disclosure: Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly not covered by Part 2, unless the provider incorporates SUD records received from a Program into the provider’s records. Otherwise, providers (and the EHRs they use) can avoid Part 2 applicability by segmenting data obtained from Part 2 records from the rest of the provider’s records.

Critical features of Part 2 remain unchanged, however, including:

  • Most data uses and disclosures still require patient authorization. However, Part 2 changes are coming up under the CARES Act that will make it substantially easier for entities subject to HIPAA to share information after obtaining an initial authorization.
  • Part 2 continues to prohibit law enforcement’s use of SUD patient records in criminal prosecutions against patients in the absence of a court order.

This development will have wide-ranging implications for Part 2 programs, which will benefit from the additional flexibility. The area of healthcare data privacy is constantly evolving and it can be difficult to navigate changes in the law. 

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 240

About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...