Last month the Substance Abuse and Mental Health Services Administration (“SAMHSA”) finalized amendments to the federal Confidentiality of Substance Use Disorder Patient Records regulation, 42 C.F.R. Part 2 (“Part 2”). The changes purport to better facilitate substance use disorder (“SUD”) care coordination and treatment by loosening technical consent requirements, clarifying permissible disclosures, and providing other guidance. Notably, these changes do not address changes required under the COVID-19-related CARES Act, which will require aligning Part 2’s consent requirements more closely to HIPAA. More information about these changes are summarized below:

• Modification of Authorization Requirements: Part 2 previously required naming specific individuals to receive SUD records in authorization forms (except in very limited circumstances). This functioned as a major barrier to effective data sharing because patients often did not know a specific person’s name at a recipient organization. The modified authorization rules now more closely align with HIPAA by permitting organizations (instead of specific persons) to be named in authorization forms.

• Permissible Disclosures for Payment and Health Care Operations Permitted with Written Consent: Part 2 previously left some ambiguity about the types of purposes for which SUD information could be disclosed with patient consent. The modifications now permit disclosures with consent that align to the HIPAA definitions of “Payment” and “Health Care Operations” and include “care coordination and case management.”

• Disclosures for Research: The modifications also align the Part 2 “research” disclosure rules much more closely with HIPAA and the federal “Common Rule” regarding human subject research.

• Permissible Disclosures for Audit and Program Evaluation: The regulation also clarifies specific situations that fall within the scope of permissible disclosures for audits and/or program evaluation purposes. Federal, state and local governmental agencies and third-party payers may conduct audits and evaluations to identify needed actions at the agency or payer level to improve care. Additionally, audits and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services.

• Regulation Scope and Re-Disclosure: Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly not covered by Part 2, unless the provider incorporates SUD records received from a Program into the provider’s records. Otherwise, providers (and the EHRs they use) can avoid Part 2 applicability by segmenting data obtained from Part 2 records from the rest of the provider’s records.

Critical features of Part 2 remain unchanged, however, including:

• Most data uses and disclosures still require patient authorization. However, Part 2 changes are coming up under the CARES Act that will make it substantially easier for entities subject to HIPAA to share information after obtaining an initial authorization.
• Part 2 continues to prohibit law enforcement’s use of SUD patient records in criminal prosecutions against patients in the absence of a court order.

This development will have wide-ranging implications for Part 2 programs, which will benefit from the additional flexibility. The area of healthcare data privacy is constantly evolving and it can be difficult to navigate changes in the law.