Issues Concerning Substance Abuse Patient Confidentiality Laws
It was with the best of intentions that Congress passed the Federal Confidentiality of Alcohol and Drug Abuse Patient Records Law over forty years ago. The patient privacy regulations (“Part 2”) spawned by this law reflected a sensitivity to the stigma that can accompany substance abuse, preventing highly vulnerable patients in need from seeking appropriate treatment. In the interim, however, the field of behavioral health care has experienced seismic shifts in coordinated patient care while the regulations concerning these patient records have failed to adapt to changing standards such as electronic health records or health information exchanges. Due to this inflexibility, providers and patients are now facing a host of impediments in the provision of behavioral healthcare.
Part 2 regulations concerning information for those being treated for substance use disorders (“SUDs”) are more stringent than the rules embodied in HIPAA, adding additional layers of explicit patient consent for every disclosure of patient information. This consent must be written and given prior to the disclosure, and blanket waivers of consent are not permitted. Unlike the privacy provisions of HIPAA, Part 2 does not allow for the disclosure of protected patient information for the purposes of treatment, payment or health care operations without the consent of the patient except in limited circumstances. It may be easy to tell how this can pose problems for newer strategies of coordinated patient care and the integration of electronic health records (“EHRs”). These regulations did not envision a technological timeline where health records could be stored, accessed or transferred instantly and digitally, so their application to modern and evolving healthcare has been awkward at best.
Also, the required contents of the disclosure can prove limiting when trying to provide coordinated care across multiple providers and entities. For instance, a consent to a disclosure must identify every single individual or organization to which that disclosure will be made, which can be problematic for disclosing to newer entities such as Accountable Care Organizations or Health Information Exchanges that experience ever-shifting memberships.
The regulations also do not contemplate the way treatment of SUDs blurs the lines between specialized providers, primary care physicians and others. For instance, some SUD treatment may take place with a primary care provider, and records for this treatment are not covered under the Part 2 regulations, even if they would be covered had the patient seen an SUD specialist at a federally-funded facility for the same treatment. If a patient sees a specialist in SUDs, however, that record from that visit is confidential. If a consent form from that specialist is not thorough with the amount and type of information allowed, a follow-up visit with a primary care provider may not have sufficient information to provide necessary treatment.
There is little guidance as to how providers should deal with the intersection between the necessary written consent of patients and electronic health records or coordinated care. The Department of Health and Human Services, Substance Abuse and Mental Health Administration (“SAMHSA”) addressed several of these issues in a published set of FAQs, but questions remain as to how providers can effectively participate in ACOs or health information exchanges under these rules. This is an especially important question in Kentucky, where, for example, new regulations from Kentucky’s Medical Licensure Board that govern the treatment of SUDs with certain medication-assisted therapies require physicians providing these treatments to register with Kentucky’s health information exchange.
Last year, SAMHSA conducted a public listening session to begin addressing these concerns. The primary takeaways from this session were that patient consent should include the ability to consent to disclosure to entities such as ACOs and health information exchanges and the ability to consent to disclosure of an open class of any provider involved in that patient’s care, and redisclosure of information without the patient’s consent should be allowed in line with HIPAA regulations, such is in patient treatment, payment and healthcare operations.
Protection for patients in the treatment of SUDs remains paramount, but existing Part 2 regulations only provide complexity and uncertainty in the face of new and evolving treatments and technology. Providers dealing with the treatment of SUDs should be wary of compliance with Part 2 regulations and how they interact or even hinder areas of care that involve EHRs, HIPAA requirements and principles of coordinated care. Providers shouldn’t try to negotiate the tangled web of Part 2 regulations alone, instead seeking out legal guidance from a trusted source to ease compliance with complicated requirements.