September 26, 2020

Volume X, Number 270

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

Proposed Changes to Part 2 Rules Ease Substance-Use Disorder Record Sharing

Recently proposed changes to the federal regulations governing the confidentiality of substance-use disorder patient records (Part 2) would all but eliminate the most significant and intractable barrier to sharing protected information under Part 2 with patient consent. The proposed rule does not contemplate changing the basic principle under Part 2 that generally requires patient consent for disclosures other than for a bona fide medical emergency, research, audits, or program evaluations, or when based on an appropriate court order. The Substance Abuse and Mental Health Services Administration (SAMHSA) also published an accompanying fact sheet with a user-friendly summary of the proposed changes and the purposes behind them.  

Background on Part 2 Data Sharing

For years, Part 2’s rigorous consent requirements have made it extremely challenging for Part 2 programs to share information, even in circumstances when patients wanted them to do so. The rule has required—in most circumstances—that a valid consent specify by name the individual to whom a disclosure may be made. Covered programs have largely viewed this requirement as operationally impossible to implement and complained that it necessitates the total exclusion of substance-use disorder information from care coordination and benefits programs that patients have affirmatively opted into. 

Although recent changes in 2017 relaxed Part 2’s consent requirements when patients authorize disclosures to treating providers, the rule has remained a significant barrier to information sharing in contexts beyond treatment. In its proposed rule, SAMHSA would amend the regulation to allow written consents to identify the name of the individual or the name of the entity that may receive the information. Consents authorizing disclosure to health information exchanges and research institutions would need to include the name of specific individuals or entities beyond the health information exchange or research institution itself (but would still be allowed to use a general designation limited to treating providers). 

Expanding the Scope of Permissible Data Sharing

SAMHSA explained that the consent change is intended to effectuate the wishes of patients who may want Part 2 programs “to disclose protected information to entities for reasons including eligibility determinations and seeking non-medical services or benefits from governmental and non-governmental benefits.” Beyond those specifically identified goals, the revision would facilitate consent-based information sharing for a range of programs or services that go beyond medical treatment. This simple proposal could fundamentally restructure the information-sharing landscape.

The rule also includes several other noteworthy proposed changes. On a similar theme of loosening the most restrictive aspects of Part 2, SAMHSA has proposed amending the definition of “record” to clarify that entities and individuals who are not covered by Part 2 need only apply confidentiality protections to the specific Part 2 record they receive from covered programs.  If all of its changes were finalized, the proposed rule would result in a kind of safe harbor for non-covered entities that segregate Part 2 records they receive, ensuring that such non-covered entities need not fear that their own records (which may include identical substance-use disorder information) suddenly become subject to Part 2’s onerous requirements.  As part of this effort, new language would state that “information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a record subject to this part in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider.”

Health Care Operation and Payment Disclosures

In addition, the proposed rule would revise the regulation governing disclosures that may be made to contractors with written consent to include a non-exhaustive list of 17 activities that are considered “payment” or “health care operations” under Part 2.  Part 2 does not currently define “payment” or “health care operations.”  SAMHSA included 17 “illustrative examples” of such activities in the preamble to a 2018 rule.  Since these activities were not included in the text of the final rule, many Part 2 providers believed that such activities were not permissible payment or health care operation activities under the rule. The proposed rule would move those 17 activities into the regulation itself, but SAMHSA continues to stress that the list is not intended to be exhaustive. Notably, the 2018 rule, as well as this proposed rule, intentionally exclude care coordination and case management in the list of activities, even though care coordination and case management are part of HIPAA’s definition of “health care operations.”

Interested parties will have until October 25, 2019 to provide comments on the proposed rule.

© 2020 Foley & Lardner LLPNational Law Review, Volume IX, Number 239


About this Author

Adam Hepworth,  Health Care Attorney, Foley Law Firm

Adam J. Hepworth is an associate and health care business lawyer with Foley & Lardner LLP. He is a member of the firm’s Health Care Industry Team.

Prior to joining Foley, Mr. Hepworth was a law clerk for Judge Harris L. Hartz on the United States Court of Appeals for the Tenth Circuit. He also interned in the San Francisco City Attorney’s health group and externed in the Civil Division of the United States Attorney’s Office in San Jose. Before he attended law school he was a policy intern for Sierra Health Foundation, where he worked on...

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation to the notification of affected individuals and state and federal government regulators. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath. Prior to joining Foley, Ms. Hennessy was a health law associate with a large U.S. law firm based in Milwaukee.

Claire Marblestone, health care lawyer, Foley and Lardner, Law firm
Senior Counsel

Claire Marblestone is an associate and health care lawyer with Foley & Lardner LLP. Her practice focuses on transactional and health care regulatory matters, with an emphasis on HIPAA compliance, the Anti-Kickback Statute, Stark law, provider enrollment, and licensure and certification. She advises a number of clients, including hospitals, health systems and physician groups on regulatory and compliance issues presented by telemedicine and telehealth.