Recent Guidance by ONC and SAMHSA Sheds Light on Compliance Requirements for 42 CFR Part 2
In the face of the ongoing opioid crisis in the United States, the Office of the National Coordinator for Health Information Technology (“ONC”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently released two fact sheets to clarify how the requirements of 42 CFR Part 2 apply in different provider contexts, including via electronic health information exchange (“HIE”). The Part 2 regulations were initially promulgated in 1975 to ensure the confidential treatment of records relating to the identity, diagnosis, prognosis or treatment of patients in federally assisted programs for substance use disorders (“SUD”). SAMHSA attempted to modernize the regulations in 2017, in part to account for the many advances in healthcare technology and care delivery models that impact how patient records are transmitted and maintained. However, many stakeholders continue to call for further changes, and a number of bills have been introduced in the House and Senate to further align the Part 2 regulations with HIPAA for the purposes of healthcare treatment, payment and operations.
The new Fact Sheets are intended to help remove barriers to choosing or providing appropriate SUD treatment and to guide stakeholders on how to access and securely share SUD-related health information with the patient’s consent. They are the first guidance documents that SAMHSA has issued since the Part 2 regulations were amended last year. Although they largely restate material in the Preamble of the Final Rule, they contain a series of useful fact patterns that illustrate when and how patient consent should be obtained, including by clarifying how a general designation in a patient consent form works in practice. The key takeaways and insights from the Fact Sheets, which are particularly helpful for stakeholders in mixed-use facilities, integrated care settings, or utilizing HIEs, are summarized below.
Fact Sheet: Does Part 2 Apply to Me?
The first fact sheet provides a series of clarifying examples to help providers understand if they qualify as a Part 2 Program that is subject to the Part 2 regulation, and, if so, how to properly disclose patient information.
- Opioid Treatment Programs
- Providers treating patients for SUDs, including for opioid use disorder, in a Part 2 Program can only disclose patient information related to that treatment (for example, with the patient’s primary care provider) upon obtaining written consent from the patient. The consent form must comply with all requirements in Section 2.31 of the Part 2 regulations and must be accompanied by a notice of prohibition on re-disclosure, so that the information is not further disclosed without the patient’s explicit written consent.
- Mixed-Use Facilities
- The application of the Part 2 regulations in a mixed-use facility (where only certain providers meet the definition of a Part 2 program) is complex and requires extra care to protect against impermissible disclosures of a patient’s SUD status, particularly where Electronic Health Records (“EHR”) are in use. For example, where a patient is being treated in a mixed-use facility by providers who are subject to the Part 2 requirements and by others who are not, then the patient’s consent is required before information about the SUD treatment can flow into the facility’s EHR and be seen by the other treating providers. In this situation, the consent form must name the mixed-use facility or the individual providers at the facility, if the patient wants to share his / her records with them.
- Further, those providers that are part of a Part 2 program and only treat patients with SUDs (and are recognized as such) must obtain a patient’s consent before disclosing any personally identifying information (“PII”), since any information coming from such a provider would identify a patient as having an SUD.
- Accountable Care Organizations (ACOs)
- A Part 2 program that is part of an ACO must obtain written consent before disclosing a patient’s SUD treatment to any other providers within the ACO group. Such consent could take the form of a general designation (“all my treating providers”) or specific naming of individual providers.
- Integrated Care Setting
- Integrated care programs should carefully determine if they qualify as a Part 2 program. An integrated care program may provide services for the diagnosis, treatment, or referral of a SUD without actually meeting the requirements of a Part 2 program (i.e., if there is no federal assistance). In such a case, providers and entities would not be subject to restrictions in Part 2 but would still be subject to the privacy requirements in HIPAA and state laws applicable to the disclosure of PII.
Fact Sheet: How Do I Exchange Part 2 Data?
The second fact sheet focuses on the electronic exchange of health care records with a Part 2 program. The guidance differentiates between the two primary types of electronic health information exchange: directed exchanges (methods used to securely send patient information between providers or with an HIE) and query-based exchanges (methods used by providers to search for patient clinical information, typically via an HIE intermediary that connects disparate systems or facilitates searches between systems).
- Directed Exchanges: To use a direct exchange, a Part 2 program must obtain the patient’s written consent before sending PII to a third party. Once written consent is obtained, the Part 2 program may create and send direct messages between EHR systems.
- Query-based Exchanges: When a Part 2 program wants to connect to an HIE to facilitate disclosure of patient records to other providers, there are two possible ways of doing so in compliance with 42 CFR Part 2.
- QSOA: The HIE may enter into a qualified service organization agreement (“QSOA”) where the HIE agrees to be fully bound by the Part 2 regulations, in which case the Part 2 program and the HIE may exchange patient information with each other for the limited purposes specified in Part 2. However, even with a QSOA in place, other, third party providers participating in the HIE must still have the patient’s consent to view the patient’s SUD records, and the HIE is prohibited from re-disclosing such records to third party providers without the patient’s written consent.
- Written Consent: Alternatively and more commonly, the patient may provide specific written consent in accordance with the requirements of Part 2 that lists the providers who may access the HIE to view his / her patient records. The written consent should include the name of the HIE and either the name of specific individuals or a general designation of entities that are treating providers of the patient.
This recent guidance from ONC and SAMHSA highlight the complexity that providers face when handling SUD patient records. Organizations involved in providing such services should evaluate their existing practices regarding disclosure of PII in relation to the scenarios provided in the fact sheets. For more information about compliance with 42 CFR Part 2 and recommendations of ways to reduce risk with your practice, please contact the authors or your regular SPB contact.