October 17, 2021

Volume XI, Number 290

Advertisement
Advertisement

October 15, 2021

Subscribe to Latest Legal News and Analysis

October 14, 2021

Subscribe to Latest Legal News and Analysis

SAMHSA Finalizes Interim Changes to Substance Use Disorder Confidentiality Rule Pending Implementation of Deeper CARES Act Reforms

Key Points

  • The Substance Abuse and Mental Health Services Administration (SAMHSA) recently issued a final rule modifying strict confidentiality protections for patient records of federally assisted programs for the treatment of substance use disorders (SUDs) at 42 CFR Part 2 (Part 2). The final rule attempts to facilitate disclosures of SUD records for care coordination and case management purposes while reducing regulatory burdens.

  • The final rule becomes effective August 14, but the standards it prescribes are interim. In the period between publication of the original proposed rule in August 2019 and adoption of the final rule, Congress made sweeping changes to the authorizing law for Part 2 as part of the CARES Act. (For more information, see Katten’s advisory “The CARES Act From a Health CARE Perspective.”) Many changes made by the final rule likely will be further revised in coming months as SAMHSA continues to conform Part 2 to CARES Act changes scheduled to take effect in 2021.

  • As a result, although the final rule makes a number of important interim changes, the heavy lifting is yet to come. Part 2 providers, their vendors, and the wide range of non-Part 2 providers and health care organizations involved in the treatment, care coordination, and payment of care for individuals affected by opioid addiction and other SUDs should plan to closely monitor the upcoming CARES Act rulemaking, and consider submitting comments.

SAMHSA issued a final rule relaxing certain of the privacy regulations applicable to SUD records effective August 14, 2020, with the stated goals of (1) facilitating better coordination of care in response to the opioid epidemic and in light of advances in technology; and (2) making the regulations more understandable and less burdensome. See 85 Fed. Reg. 42986 (July 15, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-07-15/pdf/2020-14675.pdf.

The so-called “Part 2” regulations, referring to 42 CFR Part 2, implement Public Health Service Act § 543 (42 U.S.C. § 290dd–2), and address the use or disclosure of patient records created by federally assisted programs for the treatment of SUDs (i.e., alcohol and drug abuse (SUD Records)). Part 2 generally prohibits treatment programs and certain third-party recipients from disclosing patients’ identities or records without patient consent, except in specified circumstances (e.g., medical emergencies, qualified audit or evaluation of the program, research requests, and court orders).

Key changes in the final rule include:

  • Narrowed Definition of “Records” and Applicability of Part 2: The final rule revises the definition of “records” so that information conveyed orally by a Part 2 program to a non-Part 2 treating provider with consent of the patient does not become a SUD Record merely because it is reduced to writing by the non-Part 2 provider. The final rule also clarifies that when a non-Part 2 treating provider creates records about a SUD (e.g., a treatment note based on a direct clinical encounter with the patient), that record is not a SUD Record unless the non-Part 2 provider incorporates records received from a Part 2 program. In other words, records received by a non-Part 2 provider are SUD Records, subject to Part 2 restrictions on re-disclosure, but records created by a non-Part 2 provider in its direct patient encounter(s) generally are not. Segregation or segmentation of any SUD Records received from Part 2 programs should be used to ensure that new records created by non-Part 2 providers during their own patient encounters do not become SUD Records. For paper records, this may involve physically separating the SUD Record from other records. For SUD Records shared between interoperable electronic health record (EHR) systems that meet Data Segmentation for Privacy (DS4P) standards, segregation could be carried out by logical segmentation of the SUD Records using electronic privacy and security tags; however, the final rule does not impose any new requirement for data segmentation or EHR technology. A non-Part 2 provider remains subject to Part 2 re-disclosure restrictions with regard to SUD Records, whether or not the provider is able to segregate them from other records. SAMHSA notes that segregation does not require the use of a separate server for holding received SUD Records.

  • Eased Consent Requirements: The final rule largely adopts the changes to the consent requirements of 42 CFR § 2.31 included in the proposed rule. It revises consent requirements to allow patients to consent to the disclosure of SUD Records to a wide range of entities without naming a specific individual to receive this information on behalf of a given entity. Among other things, this change will allow patients to apply for benefits/resources online by indicating an agency (e.g., Social Security Administration) and not an individual as the recipient of SUD Records. The final rule also includes specific provisions applicable to consents for disclosure of SUD Records to health information exchanges and research institutions. Part 2 programs should review and consider updating their standard consent forms to reflect the eased consent requirements.

  • Prohibition on Re-Disclosure: The final rule adopts the changes set forth in the proposed rule and revises the language on prohibited re-disclosure of SUD Records in the written notice to recipients to clarify that (1) non-Part 2 providers do not need to redact information in non-SUD Records (e.g., in their own clinical records that are not protected by Part 2) regarding SUDs; and (2) only SUD Records are subject to the prohibition on re-disclosure (unless expressly permitted by written consent of the patient or otherwise permitted under Part 2).

  • Disclosures Permitted With Written Consent for Care Coordination and Case Management: The final rule allows disclosure of SUD Records with a patient’s written consent to specified entities and individuals for a non-exhaustive example list of payment and health care operations purposes, including care coordination and case management activities, and clarifies that other payment and health care operations activities not expressly prohibited are also allowed.

  • Disclosures to Prevent Multiple Enrollments: The final rule adopts the changes set forth in the proposed rule, revising disclosure requirements to allow non-opioid treatment providers and non-central registry treating providers to query a central registry, to determine whether their patients are already receiving opioid treatment through a member program.

  • Disclosures to Prescription Drug Monitoring Programs (PDMPs): The final rule adopts the provisions set forth in the proposed rule, creating new permissions to allow opioid treatment programs to disclose dispensing and prescribing data to PDMPs as required by applicable state law, subject to patient consent. Part 2 programs that choose to report to a PDMP should update their consent forms to request consent for the disclosure.

  • Broadens the Medical Emergency Exception: The final rule authorizes disclosures of SUD Records to medical personnel as necessary to meet a bona fide medical emergency when a Part 2 program is closed and unable to provide services or obtain the prior written consent of the patient, during a temporary state of emergency declared by a state or federal authority as the result of a natural or major disaster, until the Part 2 program resumes operations.

  • Research: The final rule permits disclosure of SUD Records by a Health Insurance Portability and Accountability Act (HIPAA) covered entity or business associate to individuals/organizations who are not subject to HIPAA’s privacy rule or the HHS regulations regarding the protection of human subjects, known as the Common Rule, for the purpose of conducting scientific research. The final rule seeks to align Part 2, the Common Rule and the privacy rule for the conduct of research on human subjects, and to streamline duplicative requirements for research disclosures under Part 2 and the privacy rule. It also permits research disclosures to recipients covered by FDA regulations for the protection of human subjects in clinical investigations.

  • Audit and Evaluation: The final rule clarifies that governmental agencies and third-party payers may conduct audits and evaluations to identify necessary actions at the agency or payer level to improve care. This includes reviews of appropriateness of medical care, medical necessity and utilization of services by auditors that may include quality assurance organizations as well as entities with direct administrative control over a Part 2 program. The final rule removes the word “periodic” so as not to indicate the frequency with which audit and evaluation activities should occur.

  • Orders Authorizing the Use of Undercover Agents and Informants: The final rule amends the period for court-ordered placement of an undercover agent and informant within a Part 2 program to 12 months and clarifies that the 12-month period starts when the undercover agent or informant is placed in the Part 2 program.

  • Guidance on Personal Devices and Accounts: The final rule provides non-binding guidance on how a Part 2 program’s workforce should handle communications using personal devices and accounts, especially in relation to Part 2’s requirements for disposition of records by discontinued programs. Specifically, SAMHSA clarifies that, if patient contact is made through a workforce member’s personal email or cell phone account that is not used in the regular course of business for the Part 2 program, the workforce member should immediately delete this information from the personal account and only respond via an authorized channel supplied by the Part 2 program, unless responding directly from the personal account is required in order to protect the best interest of the patient. If the email or text contains patient identifying information, the information should be forwarded to the authorized channel and then deleted from the personal account. In responding and forwarding patient identifying information, Part 2 program’s workforce subject to HIPAA should use a secure, encrypted means of communication where required for HIPAA compliance.

©2021 Katten Muchin Rosenman LLPNational Law Review, Volume X, Number 206
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Special Counsel

Lisa Christensen serves as special counsel in the Employee Benefits and Executive Compensation group. Her practice focuses on all aspects of employee benefits and executive compensation, including reviewing, revising, drafting documents and counseling clients with respect to plan administration and compliance with all applicable federal laws and state laws (including, but not limited to, requirements under the Internal Revenue Code (IRC), Health Insurance Portability and Accountability Act (HIPAA), Consolidated Omnibus Budget Reconciliation Act (COBRA), Medicare and/or Employee Retirement...

1.212.940.6575
Margaret A. Donohue Health Care Attorney Katten Muchin Rosenman New York, NY
Associate

Margaret Donohue has more than 10 years of experience counseling clients in the health care industry. She works with hospitals, nursing homes, home health agencies, behavioral health and other health care providers on complex Medicare and Medicaid regulatory and reimbursement issues. She also champions their cause in all types of litigation from state and federal audits to False Claims Act investigations.

Helping to ensure the well-being of health care providers

Margaret advises health care clients on compliance with state and federal health care laws. These include...

212-940-6499
Special Counsel

David Florman helps clients achieve industry-aware, cost-effective and sustainable results in a wide variety of matters involving health care regulation and reimbursement. He also works closely with the firm's transactional health care attorneys and others to provide a full range of health care advisory, investigative, litigation and transactional services.

Practice Focus

  • Medicare and Medicaid, managed care, disproportionate share hospitals, upper payment limits and other reimbursement
  • Health care compliance, civil monetary penalties, the anti-kickback statute...
212.940.8633
Megan Hardiman, Katten Muchin Law Firm, Health Care Legl Specialist
Partner

Megan Hardiman draws on her broad regulatory background to advise clients on complex health information privacy issues, tax-exempt organization compliance issues, including maintaining tax-exempt status, IRS Form 990 reporting issues and best practices for executive compensation, state fee-splitting and corporate practice of medicine prohibitions and fraud and abuse compliance.

Megan devotes a significant portion of her practice to helping health care companies and business associates understand and meet the requirements of the Health Insurance Portability...

312-902-5488
Joseph V. Willey, Health Care litigator, Katten Muchin Law Firm
Partner

Joseph V. Willey concentrates his practice in health care and health care litigation.

Joe has more than 30 years of experience in a wide range of health care matters, including Medicare and Medicaid reimbursement, government audits and federal and state fraud and abuse laws. He advises hospitals and other providers on compliance with federal anti-kickback and physician self-referral laws and represents providers in investigations and litigation under the False Claims Act. He has extensive experience in federal and state courts and...

212-940-7087
Advertisement
Advertisement
Advertisement