SAMHSA Finalizes Second Round of Changes to Federal Substance Use Disorder Privacy Rule
New federal regulations published on January 3, 2018, clarify when lawful holders of substance-use disorder records may use and disclose patient identifying information for payment, health care operations, and audits and evaluations. The 2018 regulations address issues that were discussed, but not resolved, in last year’s final rule published on January 18, 2017.
The 2017 final rule made the first major revisions to the federal regulations governing the confidentiality of substance-use disorder patient records (Part 2) since 1987. On the same day that the Substance Abuse and Mental Health Services Administration (SAMHSA) finalized the 2017 regulations, it issued a supplemental notice of proposed rulemaking to clarify requirements related to the disclosure of Part 2 covered data by contractors and legal representatives.
New Flexibility to Use Contractors and Agents for Payment and Operations Purposes
The most significant revisions that have now been finalized are relevant when a Part 2 program has disclosed records to another individual, with patient consent, for payment or health care operations. New regulatory language provides that the recipient of such records—described as a “lawful holder”—may further disclose the records to its contractors, subcontractors, or legal representatives to carry out the payment or health care operations activities authorized by the patient’s consent. Lawful holders who make such a disclosure must have in place a written agreement which provides that the recipient is bound by the Part 2 rules.
The scope of “payment and health care operations” is relatively broad. SAMHSA does not define either term, but offers a list of examples in the final rule, including activities such as billing, claims management, clinical professional support services, patient safety activities, trainings and assessments, accreditation and licensing, underwriting, legal services, business planning and development, general administrative activities, customer services, resolution of internal grievances, sale or transfer of an organization, eligibility or coverage determinations, risk adjusting, and medical necessity review.
There is not, however, any new authority related to disclosures for diagnosis, treatment, or referral. SAMHSA justifies stricter limitations on treatment disclosures on the basis that “it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact.” Of particular note, SAMHSA considers care coordination or case management to be a diagnosis, treatment, or referral activity, rather than a payment or health care operations activity—an intentional departure from the health care operations definition in the HIPAA Privacy Rule.
The new regulations also make a few additional clarifications. They authorize an abbreviated notice to accompany disclosure that simply reads: “42 CFR Part 2 prohibits unauthorized disclosure of these records.” This change is intended to accommodate electronic systems that have character limitations on free text fields.
The regulations also provide that entities performing audits or evaluations of a lawful holder of protected records may receive patient identifying information directly from the lawful holder under the Part 2 audits and evaluation exception.
The new regulations go into effect on February 2, 2018.