November 18, 2019

November 18, 2019

Subscribe to Latest Legal News and Analysis

Spurred by Opioid Crisis, Government Proposes Additional Changes to Substance Use Disorder Confidentiality Regulations to Facilitate Provision of Coordinated Care

On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated care” for individuals with SUD.

The NPRM follows final rules issued by SAMHSA in 2017 and 2018 that sought to provide “greater flexibility” for disclosures of patient-identifying information under Part 2, and to provide “greater clarity” concerning disclosures for payment, health care operations, and for audits or evaluations. SAMHSA now seeks to provide further guidance on the applicability of the Part 2 regulations, and on the requirements for disclosure of confidential SUD information. The proposed changes largely follow-up on issues raised under the 2017 and 2018 final rules, and seek to expand permissible uses and disclosures of Part 2 records. As a reminder, the Part 2 regulations generally apply to records of federally-assisted programs that hold themselves out as providing, and provide, SUD diagnosis, treatment, and referral for treatment.

 Proposed Changes to Part 2 Definitions (§ 2.11)

The current regulations define “records” as “any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient” including both electronic and paper records of diagnosis, treatment, referrals, billing information, emails, voicemails, and texts. In the NPRM, SAMHSA proposes to revise this definition to carve out “information conveyed by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient” from the definition of a Part 2 record merely because such information is then written down by the non-Part 2 provider. Generally, Part 2 program records transmitted to a non-Part 2 provider continue to be subject to Part 2’s restrictions on uses and disclosures, but here SAMHSA proposes a “very limited exception” to enable non-Part 2 providers to receive SUD information orally without the record becoming subject to Part 2. SAMHSA intends for this change to “better facilitate coordination of care” between Part 2 programs and other health care providers, and to “resolve lingering confusion” amongst such health care providers about when SUD information can be recorded without subjecting the records to Part 2.

Proposed Clarification of Applicability of Part 2 (§ 2.12)

In the NPRM, SAMHSA proposes to revise the Part 2 applicability regulations to reiterate that SUD records received by non-Part 2 providers from Part 2 programs are subject to Part 2 restrictions on re-disclosure. This is intended to address “confusion within the provider community” about what information obtained by non-Part 2 providers may be subject to Part 2 that persists following SAMHSA’s 2017 final rule. SAMHSA explains that the records of non-Part 2 providers will not be subject to Part 2 regulations solely because such records include SUD information, and notes that the opioid epidemic has heightened the importance of primary care providers and general medical facilities carrying out SUD treatment and operations. The NPRM proposes an additional subsection to Part 2’s applicability regulation to clarify that the recording of SUD information by a non-Part 2 provider does not make the record subject to Part 2. SAMHSA cautions, however, that the incorporation of a Part 2 program record into a patient’s medical record held by a non-Part 2 provider would render the entire record subject to Part 2, and therefore non-Part 2 providers may want to utilize segregation of Part 2 records to ensure that new clinical records are not subject to Part 2’s restrictions.

Proposed Relaxation of Consent Requirements (§ 2.31)

Currently, the Part 2 regulations contain specific requirements for patient consent to disclosure of a Part 2 program record. The consent must include the name(s) of individuals to whom a disclosure is to be made, or the name of an entity with a treating provider relationship with the patient. If the disclosure is to be made to an entity without a treating provider relationship, the patient must name the entity and identify the specific individual who is to receive the information. According to the government, this has presented a barrier for patients seeking to disclose Part 2 records to a non-treating entity – e.g., to secure social security or housing benefits or assistance – because the patient often cannot identify a specific individual within the non-treating entity to receive the records. SAMHSA proposes to remedy this issue by revising the regulations to allow patients to list only the entity to which they consent to disclosure of information, even if a treating provider relationship does not exist. As part of this change, SAMHSA proposes to re-organize the consent regulations to also provide that if the recipient of Part 2 information is a health information exchange (HIE) or research institution, the consent must include the entity’s name and the name of an individual or participant, or a general designation of an individual or entity participants therein, provided that only participants with a treating provider relationship with the patient that “need to know” the information can access it. As a result, the regulations will continue to limit the use of a general designation in the recipient provision of a Part 2 patient disclosure where the recipient is an HIE or research institution.

Proposed Changes to Standard Notice Prohibiting Re-disclosure (§ 2.32)

Under Part 2, re-disclosures of Part 2 records with a patient’s consent must be accompanied by a statement notifying the recipient that unauthorized re-disclosure of the information is prohibited by federal rules under Part 2. The Part 2 regulations set forth specific language and two options for such statements at 42 C.F.R. § 2.32.

The NPRM proposes to revise the template notices to ensure that downstream entities understand that they need not manually redact disclosure data files related to a patient having a SUD, as long as Part 2-covered data is segregated or segmented within such files. The revised notice would clarify that the prohibition on re-disclosure applies to the Part 2 record unless further disclosure is expressly permitted by the patient or Part 2.

Disclosures Permitted with Written Consent (§ 2.33)

In its 2018 final rule, SAMHSA included in the preamble examples of types of payment and health care operations activities that would be acceptable with patient consent, but declined to incorporate these into the actual regulations. SAMHSA now proposes to reverse course and include examples to further clarify permissible activities, while reiterating that the list is illustrative and not intended to list all possible uses or disclosures for treatment or health care operations. The permissible activities include billing, collections activities, clinical professional support services, and patient safety activities. In the NPRM, SAMHSA also highlights an important difference between Part 2 and HIPAA: disclosures for care coordination and case management are not covered “health care operations” under 42 C.F.R. § 2.33(b) – which allows lawful holders of Part 2 records disclosed with patient consent for payment or health care operations to further disclose such records to contractors and representatives to carry out the payment or health care operations purpose – whereas under HIPAA the definition of health care operations can apply to uses and disclosures for care coordination and case management. This means that for Part 2 records, disclosures to subcontractors and representatives to undertake care coordination and case management activities continue to require specific patient consent.

Disclosures to Prescription Drug Monitoring Programs with Patient Consent (§ 2.36)

Currently, opioid treatment programs (OTPs) do not have to report dispensing of methadone or buprenorphine – medications commonly used to combat opioid addiction – to state prescription drug monitoring programs (PDMPs). SAMHSA previously took the position that OTPs could not disclose patient-identifying information to PDMPs unless a Part 2 exception applies, but “no longer believes this policy is advisable in light of” the opioid crisis. In the NPRM, SAMHSA therefore proposes establishment of a new § 2.36 that would allow Part 2 programs (including OTPs) to enroll in PDMPs and submit dispensing data for controlled substances, but only with each patient’s written consent.

 Proposal for Medical Emergencies to Include Natural and Major Disasters (§ 2.51)

Part 2 permits disclosures without consent in a “bona fide medical emergency,” which is not defined under Part 2 but per SAMHSA can refer to a situation where a patient requires urgent clinical care for a life-threatening condition, and it would be infeasible to obtain consent prior to administering such care. In the NPRM, SAMHSA proposes to expand the circumstances in which Part 2 records may be disclosed without patient consent in a medical emergency to also include natural and major disasters that cause a federal or state authority to declare a state of emergency, if the Part 2 program is closed and unable to provide services or obtain patient consent to disclosures. SAMHSA notes that “consent should still be obtained if at all feasible,” but expedient care for patients should be prioritized in disaster situations.

Disclosures for Research Purposes (§2.52)

In the NPRM, SAMHSA proposes to liberalize current restrictions on disclosure of Part 2 data for research purposes. Currently, Part 2 programs are only permitted to disclose Part 2 data for research purposes to HIPAA covered entities and business associates who have obtained patient authorization in accordance with HIPAA, or to organizations subject to the Common Rule’s protections of human subjects. SAMHSA proposes to alter these restrictions to allow disclosures by a HIPAA covered entity (or business associate) to individuals and organizations who are not subject to HIPAA or the Common Rule, as long as the data is disclosed for research purposes in accordance with the HIPAA Privacy Rule at 45 C.F.R. 164.512(i). The NPRM also proposes regulatory changes to clarify that research disclosures can be made to workforce members of a covered entity for purposes of employer sponsored research, or “to recipients who are covered by FDA regulations for the protection of human subjects in clinical investigations” as long as there is documented compliance with FDA regulatory requirements and the disclosure is pursuant to authority under the Food, Drugs and Cosmetics Act.

Permissible Audit and Evaluation Activities (§ 2.53)

To address perceived confusion concerning disclosures without patient consent for audit and evaluation purposes, SAMHSA proposes revisions to allow government agencies and third party payers to receive Part 2 records without patient consent to preform periodic audits and evaluations, provided such agencies and payers abide by restrictions on re-disclosure and all other Part 2 confidentiality restrictions. SAMHSA also proposes to include a new, non-exhaustive advisory list of allowable program evaluation activities that use patient identifying information. SAMHSA also proposes to clarify that audit and evaluation activities may include “reviews of appropriateness of medical care, medical necessity, and utilization.”

Additional Provisions

The NPRM also proposes changes to Part 2 regulations governing the use of Part 2 information to prevent multiple enrollments, and the use of undercover agents in Part 2 programs.

Deadline for Public Comments

SAMHSA is accepting public comments on the NPRM until October 25, 2019 at 5 p.m. Comments should refer to file code SAMHSA 4162-20, and be submitted electronically, by regular mail, by express or overnight mail, or by hand or courier.


This post was co-authored by Michael Lisitano, legal intern at Robinson+Cole. Michael is not yet admitted to practice law.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Conor Duffy Cybersecurity Attorney
Associate

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.

Regulatory

Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...

860.275.8342