On January 18, 2017, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (“SAMHSA”) published a final rule amending 42 C.F.R. Part 2 (“Part 2”), with an effective date that has now been delayed until March 21, 2017. Modernization of the Part 2 rule is critical given that these guidelines have not been revised for nearly 30 years. Although many will be pleased with SAMHSA’s steps to promote coordinated care, the final rule also includes some changes that will make it more difficult to share Part 2 records in other circumstances. A brief summary of the primary changes to the Part 2 rule follows.
1. “To Whom” Consent Requirements
The proposed rule acknowledged that the Part 2 consent requirements prevented Part 2 programs and their patients from participating in integrated care models, which require enhanced information sharing among a patient’s treating providers. Specifically, the proposed rule expanded the pool of potential recipients; a patient’s consent now may permit Part 2 records to be shared with all providers involved in the patient’s past, present and future care. The final rule adopts this provision, enabling a patient to consent broadly to the disclosure of his or her information to individuals or entities whose members have a “treating provider relationship” with the patient. To take advantage of this provision, (a) patients must provide a general designation in the “To Whom” section of the written consent, and (b) patients must be notified of their ability to request a list of disclosures (see below). The new requirements for the content of the "To Whom" section of a patient consent are as follows:
- If an entity has a treating provider relationship with the patient, specifying the name of the entity in the consent is sufficient.
- The consent should designate the name(s) of any particular third party payer(s) with whom Part 2 information may be shared.
- If an entity such as a health information exchange is facilitating data sharing among providers, the consent should indicate the name of each such entity and:
  - The name of each individual participant (for example, a physician that participates in the health information exchange); and/or
  - The name of any entity participant that has a treating provider relationship with the patient whose information is being disclosed (for example, a hospital that participates in the exchange); and/or
  - A general designation of each individual or entity participant or class of participants, which must be limited to participants with treating provider relationships with the patient whose information is being disclosed (for example, “my current and future treating providers”).
For all other individuals or entities that are not treating providers, the consent must specify the names of each particular authorized recipient.
While the above changes are constructive, the final rule will make it more difficult to share Part 2 records in other circumstances. Currently, a patient consent can specify “the name or title of the individual or the organization to which disclosure is to be made.” Under the new final rule, the consent must specifically name any authorized recipient (by individual name – naming an entity is insufficient) who is not a treating provider, third party payer, or intermediary for data-sharing among treating providers. Our blog post discusses the impact of this change in greater detail, and suggests that entities consider requesting that the rule be reopened to address this concern.
2. Accounting of Disclosures
The final rule will entitle patients who consent to a general disclosure designation (such as “my current and future treating providers”) to obtain a list of the individuals and entities to whom their information has been disclosed. A patient’s request for a list of such disclosures must be in writing (including paper or electronic requests). The entity receiving the request must respond within 30 days of receiving it. Although the response need go back only two years, the final rule expands the types of disclosures that Part 2 programs must track beyond those they must track under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (which does not require an accounting of disclosures for treatment, payment, or health care operations), and poses significant challenges for those programs already struggling to maintain an accounting of disclosures for HIPAA purposes.
3. “Amount and Kind” Consent Requirements
Patient consents already must describe how much and what kind of information is to be disclosed. The final rule adds a requirement that the substance use disorder information that may be disclosed be explicitly described. For example, rather than merely requiring consent to the release of substance use disorder information generally, the final rule – according to the preamble commentary – explains that the consent should allow the patient to consent only to the disclosure of discrete subsets of information. Examples of such discrete subsets include “diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, elements of a medical record such as clinical notes and discharge summary, employment information, living situation and social supports, and claims/encounter data.” As discussed in our separate blog post, this requirement may prove difficult to operationalize, and entities may wish to consider requesting the reopening of the rule on this point.
4. Security of Records
The final rule updates the data-security requirements to account for both paper and electronic records. Specifically, Part 2 programs and other lawful holders of patient identifying information must have formal policies and procedures for the security of paper and electronic records. In particular, to more closely align with the HIPAA Security Rule, 42 C.F.R. § 2.16(a)(2)(i) now requires that a Part 2 program’s security policies for electronic records must include “creating, receiving, maintaining, and transmitting such records.”
5. Discontinued Records
When a Part 2 program is acquired by another program or discontinues operations, it must remove patient identifying information from its records or destroy the records entirely, including by sanitization or destruction. Destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. SAMHSA indicates that the process of sanitizing paper or electronic media must be permanent and irreversible, so there is no reasonable risk that the information may be recovered.
6. Prohibition on Re-Disclosure
SAMHSA clarifies that the prohibition on re-disclosure only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder. The final rule also allows other health-related information shared by the Part 2 program to be re-disclosed, if permissible under other applicable laws.
7. Medical Emergencies
The new rule revises the medical emergency exception by giving providers greater discretion to determine when a “bona fide medical emergency” (42 U.S.C. 290dd-2(b)(2)(A)) exists. The revised language provides that patient identifying information may be disclosed to medical personnel to the extent necessary to meet a “bona fide medical emergency” in which the patient's prior informed consent cannot be obtained. Still, SAMHSA requires the Part 2 program to immediately document specific information related to the medical emergency.
8. Research
The final rule revises the Part 2 research exception to permit any lawful holder of Part 2 patient identifying information to disclose Part 2 records to qualified personnel for the purpose of conducting scientific research, if the researchers provide documentation indicating that they have met certain other existing privacy protections for human subject research. For example, if a researcher is a HIPAA-covered entity or business associate, it must obtain and document authorization from the patient, or a waiver or alteration of authorization approved by an institutional review board (“IRB”), consistent with the HIPAA Privacy Rule and other law. SAMHSA also enables researchers to link to data sets from data repositories holding Part 2 data pursuant to certain regulatory requirements (e.g., IRB review and approval; prohibiting disclosure under this part to law enforcement).
9. Audit and Evaluation
SAMHSA provides that the audit or evaluation provision applies to electronic as well as paper records, and permits the Part 2 program, rather than just the program director, to determine who is qualified to conduct an audit or evaluation of the Part 2 program. Further, SAMHSA permits disclosure of patient identifying information for an audit or evaluation necessary to meet the requirements of a CMS-regulated accountable care organization (“ACO”) or similar organization, if certain requirements are met (for example, that the audit or evaluation organization has a signed Participation Agreement with the Centers for Medicare & Medicaid Services (“CMS”) or similar documentation demonstrating that the organization and its auditors or evaluators will conduct the audit and evaluation activities in compliance with 42 U.S.C. 290dd-2 and 42 C.F.R. Part 2).
10. Changes to Various Definitions
New Definitions of Note:
Substance Use Disorder
The final rule adds the term “substance use disorder” to replace separate definitions for “alcohol abuse” and “drug abuse.” The new term covers substance use disorders that may be associated with altered mental status and that can lead to risky or socially prohibited behaviors, “including, but not limited to, substances such as, alcohol, cannabis, hallucinogens, inhalants, opioids, sedatives, hypnotics, anxiolytics, and stimulants.” Additionally, the definition of “substance use disorder” clarifies that, for purposes of Part 2, the term excludes both tobacco and caffeine use.
Treating Provider Relationship
SAMHSA also adds the term “treating provider relationship” to ensure that Part 2 information is protected in situations where a patient is diagnosed, evaluated, and/or treated without actually having consented to the care (for example, involuntary commitment). Specifically, according to SAMHSA, a “treating provider relationship” exists, regardless of whether an in-person encounter occurred, if:
- “A patient is, agrees to [be], or is legally required to be diagnosed, evaluated, and/or treated, or agrees to accept consultation, for any condition by an individual or entity, and;
- The individual or entity undertakes or agrees to undertake diagnosis, evaluation, and/or treatment of the patient, or consultation with the patient, for any condition.”
Importantly, SAMHSA considers an entity to have a “treating provider relationship” with a patient if the entity employs or privileges one or more individuals who have a “treating provider relationship” with the patient, as defined.
Changes to Existing Definitions:
SAMHSA modifies the definition of “disclose” or “disclosure” to mean “to communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.”
The final rule amends the term “patient” such that it refers to both current and former patients.
Patient Identifying Information
SAMHSA also modifies the definition of “patient identifying information” to add the identifiers listed in the HIPAA Privacy Rule at 45 C.F.R. § 164.514(b)(2)(i) that were not already included in the definition of “patient identifying information,” to meet the “or similar information” standard.
The final rule represents modernization of the Part 2 rule, particularly by providing patients with the ability to make a general designation about which treating providers may review their records. Still, the final rule limits communication among providers in some ways and fails to align fully with HIPAA. This will lead to further confusion, and conflation of Part 2 with HIPAA. The final rule also burdens Part 2 programs with the task of maintaining lists of entities that have received each patient’s Part 2 information over the prior two years. An organization must provide such a list to a requesting patient within 30 days. Although this provision gives patients access to more information about disclosures of their records, as we have seen with HIPAA, the burden of maintaining an accounting of disclosures often far outweighs the benefit. Furthermore, SAMHSA has indicated that Part 2 programs will have only 30 days to come into compliance with the final rule, although current Part 2 consent documents may remain in place until expiration. This assumes that all Part 2 programs can immediately allocate significant resources to understanding the nuances of the final rule, and rapidly implement its new requirements.