Client Alerts & Newsletters

SAMHSA's "Final" Substance Use Disorder Records Confidentiality Rules: a Short-Term Change Towards Further Alignment with HIPAA in 2021

Jul.23.2020

On July 15th, the Substance Abuse and Mental Health Services Administration of the Department of Health & Human Services (SAMHSA) published final rules (“Final Rule”) revising its regulations on the Confidentiality of Substance Use Disorder Patient Records at 42 C.F.R. Part 2 (“Part 2”). This Final Rule will be effective August 14, 2020 and follows prior Part 2 rules that relaxed restrictions to enable greater access and availability of Part 2 covered records as more health data is being shared electronically.

The Final Rule largely finalizes changes that were proposed in late 2019, which we detailed in a previous alert. Of note, these changes:

  • Reduce some of the restrictions imposed on recipients of information derived from Part 2-covered records in making further disclosures,
  • Relax certain requirements for the content of patient consents to disclose Part 2-covered records to other individuals and institutions, and
  • Clarify the contexts under which recipients of Part 2-covered records can disclose such records for payment and health care operations (including care coordination and case management activities), for research purposes, as well as to support auditing and evaluation activities.

Other provisions of the Final Rule address the disclosure of records in relation to opioid treatment programs (OTPs) and prescription drug monitoring programs (PDMPs), and during state or federally declared disaster periods. SAMHSA also provides overall guidance to employees, volunteers and trainees of Part 2 facilities on the use of personal devices and accounts, and particularly the sanitation standards applicable to such items.

Yet, SAMHSA noted the just-published Final Rule provides “interim and transitional standards”; Part 2 is slated to change significantly because section 3221 of the Coronavirus Aid, Relief and Economic Security Act (“CARES Act”), enacted on March 27, 2020, made significant amendments to the Part 2 authorizing statute in an effort to more closely align Part 2 with the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, HIPAA). Thus, while none of the CARES Act’s updates to the Part 2 statute are implemented in this most recent Final Rule, SAMHSA eventually will publish a new notice of proposed rulemaking and subsequently issue a new final rulemaking to implement the changes from the CARES Act. Any updated Part 2 regulations issued pursuant to the CARES Act would take effect no earlier than March 27, 2021. We anticipate that HHS will consider how this regulation aligns with anticipated rulemaking to update the HIPAA regulations, which has yet to be submitted to the Office of Management and Budget for review.

Provisions of the Final Rule

The Final Rule continues the basic framework for confidentiality protection of substance use disorder (SUD) patient records created by federally assisted SUD treatment programs. As amended by the Final Rule, Part 2 will still:

  • Restrict the disclosure of SUD treatment records without written patient consent, with some limited exceptions;
  • Prohibit the use of SUD patient records by law enforcement in criminal prosecutions against patients, absent a court order; and
  • Allow for disclosures of SUD treatment records for the purpose of scientific research, audit, or program evaluation, or based on an appropriate court order.

The Final Rule, however, attempts to provide for more flexibility, as described below, to health care providers, plans, health information exchanges (HIEs), and electronic health records (EHR) vendors to disclose such records, for increasingly common health information sharing scenarios and approaches that previously triggered Part 2’s extensive protections.

Updates to Key Concepts – Records, Consent for Disclosures, and Permissible (Re)Disclosures

By amending the definition of “records” under § 2.11 and providing new language at § 2.12(d)(2)(C)(ii) in the “Applicability” section, SAMHSA finalized its proposals to allow non-Part 2 providers to receive SUD information from a Part 2 program and use that information to inform a treatment discussion with the patient without triggering the strict protections usually required. As a result, the following fact scenarios will not result in the application of Part 2 restrictions:

  • Where SUD information is conveyed orally by a Part 2 program to a non-Part 2 provider for treatment purposes with patient consent, and the non-Part 2 provider reduces the information to writing.
  • Where a non-Part 2 provider receives SUD records from a Part 2 program and uses these records to inform subsequent independent conversations with the patient, and then creates new records based on these patient conversations that mention the patient’s SUD status and related care.

In contrast, a non-Part 2 provider that directly copies, incorporates, or transcribes written SUD record information from a Part 2 program into the non-Part 2 provider’s own records must still comply with Part 2’s extensive restrictions for privacy of the records and against re-disclosure. Therefore, non-Part 2 providers that generate records using such methods still must be maintained separately to ensure that the entire record held by the non-Part 2 entity is not subject to Part 2’s onerous restrictions.

In addition, the Final Rule modifies the “Consent” requirements under § 2.31. As finalized, SAMHSA has modified the Final Rule to allow Part 2 programs to share a patient’s SUD records if the patient’s written consent lists the recipient entity on the “to whom” portion of the consent form. The Final Rule neither requires the patient to identify a specific individual at the recipient entity, nor have a treating provider relationship with an individual at the recipient entity the patient lists.

SAMHSA made these changes largely to remove the barriers to care that arose because, for example, individuals did not always have the name of an individual provider in the course of coordinating their care, the name of a staff person when applying for benefits or other assistance from government agencies, or an employer or contractor at a health plan. In addition to “continuing to permit patient consent to disclosures to third-party payers based on naming the recipient entity, without specifying an individual recipient at that entity,” the changes to § 2.31(a)(4) also provide flexibility to entities that facilitate health information exchange (HIE) and research institutions to include the name of the HIE or research institution and either (1) the name(s) of an individual or entity participant(s), or (2) a general designation of an individual or entity participant(s) or class of participants, limited to a participant(s) who has a treating provider relationship with the patient (e.g., “all my treating providers”). HIEs must particularly take note that a general designation would need to be applied in a manner that limits disclosures of Part 2 records to those participants in the HIE that have a treating relationship with the patient who has provided the written consent.1

SAMHSA also finalized, as proposed, the changes to the provision in § 2.32(a)(1) that revise the necessary language to accompany disclosures of Part 2 records made pursuant to a patient’s written consent. The language changes are intended to convey that only the Part 2 record is subject to the prohibition on re-disclosure. Furthermore, in the Final Rule preamble, the agency emphasizes that non-Part 2 providers “do not need to redact information in a non-part 2 record regarding SUD and [Part 2] allows re-disclosure if expressly permitted by written consent of the patient or permitted under part 2 regulations.”

SAMHSA also modified § 2.34 to enable Part 2 programs to disclose Part 2 information to medical personnel without patient consent as necessary to deliver SUD services in a natural or major disaster (e.g., if the Part 2 program is closed and unable to either provide services or obtain the patient’s consent due to a state of emergency as declared by a state or federal authority).

Other portions of the Final Rule finalize proposals that are intended to facilitate care coordination efforts to combat the opioid public health emergency. Related to this focus, the Final Rule will now allow:

  • Non-opioid treatment program (non-OTP) providers that have a treating provider relationship with a particular patient to query a central registry (see § 2.34(d)); and
  • OTPs and other “lawful holders” of Part 2 information to enroll in PDMPs and disclose dispensing and prescribing data to PDMPs as required under applicable state law and subject to patient consent, to help prevent duplicative enrollments in SUD care, excessive opioid prescriptions, and SUD-related adverse drug events (see § 2.36).

Finally, to provide additional flexibility for research activities involving SUD information and related disclosures necessary to facilitate that research, SAMHSA finalized its proposal to align Part 2’s research provisions at § 2.52 with those of HIPAA and the Federal Policy for the Protection of Human Subjects (the “Common Rule” promulgated at 45 C.F.R. Part 46). As promulgated, the Final Rule now allows research disclosures of Part 2 information from a HIPAA covered entity or business associate to individuals and organizations who are neither HIPAA covered entities nor subject to the Common Rule, so long as such disclosures are made in accordance with HIPAA’s research provisions at 45 C.F.R. § 164.512(i). SAMHSA also finalized its other revisions to Part 2’s research provisions to permit research disclosures to recipients who are covered by Food and Drug Administration (“FDA”) regulations for the protection of human subjects in clinical investigations at 21 C.F.R. Part 50, subject to certain requirements imposed under FDA’s authority.

But ultimately, SAMHSA did not finalize the proposed changes to § 2.52 that would have allowed certain research disclosures to be made to a HIPAA covered entity’s workforce members for employer-sponsored research, because commenters expressed concerns that this could be interpreted as allowing employers to conduct research on SUDs involving their employees. While that means there is no policy related to disclosures by Part 2 to a HIPAA covered entity’s workforce at this time, it is likely that pursuant to the CARES Act, SAMHSA will consider whether and how to facilitate such disclosures in alignment with the HIPAA regulations.

Clarification of Permissible Disclosures for Payment and Health Care Operations

All stakeholders, but particularly health care payers, should particularly take note of the finalized list of payment and health care operations in the regulatory text at § 2.33 that clarify the scope of a patient’s written consent for disclosures of their Part 2 records related to such activities.

SAMHSA finalized the proposed list of 17 specific types of payment and health care operations, but in the Final Rule added disclosures for “care coordination and case management” as an 18th type of permissible activity, as well as a catch-all provision for “other payment/health care operations activities not expressly prohibited by this provision.” Barring a major overhaul of the definition of payment or health care operations under the HIPAA regulations, it is unlikely that this list will change after the implementation of regulatory updates to Part 2 pursuant to section 3221 of the CARES Act. The full, finalized list of payment and health care operations activities is below.

  1. Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing, and/or related health care data processing
  2. Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services)
  3. Patient safety activities
  4. Training involving student trainees, health care professionals, and non-health care professionals, and/or assessment activities related to practitioner competencies and provider or health plan performance
  5. Accreditation, certification, licensing, or credentialing activities
  6. Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care
  7. Third-party liability coverage
  8. Activities related to addressing fraud, waste and/or abuse
  9. Conducting or arranging for medical review, legal services, and/or auditing functions
  10. Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies
  11. Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations
  12. Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers
  13. Resolution of internal grievances
  14. The sale, transfer, merger, consolidation, or dissolution of an organization
  15. Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims
  16. Risk adjusting amounts due based on enrollee health status and demographic characteristics
  17. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges
  18. Care coordination and/or case management services in support of payment or health care operations
  19. Other payment/health care operations activities not expressly prohibited in this provision

Segmentation

In contexts where plans, EHR vendors, and HIEs do need to comply with the Final Rule, SAMHSA specifically does not “impose on non-part 2 entities any new requirement for data segmentation as a practice, nor do they establish any new standards or requirements for EHR technology.” As in the proposed rule, SAMHSA steered away from creating a regulatory definition of “segmentation,” because a formal definition might have unforeseen technical consequences for EHRs and HIEs in particular.

The Final Rule preamble generally acknowledges two main ways that “segmentation” may be achieved for compliance: (1) using an EHR or other technology that supports data tagging and segmentation for privacy and consent management; and (2) “segregating” or “holding apart” of paper records received from a Part 2 program by the non-Part 2 program recipient. SAMHSA indicated that it will continue to advise on issues under Part 2 to support interoperability certification and enforcement and standard-setting for EHRs that fall under the authority of the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS). Both the ONC and CMS are actively preparing for enforcing upcoming compliance deadlines for their final rules regarding interoperability, information blocking, and patient access that have bearing on the exchange of health care information beyond SUD records covered by 42 C.F.R. Part 2.

Audits and Evaluations

With respect to audits and evaluations, SAMHSA finalized its proposed changes to § 2.53. Specifically, the final regulatory language now allows for the disclosure of Part 2 records to entities performing audits and evaluations on behalf of: (1) federal, state, or local government agencies; (2) individuals or entities that provide financial assistance to the Part 2 program; (3) third-party payers covering patients in the Part 2 program; (4) quality improvement organizations performing reviews; (5) the contractors, subcontractors, or legal representatives of such entities listed in (1) through (4); and (6) entities with “direct administrative control over the part 2 program or lawful holder.” SAMHSA added the last category to the others that were in the existing regulations, and clarified that this phrase refers to the situation in which a SUD unit “is a component of a larger behavioral health program or of a general health program.” The Final Rule also provides clarification on the types of activities included in the term “audits and evaluations,” which now expressly includes:

  • Activities undertaken by a governmental agency or payer to identify actions it can take to (1) improve care and outcomes for patients with SUDs who are treated by Part 2 programs, (2) ensure the effective management of resources, or (3) determine the need for adjustments to payment policies to enhance care or coverage for patients with SUDs; and
  • Reviews of appropriateness of medical care, medical necessity, and utilization of services.

Preparing for Future CARES Act Changes to Part 2

Overall, SAMHSA characterized the Final Rule as a deregulatory action “because it eliminates some of the burdens of, and barriers to, SUD treatment record-keeping previously imposed.” The amendments in the CARES Act to the statute authorizing the Part 2 regulations are a further step in that direction and enable SAMHSA to make more significant regulatory changes to align Part 2 and HIPAA.

As SAMHSA works to align its regulations more closely with HIPAA, it needs to collaborate with the HHS Office of Civil Rights (OCR) on its planned notice of proposed rulemaking to modify the HIPAA regulations. OCR issued a Request for Information in December 2018 seeking comments on how it should update the HIPAA regulations to better facilitate care coordination and management and account for advancements in technology since the last major update of the HIPAA rules in 2013. The agency, however, still has yet to publish any proposed regulations even though the Spring 2020 Unified Agenda anticipated a June 2020 release.

The Crowell Digital Health team is closely following these two parallel regulatory tracks and their implications for clients, and can advise on preparing for future changes that will result from rulemaking by SAMHSA and OCR related to privacy and confidentiality of health records, as well as on recently finalized rules from ONC and CMS regarding interoperability, information blocking, and patient access that have bearing on the exchange of health care information more broadly. For all of our previous alerts and insights on laws, regulations, and guidance governing the exchange of health information, please visit the Digital Health team’s Health Data page.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Jodi G. Daniel
Partner – Washington, D.C.
Phone: +1 202.624.2908
Email: jdaniel@crowell.com

Brandon C. Ge
Counsel – Washington, D.C.
Phone: +1 202.624.2531
Email: bge@crowell.com

Crowell & Moring LLP is an international law firm with more than 500 lawyers representing clients in litigation and arbitration, regulatory, and transactional matters. The firm is internationally recognized for its representation of Fortune 500 companies in high-stakes litigation, as well as its ongoing commitment to pro bono service and diversity. The firm has offices in Washington, DC, New York, Los Angeles, San Francisco, Orange County, London, Brussels, and Shanghai.

View Desktop Site | Mobile Sitemap

Contact | Subscribe | Terms of Use | Privacy Statement | Alumni

© Crowell & Moring LLP 2020
Attorney advertising - prior results do not guarantee a similar outcome.