HHS Issues New Regulation Aligning More Closely Privacy Rules for Substance Abuse with HIPAA

Alert
July 28, 2020

On Monday, July 13, 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the United States Department of Health and Human Services (HHS), issued a final rule amending the Confidentiality of Substance Use Disorder Patient Records regulations under 42 CFR Part 2 (SUD Regulations). The most recent amendments to the SUD Regulations continue SAMHSA’s efforts to align its privacy protections with those provided under the Health Insurance Portability and Accountability Act (HIPAA).[1] Although the reforms ease the ability of providers treating patients with substance use disorders (SUD) to coordinate treatment and participate in other care improvement activities, these requirements remain stricter than those of HIPAA. This alert details the changes to the SUD Regulations and the extent to which the new regulations align with HIPAA.

History. The SUD Regulations apply to federally assisted alcohol and drug abuse programs, including opioid treatment programs, behavioral health centers, and mental health centers, as well as any other entity[2] that provides or holds itself out as providing diagnosis, treatment, or referral for treatment for a SUD (Part 2 Programs). The SUD Regulations were originally issued in 1975 to address concerns about the potential use of SUD information in non-treatment-based settings. They were implemented before the broad privacy and security protections for personal health information (PHI) were enacted under HIPAA.[3] The SUD Regulations created significant confidentiality protections and are in addition to the HIPAA privacy requirements applicable to all covered entities, including Part 2 Programs. As a result, Part 2 Programs must comply with more stringent federal protections than health care providers not subject to the SUD Regulations. Over time, SAMHSA published regulations to alleviate the confidentiality burdens created by the SUD Regulations by providing greater flexibility to exchange SUD information within the healthcare system, and to clarify permitted uses of SUD information for payment, operations, audits and evaluations.[4]

Key Provisions of Final Rule. More recently, the emergence of the opioid crisis increased demand for SUD treatment and highlighted the need for further provider flexibility to share SUD information during treatment of a patient. In addition to final rules published in 2017 and 2018, on July 13, 2020, SAMHSA issued new final rules that further harmonize SUD Regulations and HIPAA privacy requirements. In the final rule, SAMHSA noted its long effort to align the SUD Regulations with HIPAA and the aligned Congressional intent illustrated under the Coronavirus Aid, Relief and Economic Security Act (CARES Act), passed in March 2020. The final rule, in the works prior to the CARES Act, introduces a number of changes to the SUD Regulations, including but not limited to the following:

  • SUD patients may consent to have their Part 2 Program treatment records disclosed to an entity without naming a specific recipient;
  • Provides examples of permissible disclosures of Part 2 Program treatment records for payment and healthcare operations, and clarifies additional allowable disclosures for audit and evaluation activities;
  • Permits disclosure of SUD information for public health activities by Part 2 Programs or other lawful holders of Part 2 Program SUD information, to state prescription drug monitoring programs (PDMPs); and
  • Allows certain non-Part 2 Program providers with a treating provider relationship to access a central registry to see if a patient is already receiving opioid treatment.

More changes forthcoming. SAMHSA has also indicated that the SUD Regulations will continue to be harmonized with HIPAA due to passage of the CARES Act. The CARES Act amended several sections of the SUD Regulations’ authorizing statute (42 U.S.C. 290dd–2) specifically to allow greater flexibility for the sharing of SUD information and alignment with HIPAA.[5] SAMHSA intends to issue new proposed rules within the next 12 months to implement the CARES Act amendments.[6]

Comparison with HIPAA. The chart below details the most recent changes to the SUD Regulations and the corresponding protections under HIPAA. Part 2 Programs must ensure that they understand their obligations under both SUD Regulations and HIPAA, and ensure that they comply with both in their operations. Although the trend towards relaxation of SUD regulations to align with HIPAA will continue, SUD regulations still contain stricter requirements than HIPAA due to the particular sensitivity of the treatment information involved. Part 2 Programs must continue to ensure these differences are accounted for in their policies, procedures, and practices.

HIPAA - SUD Regulations Comparison:

| Topic | The SUD Regulations | HIPAA |
| --- | --- | --- |
| Oral transmission of consented treatment information | SUD treatment information conveyed orally by a Part 2 Program to a non-Part 2 Program provider for treatment purposes with the consent of the patient, does not become a record subject to SUD Regulations if the non-Part 2 Program provider reduces the information to writing. (42 CFR § 2.11). | The SUD treatment records created by the non-Part 2 provider will still be considered PHI and subject to HIPAA. |
| Separate treatment records | SUD treatment records created by non-Part 2 Program providers are not subject to the SUD Regulations if the non-Part 2 Program provider keeps their treatment records separate from the SUD records received from a Part 2 Program. (42 CFR § 2.12). | The SUD treatment records created by the non-Part 2 provider will still be considered PHI and subject to HIPAA. |
| Re-disclosure prohibition statement | Amended the prohibition on re-disclosure statement which must be included on each disclosure made with the patient’s written consent. (42 CFR § 2.32). | Prohibition on re-disclosure statement is not required for disclosures with patient authorization under HIPAA. |
| Deletion of patient messages sent to employees’ personal devices | Part 2 Program employees may delete incidental messages sent by SUD patients to their personal devices by deleting the message. (42 CFR §§ 2.11, 2.16, 2.19). | Incidental messages sent by a patient to a non-Part 2 Program employee, may be deleted without the need to sanitize the personal device. |
| Specificity of recipient for patient-consented disclosure | A SUD patient is able to consent to the disclosure of her or his Part 2 Program treatment records to an entity without naming a specific recipient at the entity. (42 CFR § 2.31). | A valid authorization for disclosure of PHI under HIPAA does not require a specific name and can list “other specific identification of the person(s), or class of persons” that will receive the PHI under the disclosure or use. (45 C.F.R. § 164.508). |
| Defining permitted kinds of disclosures for payment and healthcare operations | A SUD patient’s written consent allows disclosures for “payment and healthcare operations.” The new regulations include a list of 18 examples of permissible payments or health care activities, including care coordination and/or case management services. (42 CFR § 2.33). | A covered entity may use PHI for treatment, payment, or healthcare operations without the patient’s authorization. (45 C.F.R. § 164.506). Under HIPAA, the definition of healthcare operations includes case management and care coordination. (45 C.F.R. § 164.501). |
| Central registry searches for patient treatment history | Non-opioid treatment programs and non-central registry providers with a treating provider relationship to the patient are able to search a central registry to see if a patient is already receiving opioid treatment. (42 CFR § 2.34). | N/A |
| Disclosing patient information to State PDMPs | A Part 2 Program or other lawful holder of Part 2 Program patient data is able to participate in state PDMPs if required by state law, and report prescribing or dispensing of Schedule II-IV medications to a state’s PDMP. (42 CFR § 2.36). | A covered entity may, consistent with state law requirements, report prescribing or dispensing of Schedule II-IV medications to a state’s PDMP for uses and disclosures required by law, or for uses and disclosures for public health activities. (45 C.F.R. § 164.501). |
| Disclosures during medical emergencies | Authorizes disclosure of patient’s SUD records to medical personnel without patient consent to the extent necessary during a “bona fide medical emergency” in which a Part 2 Program facility is closed and unable to provide services, during a temporary state of emergency declared by state or federal government as the result of a natural or major disaster. (42 CFR § 2.51). | A covered entity may use PHI for treatment, without the patient’s authorization. Treatment includes sharing PHI with other medical personnel. (45 C.F.R. §§ 164.501, 164.506). During a national or public health emergency the Secretary of HHS may waive certain HIPAA provisions under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.[7] |
| Disclosures for research | Disclosure of Part 2 Program patient data is permissible by HIPAA-covered entities or business associates to entities not subject to HIPAA or the Common Rule, for the purpose of conducting scientific research. The disclosure must be made in accordance with HIPAA regulation 45 CFR 164.512(i). (42 CFR § 2.52). | 45 CFR 164.512(i) is the HIPAA regulation that allows a covered entity to disclose a patient’s PHI, without the patient’s permission, for research purposes as long as listed requirements are met, which may include issuance of a waiver of patient authorization by an institutional review board or privacy board or limited use of the PHI (e.g., preparatory to research). |
| Disclosures for audits and program evaluations | Details additional permissible disclosure for audits and program evaluations of Part 2 Programs or other lawful holders of Part 2 Program patient data. (42 CFR § 2.53). | A covered entity may use PHI for healthcare operations without the patient’s authorization. (45 C.F.R. § 164.506). The definition of healthcare operations includes auditing functions, and conducting quality assessment and improvement activities. (45 C.F.R. § 164.501). |
| Placement of undercover agents and informants | With a court order, undercover agents and informants are able to be placed within a Part 2 Program for 12 months. Courts are able to extend the placement with a new court order. (42 CFR § 2.67). | N/A |

  1. HHS, Health Privacy Rule 42 CFR Part 2 is Revised, Modernizing Care Coordination for Americans Seeking Treatment for Substance Use Disorders (July 13, 2020), available at https://insidehealthpolicy.com/sites/insidehealthpolicy.com/files/documents/2020/jul/he2020_1503.pdf.
  2. A “program” (defined at § 2.11) is an individual, entity (other than a general medical facility), or an identified unit in a general medical facility, that “holds itself out” as providing and provides diagnosis, treatment, or referral for treatment for a SUD. Medical personnel or other staff in a general medical facility who are identified as providers whose primary function is to provide diagnosis, treatment, or referral for treatment for a SUD are also Programs. SAMHSA, Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?, available at https://www.samhsa.gov/sites/default/files/does-part2-apply.pdf.
  3. 42 CFR 2.12(a).
  4. 85 FR 42986 (July 15, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-07-15/pdf/2020-14675.pdf.
  5. 85 FR 42987.
  6. 85 FR 42990.
  7. HHS, Is the HIPAA Privacy Rule suspended during a national or public health emergency?, available at https://www.hhs.gov/hipaa/for-professionals/faq/1068/is-hipaa-suspended-during-a-national-or-public-health-emergency/index.html.