Summarizing the 42 CFR Part 2 Final Rule
On Jan. 13, 2017, the Substance Abuse and Mental Health Services Administration (SAMHSA) announced the final rule under 42 CFR Part 2, which regulates the confidentiality of substance abuse patient records. This final rule adopts many of the revisions proposed in the Notice of Proposed Rulemaking issued on Feb. 9, 2016.
The final rule now allows for the disclosure of patient information with a consent from a Part 2 program to an intermediary, such as a Health Information Exchange, which may then disclose to its participants that have a treating provider relationship with the substance abuse disorder (SUD) patient. The treating providers will no longer need to be specifically identified in the consent form. In exchange for this loosening of the Part 2 requirements, the intermediary (not the Part 2 program) must give the patient a list of disclosures of the SUD information upon request. The list will identify each of the recipients of the SUD information pursuant to the general designation.
Other highlights of the revisions are summarized below.
1. To Whom
The final rule adopts the revisions set forth in the Notice of Proposed Rulemaking (NPRM) to the "To Whom" requirement under the consent provisions. This element allows for a consent to be executed to an intermediary, such as an HIE that doesn't have a treating provider relationship, to allow for a disclosure pursuant to a general designation that only identifies the recipients as those participants in the HIE with a treating provider relationship. That designation would allow for the disclosure to past, present and future providers that have a treatment relationship with the patient without specifically identifying each. Thus, if the patient executed such a consent and a new provider entered the HIE, a new consent would not be necessary to permit disclosures to that provider.
This new opportunity for disclosure is only allowed if the intermediary party is able to track and generate a list of disclosures. The list of disclosures identifies the recipients of the SUD information for up to the prior two years. The list of disclosures is more robust than the accounting of disclosures currently required under HIPAA. Although the HITECH Act imposed a duty to account for disclosures for treatment under HIPAA, similar to the list of disclosures, that requirement has not been implemented. Thus, medical providers have a less difficult compliance burden than the behavioral health providers, which generally have not received the financial assistance for adoption of health information technology.
In addition, the list of disclosures must be implemented as soon as the intermediary wants to begin using the general designation under the consent process. This may result in significant delays. Note, however, that while SAMHSA does not prohibit it, the agency requests that costs for the list of disclosures not be passed on to the patient.
2. From Whom
The final rule doesn't for the most part adopt the provisions of the NPRM regarding the restrictive requirements proposed for the “From Whom” element under the consent section. The NPRM sought to impose a new duty to specifically identify the party disclosing the SUD information. The final rule generally doesn't impose such a duty and retains the less stringent requirements of the existing rule.
This is important because using the general designation allowed under the To Whom provision, coupled with a multi-party, bidirectional consent, the general designation permitted by the From Whom provision under the final rule, will allow for disclosure to and among the participants in an integrated care environment such as an HIE. It appears that the final rule consent described would permit disclosure from the Part 2 program, to the intermediary, to the treating provider, and then to another treating provider.
3. Re-disclosure Prohibition
The final rule only slightly modified the existing prohibition against re-disclosure. It now makes clear that only data that directly or indirectly identifies a patient as suffering from an SUD is subject to this prohibition. This clarification does not seem to be meaningful. Any information that could potentially identify the patient as suffering from an SUD, such as name, diagnosis, medications or vital signs each accompanied by the name of the Part 2 program, would be subject to the prohibition. Thus, the context and not necessarily the data itself is the determining factor of whether data could be re-disclosed. This may be difficult for electronic systems to flag or segment.
The preamble to the final rule confirms that the disclosure from one treating provider to another treating provider in an HIE would be considered a re-disclosure. Thus, the consent process described above using the retained From Whom provision is necessary to avoid the prohibition.
4. Medical Emergencies
The final rule adopts the language of the NPRM that attempts to align the language of the medical emergency section with that set forth under the statute itself. This should result in a more expansive interpretation and application of the exception to allow for the disclosure of SUD treatment information for medical emergencies.
The final rule adopts for the most part the language of the NPRM relating to research. This provision aligns much of the requirements of Part 2 with HIPAA and the Common Rule but retains some of the more restrictive requirements.
6. Patient Identifying Information
The final rule attempts to align this definition with the definition of "Protected Health Information" under HIPAA. However, there is a recognition referenced in the re-disclosure prohibition that only data that would identify a patient as suffering from an SUD or undergoing SUD treatment is protected under Part 2. This creates uncertainty that is not present under HIPAA because the Part 2 program and the recipient of the information must look to the context of the information to try to determine whether the information could be used to identify the patient as suffering from an SUD or receiving SUD treatment. HIPAA sets forth a more definite definition of what is protected health information and does not necessarily vary depending upon the situation.
7. Qualified Service Organization (QSO)
The final rule narrows the ability to use the QSO arrangement in situations in which it was previously relied upon. For instance, care coordination and medication management are no longer acceptable purposes for using a QSO Agreement. The preamble provides that a QSO may not be utilized to avoid the use of an appropriate consent in a treatment context. The NPRM and final rule did expand the accepted uses to include population health management. However, this allowance is not applicable to any exchange of SUD information for treatment purposes on an individual basis. In conjunction with the final rule, another NPRM was also issued that attempts to address the exchange of SUD information by contractors and subcontractors of third-party payers and other lawful holders of the information. These topics will be discussed separately.
8. Other Consent Provisions
The final rule clarifies that a consent may extend for a period of time or until the expiration of an event. One method would be to terminate upon the patient's death. This is another provision that will ease the burden of using a consent. Another is the express recognition of electronic consent in the final rule, which will allow for ease of implementation and use.
9. What Was Not Included
The final rule does not align permitted disclosures with HIPAA. Under HIPAA, covered entities may use or disclose protected health information for treatment, payment and health care operations without a consent. Part 2’s enabling legislation requires consent to be utilized except in limited circumstances. As such, SAMHSA did not adopt the HIPAA standard.