Confidentiality of Substance Abuse Records: Everything You Want Someone Else to Know so You Don't Have to Remember It.
One good thing about federal law governing substance abuse records is that it is crystal clear. Okay, there might be other good things, but that is not one of them.
Luckily for all of you, we are here to interpret the somewhat murky clarifications issued earlier this year (January 3, 2018) to the federal law governing substance abuse treatment program records.
First, here are a few catchy terms for you to use if you want to sound cool at cocktail parties. You can thank us later.
- "AODA" means Alcohol and Other Drug Abuse.
- "Part 2 Programs" means AODA programs regulated by 42 CFR Part 2—the only law never given any kind of nickname by anyone, although we are hereby calling it "Fred."
- "Part 2 Records" means the patient medical records (in whatever form) from Part 2 Programs.
- "2017 Rule" means the update to 42 CFR Part 2 made in…you guessed it…January 2017.
- "2018 Rule"—this rule… you know, because it’s from 2018… no reason this can’t be fun.
The 2018 Rule is in Addition to the New Rules Issued a Year Ago
42 CFR Part 2 (“Fred”) remained unchanged for decades prior to the 2017 Rule. The health care system as a whole—and AODA treatment and health information technology in particular—has changed significantly since then, and Fred was getting stale. The first set of revisions in decades was promulgated by the Substance Abuse and Mental Health Services Administration (SAMHSA) in January 2017. SAMSHA must have had a really powerful energy drink in the last couple of years because one year later, out came the 2018 Rule. For more on that 2017 Rule see our previous update here.
SAMHSA's goal with the 2018 Rule was to synchronize Fred with HIPAA, at least somewhat, and specifically to: (1) promote information flow between providers, including a clinically complete patient record; (2) allow providers and administrators of services greater discretion; (3) facilitate interoperability; (4) improve compliance; (5) enhance privacy protections by making confidentiality restrictions more uniform across health care settings; (6) promote more innovative models of health care delivery; (7) establish uniform, workable regulations with respect to treatment, payment, and operations; and (8) improve patient care and reduce stigma and potential harm to patients. Sounds great right?! We like it already… go on, SAMHSA.
The 2018 Rule Leaves a Lot Unchanged
- Patient consent for disclosure of Part 2 Records is still the default.
- Redisclosure by recipients is still prohibited—that is the default. (Sneak preview: The 2018 Rule does limit this prohibition! YAY!)
- The definition of Part 2 Program has not changed.
- Part 2 is still very stringent and much more restrictive than other confidentiality laws, including HIPAA, even after the couples therapy attempted in the 2018 Rule.
An OPTIONAL Shorter Redisclosure Prohibition Notice!
Don’t you love options? With health care so regulated, isn’t it heavenly to have a rule that offers options rather than mandating something? One very wonderful thing about the 2018 Rule is that Part 2 Programs MAY (not must!) use a shorter, more abbreviated version of the required notice to recipients of Part 2 records. In fact, the notice may be as short as this: “42 CFR Part 2 prohibits unauthorized disclosure of these records.” SAMSHA indicates that this new flexibility was intended to conform to standard free-text space within electronic medical records. You can still use your old one if you wish! Either one works.
Disclosures for Payment and Health Care Operations
When Part 2 programs disclose information—pursuant to patient consent—the recipient of that information may redisclose the information—for certain purposes—without the patient's consent. This has been a thorn in the side of anyone receiving records from a Part 2 Program, because the individual patient consent requirements are onerous and difficult to achieve. The business partners receiving the information are called "lawful holders" and there are a number of hoops that the lawful holders (and the Part 2 Programs) must jump through to avoid the requirement of individual patient consent. Nevertheless, it is a step in the direction of more flexibility and we will take it!;
Note that this new flexibility DOES NOT APPLY TO DISCLOSURES FOR TREATMENT—only to disclosures for health care operations and payment. (Did you catch that? We hope so—that is why it is in all caps.)
For health care operations, the definition is narrower than it would be under HIPAA because we are not talking about the broad "business associate" relationship that would apply under HIPAA. Part 2 entities and their subcontractors do not ring the same bells. Rather, a Part 2 Program may disclose Part 2 Records to "lawful holders," a narrower concept than business associates.
By way of example, let's imagine that you operate an alcohol treatment program that receives federal funds and is thus regulated as a Part 2 Program. Your patient consents to you disclosing Part 2 Records to your local hospital, and that hospital needs to send the records to their trusty lawyer for legal advice. Previously, the hospital would need the patient to authorize that disclosure. However, under the 2018 Rule, the hospital in our example (a "lawful holder") could disclose the Part 2 Records to their trusty (and brilliant and good looking) lawyer, for the purpose of the hospital's health care operations, without that individual patient’s consent. To do this, certain safeguards must be in place:
- A contract in place between the contractor and the hospital—these have to be in place by Feb. 2, 2020 if the hospitals want to disclose to their contractors without consent. (Again, this is not a BAA lookalike, and a general “compliance with all applicable laws” will not cut it.)
- The redisclosure notice (abbreviated or not—either one works) has to be sent by the hospital (lawful holder) to the third-party contractor.
- The hospital (lawful holder) must implement appropriate safeguards.
- The hospital must require that the contractor report any breaches, etc.
- The purpose section of the consent form must be consistent with the role/services provided by the contractor or subcontractor (e.g., “payment and health care operations”).
Nothing about this is mandatory—it is optional, a way to make things easier for Part 2 Programs and their contractors to disclose information necessary to carry out their business and get paid. The preamble to the 2018 Rule includes a sample, non-exhaustive list of permissible activities that SAMSHA considers to be payment and health care operations activities, including clinical processional support services (e.g., quality assessment and improvement initiatives, utilization review and management); patient safety activities; activities pertaining to training student trainees and health care/non-health care professionals; assessing practitioner competence; fraud, waste, and abuse activities; underwriting and enrollment; conducting or arranging for medical review, legal services, and auditing; business planning and development; resolving internal grievances; determination of eligibility of coverage; and medical necessity reviews. Despite this long list, SAMSHA notes that the 2018 Rule and these activities are not intended to cover care coordination or case management, and disclosures of Part 2 Records to contractors and subcontractors for such purposes are not permitted without individual consent under this section.
Disclosure for Audits and Evaluations, Too?
Under the 2018 Rule, the “lawful holders” (the hospital in our example) may disclose to the government in the event of an audit or evaluation performed on behalf of federal, state, or local governments providing financial assistance to, or regulating the activities of, “lawful holders” and Part 2 Programs—which is not that big of a change. Part 2 Programs could already do that. However, the 2018 Rule now clarifies SAMSHA’s recognition that audits and evaluations may be performed by contractors and subcontractors on behalf of third-party payers or quality improvement organizations.
SAMSHA is On a Roll! Anything Else Coming Down the Pike?
Spoiler: Maybe. With the 2017 rule and this 2018 Rule, it seems like SAMSHA would be ready to take a break on rulemaking, right? Doesn’t look like it. In the preamble to the 2018 Rule, SAMSHA noted that it plans to explore additional opportunities to align Part 2 with HIPAA (to the extent possible in light of the fact that Part 2 provides more stringent federal protections than HIPAA), and additional Part 2 rulemaking may be coming our way soon.
So, SAMSHA has taken some big leaps forward to recognize that just a few things have changed since Ronald Reagan was president. The 2018 rule offers much-needed flexibility and reflects the current technological state of the industry far better than the original rules. There are parts of Fred that still make us all a little seasick—but he has definitely improved with age!
If you have any questions about the 2018 Rule or Part 2 generally, please contact Sarah Coyne at (608) firstname.lastname@example.org, Meghan O’Connor at (414) email@example.com, or your Quarles & Brady attorney.