On February 5, 2016, the Department of Health and Human Services’ Substance Abuse and Mental Health Services Administration (SAMHSA) announced a proposed rule (the Proposed Rule) to address changes to the federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 C.F.R. Part 2 (Part 2). Under the current Part 2 regulations, a federally assisted substance use disorder program (a Part 2 Program) may only release identifiable information related to substance use disorder diagnosis, treatment, or referral for treatment with the individual’s express consent, unless one of the limited exceptions applies.
The Proposed Rule was prompted by the need to update and modernize the Part 2 regulations, given that the Part 2 regulations were last substantively updated in 1987. The goal of the Proposed Rule is to facilitate the electronic exchange of substance use disorder information for treatment and other legitimate health care purposes, such as through participation in a health information exchange (HIE), while ensuring appropriate confidentiality protections for records that might identify an individual as having a substance use disorder. As such, the Proposed Rule, if adopted, would impact a wide range of providers in addition to alcohol and drug treatment facilities or other providers subject to Part 2, as well as health information organization operators. For example, the Proposed Rule may impact providers who participate in an HIE and treat patients for any reason, including hospitals, skilled nursing facilities, medical groups, and individual physicians, if the patients are or have previously been part of substance use disorder programs, and the program’s treatment information regarding the patient may be useful for patient care. A summary of some of the key proposed changes are below. The Proposed Rule can be read here.
The current Part 2 regulations require that unless a limited exception applies, a patient must provide written consent for a Part 2 Program to disclose patient identifying information, and the written consent form must include the name or title of the individual, or the name of the organization, to which disclosure may be made. The intent was for the patient to be able to identify, at the time of consent, exactly who is authorized to receive their information.
However, according to reports by stakeholders to SAMHSA, this requirement makes it difficult to include Part 2 Programs in organizations that facilitate the exchange of health information, such as HIEs. Unlike under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the current Part 2 regulations a Part 2 Program may not disclose information for treatment purposes to a patient’s treating provider outside of the Part 2 Program without the patient’s written consent.
SAMHSA now proposes to allow a patient to include a general designation in the “To Whom” section of the consent form under certain circumstances. In particular, in the case of an entity that does not have a treating provider relationship with the patient (such as an HIE), SAMHSA proposes to permit the designation of the name of the entity and a general designation of a class of participants, so long as those participants all have a treating provider relationship with the patient. For example, the patient could designate an HIE and “my treating providers” on the consent form. SAMHSA anticipates that providing more flexibility for a general designation with respect to whom information can be disclosed will, among other things, increase participation in HIEs and organizations that coordinate care.
As an alternative approach to accomplish the same goal, SAMHSA is considering adding a definition of “organization” which would permit more flexibility regarding to whom disclosure may be made. As noted above, the current Part 2 regulations permit a patient to identify the name of the organization in the “To Whom” section of the consent form, in lieu of the name or title of an individual. SAMHSA has previously interpreted the term “organization” narrowly to mean the information can be disclosed to a lead organization, but the information cannot be further shared with the organization’s members or participants. In other words, historically all members or participants would also need to be listed on the consent form, and a new consent would be required for each member or participant that joins the organization.
Under SAMHSA’s proposed alternative approach, “organization” would be defined more broadly to mean: (1) a treating provider of the patient; (2) a third-party payer that requires patient identifying information for reimbursement of services; or (3) an organization that is not a treating provider, but serves as an intermediary by providing patient identifying information to members or participants that have a treating provider relationship with a patient, or as otherwise specified by the patient.
Because SAMHSA is proposing to permit a general designation in the “To Whom” section of a consent form under certain circumstances, SAMHSA states that it wants patients to be aware of the information they are authorizing for disclosure, and the description on the consent form would be required to include an explicit description of the amount and kind of substance use disorder treatment information that may be disclosed. For example, “all of my substance use disorder-related claims/encounter data” would be a sufficient description, but “all of my records” would not. In addition, the “From Whom” section of the consent form must specifically name the Part 2 Program or other lawful holder of patient identifying information permitted to make the disclosure.
Lastly, under the Proposed Rule the consent form would be required to include a statement that the patient understands the terms of the consent and, when using a general designation in the “To Whom” section, that the patient has a right to obtain, upon request, a list of entities to which the patient’s information has been disclosed, as discussed further below. Notably, these are not requirements for an authorization to be compliant under HIPAA, so to the extent this requirement in the Proposed Rule is finalized, those Part 2 programs that use HIPAA-compliant authorizations will need to add additional language to comply with the Part 2 Regulations as well.
List of Disclosures
In connection with the proposed flexibility to include a general designation in the “To Whom” section of the consent form, SAMHSA also proposes that patients who include such a general designation are entitled to a list of entities to which their information has been disclosed upon request. The patient’s request would be required to be in writing, including by electronic means, and the Part 2 Program would be required to respond to a request within thirty calendar days of receipt of the request. If the Part 2 Program’s response is sent electronically but not by encrypted transmission, the patient must first be notified of the potential risks associated with unsecure transmissions.
SAMHSA states that the proposed change “would facilitate patients’ participation in advances in the health care delivery system by increasing their confidence that they could be informed, upon request, of who received their information . . . .” However, SAMHSA also notes that it anticipates there will likely be few such requests for a list of disclosures by patients, based on the small number of requests that covered entities tend to receive under HIPAA’s similar existing requirement for accounting of disclosure.
Security of Records
The current Part 2 regulations state that written records must be maintained in a secure room, locked file cabinet, or other similar container when not in use, and each Part 2 Program must have written policies and procedures that regulate and control access to, and use of, such records.
In addition to expanding these security requirements to apply to electronic records as well as paper records, the Proposed Rule clarifies that Part 2 Programs and other lawful holders of patient identifying information must have formal security policies and procedures in place to reasonably protect against unauthorized uses and disclosures of patient identifying information and protect against reasonably anticipated threats or hazards to the security of such information.
The Proposed Rule includes an enumerated list of topics that must be addressed in the security policies and procedures, such as sanitization of hard copy and electronic media. The enumerated list is similar to the requirements under the HIPAA Security Rule, although not as extensive. On a related note, the Proposed Rule addresses disposition of records by discontinued programs, and SAMHSA emphasizes that sanitizing electronic media is different than merely deleting electronic records. Rather, the data must be rendered irretrievable.
Other Changes and Clarifications of Note
Under the current Part 2 regulations, Part 2 Programs or other lawful holders of patient identifying information protected by Part 2 are permitted to disclose patient identifying information without the patient’s consent to researchers under certain limited circumstances.
SAMHSA proposes revising this exception to allow patient identifying information to be disclosed without patient consent for research purposes if: (1) the researcher is a HIPAA covered entity or business associate and provides documentation of the patient’s authorization or an Institutional Review Board’s waiver of the patient authorization requirement, and the researcher is otherwise in compliance with the HIPAA rules regarding research; or (2) the researcher is subject only to the HHS Common Rule (45 C.F.R. Part 46, subpart A) and provides documentation that the researcher is in compliance with the applicable requirements, including with respect to informed consent; or (3) the researcher is subject to both HIPAA and the HHS Common Rule, and the researcher is in compliance with both.
In addition, SAMHSA proposes to address linkages to data sets from federal data repositories for research purposes, stating that “the process of linking two or more streams of data opens up new research opportunities.” SAMHSA is also seeking comments as to whether to expand the proposed data linkages provision to non-federal repositories, and if so, what privacy and security safeguards should be required.
SAMHSA also proposes adding a number of clarifications to the current Part 2 regulations, revising existing definitions and including new definitions, and generally using terminology in a consistent manner throughout the regulations. For example, the term “written” would expressly include paper and electronic documentation. As another example, SAMHSA proposes addressing the applicability of the Part 2 Regulations to general medical practices, as well as general medical facilities (which are already addressed in the current regulations). Pursuant to the Proposed Rule, a practice comprised of primary care providers with an identified unit that both holds itself as providing, and does provide, substance use disorder diagnosis, treatment, or referral for treatment, and otherwise meets the requirements for applicability, would be subject to the Part 2 regulations. Notably, the term “federally assisted,” which is one of the requirements for the Part 2 regulations to apply, is defined broadly, and would include a physician’s participation in the Medicare program.
Solicitation of Comments
HHS has solicited comments on a broad range of topics related to the Proposed Rule, which must be received no later than 5:00 p.m. on April 11, 2016.
State Law Considerations
The Proposed Rule would revise 42 C.F.R. Part 2, but does not affect a Part 2 Program’s obligation to comply with applicable state law. For example, in California, certain narcotic, alcohol, and other drug abuse programs are subject to Health and Safety Code Section 11845.5, which addresses the confidentiality of patient records in connection with alcohol or drug abuse treatment or prevention.
 Pursuant to state law, a provider of substance use disorder diagnosis, treatment, or referral for treatment may be subject to the Part 2 regulations although the provider does not fall within the definition of a federally assisted program. For example, in California all licensed residential alcohol and drug treatment and recovery facilities are required to keep resident information and records confidential in conformity with 42 C.F.R. Part 2. See 9 C.C.R. § 10568.
 The Proposed Rule defines a lawful holder of patient identifying information as an entity that has received such information as the result of patient consent coupled with the requisite re-disclosure notice, in compliance with the Part 2 regulations, or that falls within one of the limited exceptions that permits disclosure without patient consent.
 Providing a list of individuals would be optional under the Proposed Rule.