Earlier this year the Substance Abuse and Mental Health Services Administration issued revised regulations governing the confidentiality of health information in federally-assisted substance use disorder programs. Our summary of the new regulations is here. These regulations are called the Part 2 regulations, because they are found in 42 CFR Part 2, and SAMHSA calls substance use disorder programs Part 2 programs.
One of SAMHSA's goals in updating the rule was to make it easier for people with substance use disorders to participate in health information exchanges, accountable care organizations and other organizations that facilitate the exchange of health information. The new rule does give these organizations more flexibility, but Part 2 program information still needs special handling in HIEs and ACOs.
HIPAA typically treats HIEs and ACOs as business associates of participating health care providers. As a rule, participants should have business associate agreements with the HIE or ACO. Some HIEs and ACOs subcontract the storing and processing of data to a data service provider, in which case HIPAA requires a business associate agreement between the HIE or ACO and the data service provider.
The BAA allows a participant to share general health information with the HIE or ACO, and it allows the HIE or ACO to use or disclose the health information for any purpose for which the participant could use and disclose it. In particular, HIPAA allows participants to exchange information through an HIE or ACO for treatment and payment without the consent of the patient, and it does not require any accounting to the patient for these disclosures.
The Part 2 regulations are more restrictive. As a rule, they require patient consent for disclosures of Part 2 information outside the Part 2 program, including disclosures for treatment and payment. And while the new rule has made the consent requirements more flexible, they are still rigorous, and the added flexibility comes at a cost.
Many health information exchanges have a "break-the-glass" function, which allows providers access to health information in an emergency without the regular safeguards. The Part 2 regulations allow access to Part 2 program information without consent in an emergency, but they impose extra documentation requirements on the program. If an HIE or ACO provides a break-the-glass function for Part 2 program information, it will need to obtain the information that has to be documented, and provide it to the Part 2 program.
One thing that the revised rule did not change is the information that it protects. The rule protects the identity of patients, current or former, living or deceased, and any information about them, paper or electronic, created, received or acquired by a federally assisted program. A program is--
- An individual or entity (other than a general medical facility) that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or
- An identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or
- Medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.
Only federally assisted programs are covered, but this includes not only direct and indirect recipients of federal financial assistance, but also programs operating under any federal license or registration, and programs that have exemption from federal income tax.
In addition, the regulations apply to protected information in the hands of entities that have direct administrative control over a Part 2 program, and anyone else who receives patient records directly from a Part 2 program or another holder of the information and is notified of the prohibition on re-disclosure. Because most disclosures must be accompanied by a notice of the prohibition on re-disclosure, this is a far-reaching extension of the protection that requires HIEs and ACO participants that receive information from a Part 2 program to keep the Part 2 protections for the information, even if they are not themselves Part 2 providers. An HIE or ACO that permits the exchange of Part 2 information would need to continue to segment the data and flag it as protected in the hands of recipients.
This bulletin deals first with disclosure by a Part 2 program to the HIE or ACO, and then with access by other participants in the HIE or ACO.
Disclosure to the HIE or ACO
The rule allows a Part 2 program to disclose information to a "qualified service organization," or QSO, without patient consent. A QSO is someone who provides services to a Part 2 program, including data processing, bill collecting, population health management or other professional services. A typical HIE or ACO would be a QSO of its participants. The Part 2 program must have a written agreement with the QSO under which the QSO acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the Part 2 program, it is fully bound by the Part 2 regulations, and agrees that, if necessary, it will resist in judicial proceedings any efforts to obtain access to patient identifying SUD information, except as permitted by the regulations. This agreement is called a qualified service organization agreement, or QSOA. It could be included in the ACO's or HIE's participant BAA, or it could be a separate agreement with participants that have Part 2 programs.
HIEs and ACOs typically contract some data storage and processing functions to a data services provider. For general health information, HIPAA allows this with a business associate contract or subcontract. The Part 2 regulations do not expressly allow disclosures to subcontractors. However, in guidance on the earlier rule, SAMHSA has said that a QSO may disclose Part 2 information to a "contract agent" of the QSO acting on behalf of the QSO. SAMHSA says that in this case both the HIE and its agent are bound by Part 2, and neither organization can disclose the information except as permitted by Part 2. A data services provider that stores and manages HIE data under contract to the HIE would probably be a "contract agent" of the HIE.
Neither the Part 2 regulations nor the SAMHSA guidance says what agreement - if any - a QSO must have with its contract agent relating to compliance with Part 2. HIPAA would require a business associate contract (or subcontract). HIEs should consider adding the terms of a QSOA to the business associate subcontract.
Disclosure Back to the Part 2 Program
An HIE or ACO can allow a Part 2 program to have access to its own Part 2 data without patient consent. However, access must be limited to personnel within the Part 2 program, and personnel within the entity that has direct administrative control over the program who need the data in connection with their duties. This would require a general health care provider that operates a Part 2 program to identify the particular personnel who are allowed access to Part 2 data within the ACO or HIE. Disclosures to other personnel of the provider for general health care services would be on the same footing as disclosures to third-party providers, and would require patient consent, except in an emergency.
Disclosure to Other ACO or HIE Participants - Patient Consent
Except in an emergency, the rule requires patient consent for participants in an ACO or HIE to exchange Part 2 information for treatment or payment. This is a critical difference from HIPAA, which permits disclosures of general health information for treatment and payment without patient consent.
An HIE or ACO would typically look to the Part 2 provider to obtain and document the required consent, and to provide assurances that it has done so. However, the HIE or ACO would need to be able to accommodate any limitations on the consent, and to help the participants document compliance with the rule. And the ACO or HIE could handle the consent process for participants - like HIPAA, the Part 2 rules would allow electronic consents.
Amount and Kind of Information. A consent for the disclosure of Part 2 information must specify "how much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed." In the preamble to the new rule, SAMHSA said that a consent may include "all my substance use disorder information" as an option for the patient, as long as more granular options are also included on the consent form. SAMHSA says that these might designate the types of information to be disclosed, such as diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, elements of a medical record such as clinical notes and discharge summary, employment information, living situation and social supports, and claims/encounter data.
This presents obvious challenges for segmenting data and matching it to consents. An HIE or ACO may want to insist either that participants obtain consents to the release of "all substance use disorder information," or, if participants obtain a more granular consent, that they put into the exchange only the data covered by the consent.
Permitted Recipients - The New General Consent. Under the prior rule a consent had to designate the name or title of each individual or the name of each organization to which disclosure was to be made. In guidance on the rule, SAMHSA said that this required all the potential recipients to be named in the consent, or in an attachment to the consent, and that a separate consent would be required to add additional recipients through an ACO or HIE.
This is one area in which the new rule provides flexibility: now, a patient may give a general consent (also called a "to whom" consent). This allows a general designation of a class of recipients that have a treating provider relationship with the patient, such as "all my past, present and future treating providers."
The general consent only covers treating providers - other participants in an ACO or HIE, such as health plans, would still have to be designated by name. Moreover, use of a general consent requires a mechanism to determine whether a treating provider relationship exists (or existed) between the patient and each recipient of the information. This again presents challenges. In commentary to the new rule, SAMHSA suggests that an HIE could require participant providers to attest to having a treating provider relationship with a patient, or the HIE might provide a patient portal where patients can designate their treating providers.
Accounting of Disclosures under a General Consent. A provider that uses a consent with a general designation must include a statement on the consent form that the patient is entitled, upon request, to a list of entities to which his or her information has been disclosed pursuant to the general designation. This is another important difference from HIPAA, which does not require an accounting of disclosures for treatment and payment through an HIE. An ACO or HIE that manages disclosures of Part 2 information under a general consent would need to track this information in case the patient requested it.
Expiration of Consents. Like a HIPAA authorization, a Part 2 consent must be limited in time. It can have a specific expiration date, event, or condition, and the consent may last no longer than is reasonably necessary to serve the purpose for which it is provided. The regulations do not allow an indefinite consent that lasts until it is revoked. An HIE or ACO would need to have a mechanism to document and act on the expiration of a consent.
Notice to Recipients and Continuing Protection. Like the old rule, the new one requires each disclosure under a patient consent to be accompanied by a written statement to the recipient:
This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder.
In guidance under the old rule, SAMHSA said that this notice must be transmitted electronically with each electronic disclosure - so a general notification on a portal or web site would not be sufficient. Nothing in the new rule suggests any greater flexibility now.
The implication of this notice is that the recipient of the information must protect it as though the recipient itself were a Part 2 program. A general consent could allow further disclosures to other treating providers, but these disclosures would need to be restricted and documented in the same way as the original disclosure, and the Part 2 protections would follow the information indefinitely. This means that the HIE or ACO would need to continue to flag the data as protected even in the hands of general health care providers who received it under a patient consent.
Breaking the Glass
Some HIEs and ACOs allow participants to have access to health information in emergencies, even if a participant does not have the necessary credentials. Typically, use of a "break-the-glass" function requires an attestation of need at the time of access, and triggers a review to ensure that the access was appropriate. The Part 2 regulations allow disclosure of Part 2 information to medical personnel without patient consent to the extent necessary to meet a "bona fide medical emergency" in which the patient's prior consent cannot be obtained. This would include emergencies where the patient is incompetent to consent, but it does not permit access if the patient could consent but refuses, even in an emergency. The information accessed must be limited to what is necessary to treat the emergency (but this could be the entire Part 2 record, if that is what the treating provider needs).
In an ordinary break-the-glass situation, the user would need to attest only that he or she was a provider who needed the information for treatment. Where Part 2 information is concerned, the provider would need also to attest to a "bona fide medical emergency." The regulations do not define the term, but leave it to the treating provider to determine whether there is a medical emergency. It could be a physical or mental health emergency, but it must be an emergency - SAMHSA says that, for example, concern about possible drug interactions may not suffice. SAMHSA says also that the determination whether an emergency exists cannot be automated: an electronic health record system can flag conditions that may be an emergency, but the treating provider must make the determination in each case. The treating provider is whoever is treating the emergency - he or she need not be a Part 2 program provider.
The rule requires the Part 2 program to document emergency disclosures in the patient's records immediately following the disclosure. This documentation must include--
- The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
- The name of the individual making the disclosure;
- The date and time of the disclosure; and
- The nature of the emergency.
Because the Part 2 program is required to maintain this documentation in the patient's records, an ACO or HIE that grants access to Part 2 data in an emergency will need to notify the Part 2 program, and to collect and pass on all the information that the Part 2 program is required to document.
Information disclosed without consent in an emergency does not have to be accompanied by the notice about prohibitions on further disclosure, and, once disclosed to a general health care provider, it would no longer be protected by Part 2 - so it could be included in the emergency provider's general health record.
Hooper, Lundy & Bookman provides a range of legal services relating to health information privacy, security and technology. For more information, please contact: In San Francisco, Paul Smith or Steve Phillips at 415.875.8500; in Los Angeles, Hope Levy-Biehl or Eric Chan at 310.551.8111; in Washington, D.C., Bob Roth at 202.580.7701; or in Boston, Amy Joseph at 617.532.2702.