The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), issued two notices of proposed rulemaking (“NPRMs”) last week. The NPRMs relate to the federal regulations governing the confidentiality of health information in federally-assisted substance use disorder (SUD) programs, found in 42 CFR Part 2 and known as “Part 2.” These two rules are the most significant revision to Part 2 since SAMHSA issued a final rule in January 2018 (our summary can be found here), and provide guidance and clarification for Part 2 programs and lawful holders regarding permitted disclosures, with and without patient authorization.
Under current regulations, Part 2 generally requires a federally-assisted SUD program to obtain a patient’s consent before disclosing his or her identifying information outside of the program, including disclosures to other health care providers. However, in an effort to address one of the largest drug crises in the nation’s history, SAMHSA, along with HHS and the U.S. Department of Justice (DOJ), has determined that the prompt revision of Part 2 is necessary. The NPRMs are part of the Administration’s “Regulatory Sprint to Coordinated Care,” which also includes proposed rulemaking to update other laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the federal physician self-referral law (the Stark Law), and the anti-kickback statute.
In connection with the release of the Part 2 rulemaking, HHS Secretary Alex Azar said that the agency believes it is not authorized to fully align Part 2 with HIPAA and supports action by Congress to improve data sharing for better opioid response. After legislation for this alignment failed to be included in the final opioids package passed last year under the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment (SUPPORT) for Patients and Communities Act, bipartisan legislation has been introduced in both chambers to align 42 CFR Part 2 with HIPAA’s patient privacy protections. The Overdose Prevention and Patient Safety Act (H.R. 2062), which passed the House of Representatives last year, was introduced by Reps. Earl Blumenauer (D-OR) and Markwayne Mullin (R-OK) and the Senate companion, the Protecting Jessica Grubb’s Legacy Act (S. 1012) was introduced by Sens. Joe Manchin (D-WV) and Shelley Moore Capito (R-WV). Many provider groups support this legislation, while substance abuse advocates have raised concerns due to privacy protections. Discussion on possible Congressional action following the release of these rules will likely continue when Congress returns in September.
Below follows a brief summary of the major provisions in the two NPRMs.
Proposed Definitional Changes (42 C.F.R. §§ 2.11, 2.12, 2.32)
To start, the proposed rule modifies the definition of what constitutes a “record” and the “applicability” of Part 2 in an effort to give health care providers clarity about what information is subject to Part 2’s protections and to ensure non-Part 2 providers are not discouraged from coordinating or communicating with Part 2 programs or recording SUD information out of concern of inadvertently violating Part 2’s heightened confidentiality requirements. Specifically, the proposed rule would amend the definition of records to note that “information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a [part 2 record] … in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider.” Additionally, the proposed rule goes on to clarify that a non-Part 2 treating provider’s act of recording SUD information in a patient’s medical record when disclosed willingly by the patient would not be subject to Part 2. However, any SUD patient records originating from a Part 2 program remain subject to the existing rule’s prohibition on redisclosure and must be segregated from the patient’s general medical records when received by a non-Part 2 provider (unless orally received, as discussed above). SAMHSA notes that by segregating records received from a Part 2 program, non-Part 2 providers can ensure that new records (e.g., a treatment note based on a direct clinical encounter with the patient) created by during their own patient encounters would not become subject to Part 2.
Proposed Consent Form Changes (42 C.F.R. § 2.31)
The proposed rule also simplifies how patients can send their SUD records to entities or agencies without a treating provider relationship. The existing regulations under Section 2.31 require patients to identify a specific person as a recipient within an entity to receive their SUD records when consenting to such disclosure. As a result, patients often struggle applying for and receiving non-medical services and benefits from governmental agencies such as the Social Security Administration or non-governmental agencies including local sober living or halfway house programs, because they are unable to designate a specific employee to receive their SUD information on behalf of the named entity. Under the proposed rule, patients would no longer need to specify an individual person, but rather may provide consent for the entity as a whole on the “to whom” section of a consent form for disclosure of their SUD records. In doing so, SAMHSA notes that it hopes to “empower patients to consent to the release and use their health information in whatever way they choose.”
Proposed Authorized Disclosure Changes
Payment and Health Care Operations (42 C.F.R. § 2.33). Under the current Part 2 regulations, lawful holders of Part 2 records are permitted to further disclose such records to contractors, subcontractors, and legal representatives, for the purpose of payment and certain health care operations. In an effort to provide further clarity regarding the scope of permitted disclosures in this context, SAMHSA proposed to add an illustrative (not exhaustive) list of permissible activities that are considered to be payment and health care operations activities. For example, this list includes activities such as billing and claims management, quality assessment, and business management and general administrative activities. However, SAMHSA also emphasizes that this provision is not intended to cover care coordination or case management – a significant difference from the broader definition of health care operations under HIPAA – emphasizing the importance of patient choice in disclosing information to health care providers with which they have direct contact.
Central Registries and Prescription Drug Monitoring Programs (42 C.F.R. §§ 2.34, 2.36). SAMHSA recognizes that, given the opioid epidemic, it is important for all providers that work with SUD patients, including non-opioid treatment program (non-OTP) providers, to access information in central registries to prevent duplicative enrollment, as well as to inform prescription decisions as part of a plan of care. Currently, the regulations permit a central registry to disclose certain patient information when asked by a “member program” whether the patient is enrolled in another member program, but central registries are not permitted to disclose to non-OTP providers. The proposed rule would expand the scope of Section 2.34 to permit disclosure of certain patient information to all treating providers on request, for purposes of informed decision-making and coordination of care.
Similarly, given the opioid epidemic, SAMHSA recognizes the value of opioid treatment program (OTP) providers disclosing patient identifying information to a prescription drug monitoring program (PDPM) for greater patient safety, treatment, and care coordination among a patient’s providers. SAMHSA proposed to add a new section, Section 2.36, to permit OTPs and other lawful holders to disclose data to PDPMs when dispensing medications upon prior written consent of the patient.
Medical Emergencies (42 C.F.R. § 2.51). SAMHSA proposed permitting a Part 2 program to disclose patient identifying information to medical personnel without patient consent in the event that a state or federal authority declares a state of emergency and the Part 2 program is closed and unable to provide services or obtain the patient’s informed consent (in addition to the current ability to disclose such information in the event of a bona fide medical emergency). SAMHSA emphasizes that patient consent should be obtained if possible, but recognizes that in the event of a state of emergency, such as a hurricane or earthquake, obtaining patient consent may not be feasible and the inability of patients to access needed care through their usual providers can itself lead to a medical emergency.
Research (42 C.F.R. § 2.52). Currently, Part 2 programs are permitted to disclose patient identifying information for research without patient consent under limited circumstances. In particular, Part 2 programs may disclose patient identifying information where the recipient is a HIPAA covered entity or business associate with a valid authorization from the patient or waiver or alteration of authorization in compliance with HIPAA, or the recipient is subject to HHS regulations regarding the protection of human subjects in research (otherwise known as the Common Rule), including informed consent requirements, or the research meets an exemption to such regulations. However, SAMHSA acknowledges the current rules limit other legitimate stakeholders from obtaining data for research purposes, and it was not SAMHSA’s intent to do so.
In order to more closely align the research disclosure provisions under Part 2 with HIPAA and the Common Rule, SAMHSA proposed to expand the applicable provision to allow research disclosures to individuals and organizations that are neither HIPAA covered entities nor subject to the Common Rule, so long as the data is disclosed in accordance with the HIPAA Privacy Rule provisions governing disclosures for research purposes. SAMHSA proposed to clarify that this data may be disclosed to workforce members of HIPAA covered entities for purposes of employer-sponsored research, and proposed to permit research disclosures to recipients of FDA regulations for the protection of human subjects in clinical investigations (some research studies may fall under the FDA regulations but not the Common Rule).
Audit and Evaluation (42 C.F.R. § 2.53). Under the current regulations, disclosures by Part 2 programs or other lawful holders are permitted to individuals and entities who are performing the audit or evaluation on behalf of certain governmental agencies, third-party payers, quality improvement organizations, and under certain circumstances, others determined qualified to conduct an audit or evaluation of the Part 2 program or lawful holder, assuming certain conditions are met. Different rules apply depending on the context, including whether the records will be reviewed only on the premises of the Part 2 program or other lawful holder or removed from the premises (or transferred to another electronic system or device).
SAMHSA recognizes there has been confusion about the scope of these provisions and proposed clarifying changes, stating that “the concept of audit or evaluation is not restricted to reviews that examine individual part 2 program performance.” The proposed regulations would clarify that audits and evaluations can include reviews related to changing policies to improve patient outcomes across Part 2 programs or to determine the need for adjustment to payment policies. SAMHSA also clarifies that the terms “audit” and “evaluation” include reviews to determine whether patients are receiving appropriate services in an appropriate setting, such as in the context of a licensing or certification survey to ensure compliance with applicable laws. Another helpful clarification is with respect to disclosures to an “entity that has direct administrative control over the program.” SAMHSA clarifies that this phrase references the situation where the Part 2 program is a component of a larger behavioral health or general health program, and proposed to add language to expressly state that auditors may include entities with direct administrative control.
Disclosures to Investigate/Prosecute Crimes (42 C.F.R. §2.63(a)(2)). SAMHSA also proposed to revert to pre-2017 language regarding the disclosure of confidential communications in connection with the investigation or prosecution of certain crimes. In particular, the proposed rule would remove the phrase “allegedly committed by the patient” from the following permitted disclosure under Section 2.63(a)(2):
investigation or prosecution of an extremely serious crime allegedly committed by the patient, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect…
This phrase was previously added in the 2017 final rule, however, SAMHSA believes that this language may have been misinterpreted and the cause of interference with investigation and prosecution of opioid-related crimes allegedly committed by individuals other than patients. Thus, SAMHSA proposed to remove this additional language.
Undercover Agents/Informants (42 C.F.R. § 2.67)
Section 2.67 has generally prohibited the placement of undercover agents or informants in a Part 2 program except as specifically authorized by a court order for the purpose of investigating a Part 2 program, or its agents or employees, for allegations of serious criminal misconduct. In the current rule, the time limitation for the period of placement for undercover agents and informants pursuant to a court order is set at 6 months. SAMHSA has determined, in consultation with DOJ, that this may be burdensome on some ongoing investigations.
Thus, the agency proposed to extend the period for court-ordered placement of an uncover agent or informant to 12 months (starting when the agent is placed or an informant is identified), while authorizing courts to further extent a period of placement through a new court order.
Disposition of Records (42 C.F.R. § 2.19)
Finally, SAMHSA has also provided further guidance on how employees, volunteers, and trainees of Part 2 programs should handle communications with patients on personal devices and accounts. In Section 2.11, records are currently defined to include information related to a patient in email and texts. Further, Section 2.19 requires that all records which are electronic must be “sanitized” within one year of the discontinuation of any Part 2 program. Read together, these two sections could be interpreted to require that personal phones or accounts need to be sanitized and thus may no longer be useable. SAMHSA has clarified that this is not its intent.
Instead, SAMHSA recognizes that patient communication may take place through personal accounts or devices of employees or volunteers or trainees. SAMHSA has clarified in the NPRM that employees, volunteers and trainees should immediately delete any patient identifying information from their personal accounts or devices and respond via authorized Part 2 program channels, unless responding from the personal account is in the patient’s best interest. SAMHSA further clarified that if any communications contain patient identifying information, the communications should be forwarded to Part 2 authorized channels and then deleted from personal accounts and devices.
For more information, the NPRMs are available at 84 Federal Register 44568 (Aug. 26, 2019) and 84 Fed Register 44566 (Aug. 26, 2019); HHS has also issued a fact sheet on the NPRMs as well. SAMHSA will be soliciting comments regarding the proposed rules until October 25, 2019.
For more information, please contact Alicia Macklin in Los Angeles, Amy Joseph in Boston, Andrea Frey or Paul Smith in San Francisco, Monica Massaro in Washington, D.C., or your regular Hooper, Lundy & Bookman contact.