This week, the Substance Abuse and Mental Health Services Administration (SAMHSA) finalized long-awaited revisions to the rules governing the confidentiality of patient records in federally-assisted substance use disorder (SUD) programs, found in 42 C.F.R. Part 2 and known as “Part 2.” The final rule comes while still awaiting implementation of changes made to Part 2 in the CARES Act (P.L. 116-136), with SAMHSA indicating that the rule is intended to serve as setting interim and transitional standards for Part 2 programs until additional regulations pursuant to the CARES Act may be promulgated.
The revised regulations respond to a number of concerns and comments raised regarding the ability to facilitate better coordination of care in response to the opioid epidemic, while maintaining strict confidentiality protections for individuals seeking treatment from Part 2 programs. Importantly, the revisions do not alter the general Part 2 requirement that a federally-assisted SUD program obtain a patient’s valid written consent before disclosing his or her identifying information outside of the program, including disclosures to other health care providers. Additionally, as noted above, the current revisions do not implement any of the changes made by the CARES Act, which will further ease the ability of Part 2 programs to disclose patient records. By law, the CARES Act amendments cannot take effect before March 27, 2021, and will require additional rulemaking in order to complete this policy change.
The effective date of this final rule is August 14, 2020. A brief summary of the key modifications follows.
Consent Requirements (42 C.F.R. § 2.31). SAMHSA finalized changes to Section 2.31 simplifying how patients can share their records outside of the Part 2 program. Under the prior version of the regulations, patients needed to specify the name of an individual person within an entity or agency to whom such a disclosure could be made, excepting certain disclosures to treating providers and third-party payers. By way of example, if a patient wanted a Part 2 program to disclose impairment information to the Social Security Administration for a determination of benefits, he or she would need to authorize this agency on the “to whom” section of the consent form and identify a specific individual at the agency to receive such information. In practice, this requirement created an operational barrier for many Part 2 programs in terms of facilitating the coordination of patient care and assisting patients in accessing benefit programs, in cases where patients didn’t know the identity of a specific individual within such an entity or agency.
The final rule does away with this requirement, such that patients may now provide consent to the disclosure of their information without specifying an authorized individual, and rather just include the “name(s) of the individual(s) or the name(s) of the entity(-ies) to which a disclosure is to be made.” SAMHSA believes that this change will both “empower patients to consent to the release and use their health information in whatever way they choose,” and “make it easier for patients to consent to the disclosure of their information for the purposes of care coordination and case management, including to contracted organizations of lawful holders, by naming such organizations on the consent form.”
Of note for disclosures to entities that facilitate the exchange of health information (i.e., health information exchanges) and research institutions, however, a consent must still include both the names(s) of the entity(-ies) and –
- The name(s) of individual or entity participant(s); or
- A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed.
Disclosures for Payment and Health Care Operations (42 C.F.R. § 2.33). Under the Part 2 regulations, lawful holders of Part 2 records are permitted to further disclose such records to contractors, subcontractors, and legal representatives, for the purpose of payment and certain health care operations. In an effort to provide further clarity regarding the scope of permitted disclosures in this context, SAMHSA has added an illustrative (but not exhaustive) list of permissible activities that are considered “payment and health care operations activities.” The list includes activities such as billing and claims management, quality assessment, and business management and general administrative activities. SAMHSA also expanded the list to expressly include care coordination and case management activities—a deviation from prior iterations of rule-making—to make Part 2 more consistent with HIPAA’s definition of health care operations.
Disclosures for Research (42 C.F.R. § 2.52). In order to more closely align the research disclosure provision under Part 2 with HIPAA and the Common Rule, SAMHSA had also proposed to expand the applicable provision to allow research disclosures to individuals and organizations that are neither HIPAA covered entities nor subject to the Common Rule, so long as the data is disclosed in accordance with the HIPAA Privacy Rule provisions governing disclosures for research purposes. SAMHSA also proposed to permit disclosures to workforce members of HIPAA covered entities for purposes of employer-sponsored research, as well as to permit research disclosures to recipients of FDA regulations for the protection of human subjects in clinical investigations (some research studies may fall under the FDA regulations but not the Common Rule).
The final rule finalizes the above changes, with the exception of the proposed change allowing research disclosures to members of the workforce of a HIPAA covered entity. SAMHSA indicated that it would not be finalizing this policy given confusion and concern that the proposal would permit employers to conduct research on their employees.
Audit and Evaluation (42 C.F.R. § 2.53). Under the current regulations, disclosures by Part 2 programs or other lawful holders are permitted to individuals and entities who are performing the audit or evaluation on behalf of certain governmental agencies, third-party payers, quality improvement organizations, and under certain circumstances, others determined qualified to conduct an audit or evaluation of the Part 2 program or lawful holder, assuming certain conditions are met. Different rules apply depending on the context, including whether the records will be reviewed only on the premises of the Part 2 program or other lawful holder or removed from the premises (or transferred to another electronic system or device).
Recognizing that there has been confusion about the scope of these provisions and proposed clarifying changes, SAMHSA clarified in the final rule specific situations that fall within the scope of permissible disclosures for audits and/or program evaluation purposes, including reviews related to changing policies to improve patient outcomes across Part 2 programs or to determine the need for adjustment to payment policies. SAMHSA also clarified that the terms “audit” and “evaluation” include reviews to determine whether patients are receiving appropriate services in an appropriate setting, such as in the context of a licensing or certification survey to ensure compliance with applicable laws.
Another helpful clarification is with respect to disclosures to an “entity that has direct administrative control over the program.” SAMHSA notes in the commentary to the final rule that this phrase references situations where a Part 2 program is a component of a larger behavioral health or general health program, and finalized language to expressly state that auditors may include entities with direct administrative control where those persons, in connection with their audit or evaluation duties, need to know the information.
However, SAMHSA was clear that the final rule primarily clarifies activities that are already permissible under Part 2. The only new authority provided is found in the new Section 2.35(g), which permits disclosure of patient identifying information to federal, state, or local government agencies for audits or evaluations mandated by statute or regulation, if such processes cannot be carried out using de-identified information (SAMHSA encourages Part 2 programs to do whenever possible, but notes that it recognizes for many it may be cost-prohibitive or too cumbersome).
Medical Emergencies (42 C.F.R. § 2.51). SAMHSA also finalized its proposal permitting a Part 2 program to disclose patient identifying information to medical personnel without patient consent in the event that a state or federal authority declares a state of emergency as the result of a natural or major disaster and the Part 2 program is closed and unable to provide services or obtain the patient’s informed consent (in addition to the current ability to disclose such information in the event of a bona fide medical emergency). SAMHSA emphasized that patient consent should be obtained if possible, but recognizes that in the event of a state of emergency, such as a hurricane or earthquake, doing so may not be feasible and the inability of patients to access needed care through their usual providers can itself lead to a medical emergency.
Definitional Changes (42 C.F.R. §§ 2.11, 2.12, 2.32). SAMHSA amended the definition of “records” to create an exception so that information conveyed orally (as opposed to in writing) to a non-Part 2 program for treatment purposes with patient consent does not become a “record” subject to Part 2, even if the recipient reduces the information to writing. Additionally, SAMHSA clarified that the non-Part 2 treating provider’s act of recording SUD information in a patient’s medical record when disclosed willingly by the patient would not be subject to Part 2. However, any SUD patient written records originating from a Part 2 program remain subject to the regulations and their current prohibition on redisclosure, and must be segregated from the patient’s general medical records when received by a non-Part 2 provider.
Central Registries and Prescription Drug Monitoring Programs (42 C.F.R. §§ 2.34, 2.36). SAMHSA recognizes that, given the opioid epidemic, it is important for all providers that work with SUD patients, including non-opioid treatment program (non-OTP) providers, to access information in central registries to prevent duplicative enrollment, as well as to inform prescription decisions as part of a plan of care. SAMHSA finalized an expanded Section 2.34 to permit disclosure of certain patient information to all treating providers on request, for purposes of informed decision-making and preventing duplicative treatment plans.
Similarly, given the opioid epidemic, SAMHSA recognizes the value of opioid treatment program (OTP) providers disclosing patient identifying information to a prescription drug monitoring program (PDPM). SAMHSA thus finalized a new Section 2.36, to permit OTPs and other lawful holders to disclose data to the respective state PDPM when dispensing medications upon prior written consent of the patient
Undercover Agents/Informants (42 C.F.R. § 2.67). Section 2.67 has generally prohibited the placement of undercover agents or informants in a Part 2 program except as specifically authorized by a court order for the purpose of investigating a Part 2 program, or its agents or employees, for allegations of serious criminal misconduct, and in such cases for no more than 6 months. SAMHSA finalized changes which extend this period to 12 months, while authorizing courts to further extent a period of placement through a new court order.
Disposition of Records (42 C.F.R. § 2.19). Finally, SAMHSA includes additional guidance in the final rule preamble on how employees, volunteers, and trainees of Part 2 programs should handle communications with patients on personal devices and accounts. SAMHSA further clarified that if any patient contact is made through the personal email or cell phone account of an employee, volunteer, or trainee, then the Part 2 requirement of “sanitization” following discontinuation of the Part 2 program can be met by deleting the message(s).
 In August 2019, HHS issued two notices of proposed rulemaking (“NPRMs”) related to Part 2. The current final rule only addresses one of those NPRMs, available at 84 Federal Register 44568 (Aug. 26, 2019). The final rule does not address proposed changes to section 2.63(a)(2) regarding disclosures to investigate or prosecute crimes. In addition to the final rule, SAMHSA also published this Fact Sheet which provides additional detail of what has and hasn’t changed under the new rule.
 For example, SAMHSA noted in the commentary to the final rule that the “language of § 2.33(b) represents an interim and transitional step towards more flexibility in consented-to disclosures for purposes of care coordination and case management, consistent with the realignment to the HIPAA privacy rule that is required by several provisions under the CARES Act. Again, HHS intends to publish a new NPRM and subsequently to issue final implementing regulations for the CARES Act in the future.”
 SAMHSA confirmed in the final rule at 85 Fed. Reg. 42987.
 SAMHSA had originally included the list in the preamble to the 2018 updates to Part 2, but did not include in the final rule itself out of concern that “rapid changes occurring in the healthcare payment and delivery system could render any list of activities included in the regulatory text outdated.”
For more information, please contact Alicia Macklin in Los Angeles, Amy Joseph in Boston, Andrea Frey or Paul Smith in San Francisco, Monica Massaro in Washington, D.C., or your regular Hooper, Lundy & Bookman contact