HHS Finalizes Amendments to Confidentiality Rules for Alcohol and Drug Abuse Patients

For the first time in thirty years, the Substance Abuse and Mental Health Services Administration (“SAMHSA”), a branch of the U.S. Department of Health and Human Services (“HHS”), issued a final rule amending 42 CFR Part 2 (commonly referred to as “Part 2”) which governs the confidentiality of alcohol and drug abuse patient records. The new rule aims to tackle privacy issues that deter many patients from obtaining treatment for substance use disorders and modernize the information exchange regulations to accommodate new health care delivery models that focus on integration of care. SAMHSA originally proposed the new rule in February 2016 and has now moved forward in finalizing the rule, which will become effective on February 17, 2017. Outlined below are some of the most significant changes implemented by the new rule.

A.  Changes to Consent Requirement for Disclosure of Patient Records

Under the existing regulations, before a provider could disclose patient records, the patient was required to sign a consent which named each entity or individual to which the disclosure would be made. This requirement was becoming more burdensome to satisfy as new integrated health care systems, which are founded on information exchange amongst providers, were introduced to the market. In integrated health care systems, such as Health Information Exchanges, Coordinated Care Organizations, Managed Care Organizations and Accountable Care Organizations, the patient would have to provide consent for each individual provider who participates in the patient’s care to permit an open exchange of information.

The new rule allows patients to make general designations with respect to what entities or individuals may receive their patient information, rather than specifically listing each provider to whom disclosures may be made. General designations may be made to entities that have a treating provider relationship with a patient, or in other words, entities that employ or privilege one or more individuals who have a treating provider relationship with the patient. A “treating provider relationship” is established, regardless if there is an actual in-person encounter, when a patient agrees to, and a provider undertakes the diagnosis, evaluation or treatment of any condition. For example, consent can be given for disclosure of patient information to a Managed Care Organization “and all treating providers.” Such consent would satisfy the proposed rule and it would be the named organization’s responsibility to establish methodologies for determining which of their providers have a treating provider relationship with the patient.

The new rule also requires providers to include a statement on their consent form that informs patients that, upon written request, they may obtain a list of all disclosures that were made pursuant to their general designation within the previous two years. An entity that receives such request must respond within 30 days by providing the names of all individuals to whom disclosures were made, the date of the disclosure, and a short summary of the patient identifying information which was disclosed.

B.  Additional Clarifications in the New Rule

(1) Electronic Patient Records 

The new rule incorporates electronic patient records throughout Part 2. Specifically, security requirements for patient records will now apply to both written and electronic records. In addition, entities will be required to establish formal policies and procedures to protect electronic records from unauthorized disclosures and to ensure that such files are properly sanitized when the entity terminates its Part 2 program. Such sanitization should include purging, destroying and/or de-identifying patient information in a manner that minimizes risk of re-identification.

(2) Prohibition on Re-Disclosure

The new rule also clarifies that the prohibition on re-disclosure of previously disclosed patient information only applies if the re-disclosure would identify the patient as being diagnosed with, treated for, or referred for treatment of a substance use disorder. In other words, the prohibition on re-disclosure does not apply to disclosures of other unrelated health conditions, such as high blood pressure, that a substance abuse patient may receive from a Part 2 program, as long as the disclosure would not directly or indirectly reveal that the patient has a substance use disorder.

(3) Research Disclosure Exception to Consent Requirement

Under the new rule, a Part 2 program, or any other lawful holder of Part 2 program data, may disclose patient identifying information for scientific if the researcher receiving such patient information meets one of the following three requirements: (1) the researcher is a HIPAA covered entity or business associate and provides documentation that he/she obtained research participants’ authorization, or a waiver or alteration of authorization, for use or disclosure of their information for research purposes consistent with the HIPAA Privacy Rule; (2) the researcher is subject to only the HHS Common Rule and provides documentation that the researcher is in compliance with the rule, including requirements relating to informed consent or a waiver of consent; or (3) the researcher is both a HIPAA covered entity or business associate and subject to the HHS Common Rule and he/she satisfies the requirements of both (1) and (2).

(4) Qualified Service Organizations Exception to Consent Requirement

Finally, the new rule amended the definition of Qualified Service Organizations (“QSOs”) to clarify that population health management is a type of service that may be offered by a QSO to a Part 2 Program. Part 2 Programs are permitted to disclose patient information without patient consent to QSOs, and therefore, this permission now extends to disclosure of patient information to QSOs for purposes of monitoring and improving health outcomes of their patient population.