Skip to main content

The Substance Abuse and Mental Health Services Administration (SAMHSA) of the U.S. Department of Health and Human Services (HHS) recently issued a Final Rule implementing changes to the regulations governing the Confidentiality of Substance Use Disorder Patient Records. The revisions go into effect Aug. 14, 2020, and are intended to facilitate better care coordination in response to the opioid epidemic while maintaining Part 2’s confidentiality protections against unauthorized disclosure and use. While the Final Rule expands the situations where a Part 2 program may disclose records, it does not alter the core confidentiality protection of substance use disorder (SUD) patient records created by federally assisted SUD treatment programs.

This GT Alert summarizes the Final Rule’s changes to Part 2.

Revised ‘Records’ Definition (§ 2.11)

Previously, the term “Records” was defined as “any information, whether recorded or not, created by, received, or acquired by a Part 2 program relating to a patient.” The Final Rule adds an exception to this definition, that “information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a record subject to this part in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider.” The effect of this change is to permit a Part 2 program to freely discuss the consenting patient’s SUD information orally with the patient’s primary care provider or other non-Part 2 treating provider, and the non-Part 2 provider can document such information in the non-Part 2 provider’s medical record without fear that the non-Part 2 provider’s own records would thereafter become subject to Part 2 confidentiality restrictions and requirements.

Applicability (§ 2.12)

The Final Rule further revises the regulatory text to state that the recording of information about a patient’s SUD by a non-Part 2 treating provider does not, by itself, render a medical record subject to the restrictions of Part 2, provided that the non-Part 2 provider segregates any specific SUD records received from a Part 2 program either directly, or through another lawful holder, to ensure such SUD records retain Part 2 confidentiality protections.

Consent Requirements (§ 2.31)

Since January 2017, SUD patients could only consent to the release of their SUD records to a recipient entity without a treating provider relationship that was not a third-party payer (e.g., entities providing social security benefits, local sober-living or halfway house programs, etc.) if the consent form also contained the name of the individual person at the recipient entity who would receive the SUD records. This requirement inadvertently caused challenges for patients because it was unclear at the time of requesting records for non-treatment purposes who specifically would need access to the SUD records. The Final Rule revises § 2.31 to allow patients to consent to the disclosure of their SUD records to a wide range of entities on the consent form without naming a specific individual to receive this information on behalf of a given entity. This change also makes it easier for patients to consent to the disclosure of their information for purposes of care coordination and case management by naming such organizations on the consent form. The consent requirements also revised the consents for disclosure of information to information exchanges and research institutions.

Prohibition on Re-Disclosure (§ 2.32)

Due to confusion regarding the existing re-disclosure restrictions, many non-Part 2 providers manually redacted portions of their disclosures to remove references identifying a patient as having or having had a SUD. The Final Rule revises the regulations to clarify that non-Part 2 providers do not need to redact information in their files that identifies a patient as having or having had a SUD if the non-Part 2 provider has means of identifying the Part 2-covered data (e.g., by segregating or segmenting the files received from a Part 2 program). Additionally, the Final Rule adds language to state that only the Part 2 record is subject to the prohibition on re-disclosure, unless further disclosure is either expressly permitted by written consent of the individual whose information is being disclosed in the record or is otherwise permitted by Part 2.

Disclosures Permitted with Written Consent (§ 2.33)

In the Final Rule, SAMHSA updates examples of permissible activities that it considers to be payment and health care operations activities under Part 2 as follows:

  1. Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
  2. Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
  3. Patient safety activities;
  4. Activities pertaining to:
    — the training of student trainees and health care professionals;
    — the assessment of practitioner competencies;
    — the assessment of provider and/or health plan performance; and/or
    — the training of non-health care professionals; 
  5. Accreditation, certification, licensing, or credentialing activities;
  6. Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
  7. Third-party liability coverage;
  8. Activities related to addressing fraud, waste and/or abuse; Conducting or arranging for medical review, legal services, and/or auditing functions;
  9. Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
  10. Business management and/or general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
  11. Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
  12. Resolution of internal grievances;
  13. The sale, transfer, merger, consolidation, or dissolution of an organization;
  14. Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  15. Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  16. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and
  17. Care coordination and/or case management services in support of payment or health care operations.

To further clarify that the above list is not exhaustive, the Final Rule adds that “other payment/health care operations activities [that are] not expressly prohibited [by Part 2]” may also be appropriate disclosures permitted with written consent pursuant to this provision.

Disclosures to Prevent Multiple Enrollments (§ 2.34)

Existing rules limited which providers could check a central registry to determine whether a patient was receiving opioid treatment. This hampered providers’ ability to ensure patient safety and prevent duplicative treatment plans, including medication that could place a patient receiving SUD treatment at risk. The Final Rule makes non-opioid treatment program (“non-OTP”) providers with a treating provider relationship with the patient eligible to query a central registry to determine whether the specific patient is already receiving opioid treatment. This prevents duplicative enrollments and prescriptions for excessive opioids, as well as adverse effects of drug interactions with other needed medications. Additionally, the rule permits non-member treating providers to access the central registries.

Disclosures to Prescription Drug Monitoring Programs (PDMPs) (§ 2.36)

SAMHSA had guidance stating that opioid treatment programs could not disclose patient information to a PDMP unless a Part 2 exception applied. SAMHSA has rescinded that guidance and amended the regulations to explicitly allow disclosure to PDMPs in certain situations. The Final Rule permits Part 2 programs to report any SUD medication prescribed or dispensed by it to the applicable state PDMP if state law requires the Part 2 program to report to the PDMP and the Part 2 program receives Part 2 compliant consent from the patient or the patient’s representative prior to its disclosure to the PDMP.

Medical Emergencies (§ 2.51)

Part 2 programs were only able to disclose patient identifying information to medical personnel without patient consent when there was a bona fide medical emergency in which the patient’s prior written consent could not be obtained. The Final Rule adds another “medical emergency” exception that allows disclosure to medical personnel when the Part 2 program is closed, unable to provide services, or unable to obtain the prior written consent of the patient during a temporary state or federally declared state of emergency due to a natural or major disaster. This new disclosure exception’s applicability is immediately rescinded when the Part 2 program resumes operation. The Part 2 program still must document the disclosure in the patient’s medical records.

Research Disclosures (§ 2.52)

The Final Rule allows disclosure of patient identifying information for research without patient consent. Specifically, the Final Rule allows research disclosures of Part 2 data by Part 2 programs who are HIPAA-covered entities or business associates if the data will be disclosed in accordance with the HIPAA standard for use and disclosures for research purposes. Additionally, Part 2 programs now will be permitted to make research disclosures to recipients who must comply with the FDA regulations for the protection of human subjects in clinical investigations, with appropriate documentation of compliance with FDA regulatory requirements.

Disclosures During Audits and Evaluations (§ 2.53)

Part 2 allowed disclosure of patient identifying information in the course of an audit or evaluation. However, the Final Rule clarifies that:

  • Government and third-party payer entities may conduct audits or evaluations to identify actions at the agency or payer level needed to improve patient care and outcomes, to target limited resources more effectively, or to determine the need for adjustments to payment policies for the care of patients with SUD;
  • Audit and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services;
  • Auditors may include quality assurance organizations, quality improvement organizations performing QIO reviews, and entities with direct administrative control over the Part 2 program (i.e., the SUD unit is a component of a larger behavioral health program or of a general health program); and
  • Part 2 programs may disclose patient identifying information to federal, state, or local government agencies, and to their contractors, subcontractors, or legal representatives for audit and evaluations required by statute or regulation if those audits or evaluations cannot be carried out using deidentified information.

Other Notable Changes

SAMHSA also made notable changes to the period undercover agents and informants may remain in Part 2 programs and clarified how Part 2 programs should handle communications on personal devices and accounts.

Undercover Agents and Informants

After Aug. 14, 2020, a court-ordered undercover agent or informant may be placed in a Part 2 program for a total of 12 months (up from 6 months) and that 12-month period may be extended by a new court order. The time period begins when the undercover agent or informant is placed on site with the Part 2 program.

Communications Using Personal Devices and Accounts

SAMHSA has also provided guidance on how Part 2 program employees (or volunteers or trainees) should handle patient communications received through personal email accounts or cell phones not used in the regular course of business for the Part 2 program. Instead of sanitizing the personal device and rendering the patient identifying information non-retrievable (and the device unusable) when that Part 2 program is discontinued, the employee should take action when the communication is received. Specifically, the employee should:

  • Immediately forward the text or email to an authorized channel,
  • Immediately delete the messages from his/her personal account and any synced personal devices, and
  • Only respond via the authorized channel unless a response from the personal account is in the best interest of the patient. If the best interest of the patient requires a response from the personal account, the messages should be forwarded to an authorized channel and subsequently deleted.

The changes ushered by this Final Rule will be followed by additional rulemaking within the next nine months, reshaping Part 2’s disclosure requirements and exceptions. As detailed in a previous GT Alert, further revisions significantly overhauling Part 2 to align it more closely with the HIPAA Privacy Rule will be promulgated by March 27, 2021.