By: Jason D. Gregoire, Esq.,
Sheehan Phinney Bass & Green, PA

In January 2017, the Substance Abuse and Mental Health Services Administration (SAMHSA) made the first major, substantive amendments to 42 C.F.R. part 2 (part 2), the federal regulations governing confidentiality of substance use disorder treatment records, since 1987. The amendments were largely aimed at allowing the exchange of patient identifying information (PII) within clinically integrated networks, accountable care organizations, and health information exchanges. The amendments also clarified the permissible purposes for which a part 2 program may disclose PII to contractors and vendors known as Qualified Service Organizations.

When SAMHSA issued the January 2017 amendments, it also issued a supplemental notice of proposed rulemaking (SNPRM) in which it sought comments on topics such as an abbreviated notice of prohibition on re-disclosure, alignment of part 2 with HIPAA/HITECH, and the ability to re-disclose PII for treatment, payment, and health care operations purposes. On January 3, 2018, SAMHSA issued a final rule (Final Rule), which further amends the part 2 regulations. The Final Rule became effective on February 2, 2018 and contains three major changes.

I. Re-Disclosures by Lawful Holders for Payment and Health Care Operations
(42 C.F.R. § 2.33)

First, the Final Rule permits a “lawful holder” of PII to re-disclose PII to its contractors, subcontractors, or legal representatives for payment and/or health care operations purposes. A “lawful holder” is an individual or entity who has received PII under a part 2-compliant patient consent. SAMHSA has provided the following examples of “lawful holders”: a patient’s treating provider, a hospital emergency room, an insurance company, an individual or entity performing an audit or evaluation, or an individual or entity conducting scientific research. Importantly, a part 2 program is not a “lawful holder” and, thus, part 2 programs cannot disclose PII for payment or health care operations without a valid patient consent.

Before the Final Rule, lawful holders were not allowed to re-disclose PII to any of their contractors, subcontractors, or legal representatives for payment or health care operations without a separate patient consent from the consent obtained by the part 2 program. Under the Final Rule, lawful holders may now re-disclose PII to those contractors, subcontractors, or legal representatives it engages for payment or health care operations purposes. For example, a patient’s treating provider who receives PII from a part 2 program under a patient consent may now disclose this PII to its third-party billing service for payment. Unlike HIPAA, the Final Rule does not allow part 2 programs or lawful holders to disclose PII for diagnosis, treatment, referral for treatment, case management, or care coordination purposes, so patient consent is still required.

When disclosing PII under the new standard described above, lawful holders must provide contractors, subcontractors, or lawful holders with the notice of prohibition on re-disclosure required by part 2. Additionally, lawful holders may only re-disclose information necessary for the contractor, subcontractor, or legal representative to perform its duties under the parties’ contract.

In light of this new category of permissible disclosures, the Final Rule also mandates that lawful holders have a written contract, or “comparable legal instrument,” with any contractor, subcontractor, or legal representative to whom the lawful holder intends to re-disclose PII for payment or health care operations purposes. The contract or legal instrument must state that the party receiving the information from the lawful holder is “fully bound by the provisions of part 2 upon receipt of the [PII].” The contract must also require the recipient of PII to adopt “appropriate safeguards” to prevent unauthorized uses and disclosures. In addition, the contract must require the recipient to report any unauthorized uses, disclosures, or breaches of PII to the lawful holder. Moreover, the contract may not permit a recipient to re-disclose information to a third party unless that third party is a contracted agent of the recipient who is helping the recipient provide services described in the contract with the lawful holder, and as long as the third party only discloses PII back to the recipient (i.e., above-stream contractor) or lawful holder. The Final Rule gives lawful holders two years—February 2, 2020—to implement new contracts or bring their existing contracts into compliance.

SAMHSA published a list of 17 illustrative payment and health care operations activities in the preamble to the Final Rule, but chose not to codify this list in the body of the regulations because “the health care system continues to evolve.” Examples of the 17 permissible payment and operations activities include (a) billing, claims management, and collection activities; (b) clinical professional support services (e.g., utilization review, and quality assessment improvement initiatives); (c) assessment of practitioner competencies, and training of health care professionals and student trainees; (d) arranging for medical review, legal services, and auditing functions; (e) accreditation, certification, licensing, or credentialing activities, and (f) activities related to addressing fraud, waste, and abuse.

II. Abbreviated Notice of Prohibition on Re-Disclosure (42 C.F.R. § 2.32(a))

Since 1983, part 2 has required part 2 programs to provide a nearly one-page notice of prohibition of re-disclosure when it discloses PII to a third-party with patient consent. However, in recent years part 2 providers have complained about the length of the required notice because many electronic health record (EHR) systems do not have sufficient space to allow providers to enter the required notice. This is because most EHR systems have a standard limit of 80 characters in the free text space that may be used to transmit the notice of prohibition on re-disclosure.

Accordingly, in recognition of the widespread use of EHRs, and in order to facilitate further adoption of EHR systems, SAMHSA has approved the following abbreviated notice: “Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.” Part 2 programs can now use either the long-form or short-form notice whenever disclosing PII electronically or in paper form.

III. Audit and Evaluation Activities (42 C.F.R. § 2.53)

In the SNPRM, SAMHSA proposed changes to clarify that audits and evaluations may be performed on behalf of federal, state, and local governments providing financial assistance to, or regulating the activities of, part 2 programs and lawful holders. SAMHSA also proposed changes to make clear that audits and evaluations may be performed on behalf of third-party payors, Medicare, Medicaid, or the Children’s Health Insurance Program and that these entities may re-disclose PII to their contractors, subcontractors, or legal representatives.

In the Final Rule, SAMHSA clarified that the above-referenced audits may be performed and that federal, state, local, and payor entities may disclose PII to contractors, subcontractors, and legal representatives assisting them with audits or evaluation activities. The information can be used to audit or evaluate the part 2 program or to investigate or prosecute criminal or activities, as authorized by a court order in compliance with part 2’s court order requirements.
Information disclosed under Section 2.53 may only be disclosed back to the part 2 program or lawful holder who disclosed to the entity performing the audit or evaluation activities.

IV. Alignment of Part 2 with HIPAA/HITECH

Since the issuance of the Final Rule, commentators have critiqued SAMHSA for failing to take meaningful steps to align part 2 with HIPAA. Specifically, commentators have lamented that SAMHSA did not authorize disclosures for treatment purposes without a patient authorization as allowed by HIPAA.

In the comments to the Final Rule, SAMHSA explained that it attempted to align the Final Rule with HIPAA and the HITECH Act “to the extent feasible,” but that the limitations in the governing statute, 42 U.S.C. § 290dd-2, prevented SAMHSA from going further. SAMHSA also included stressed that part 2 imposes “more stringent federal protections than other health privacy laws such as HIPAA.” Nevertheless, SAMHSA specified that it will continue to review these issues and “plans to explore additional alignment with HIPAA.”

V. Conclusion

The Final Rule became effective on February 2, 2018. The amendments concerning audit and evaluation activities and the abbreviated notice of prohibition on re-disclosure are immediately effective. Contracts and legal instruments between lawful holders and contractors, subcontractors and legal representatives must be brought into compliance with the above-stated requirements by February 2, 2020. Part 2 programs, lawful holders, and contractors should consult with legal counsel and other advisors to ensure they are taking all necessary steps to come into compliance with the Final Rule and the 2017 rule amendments.

Note that all quoted language in this article comes from the Final Rule, which can be found at 83 Fed. Reg. 239 (Jan. 3, 2018).