HHS Proposes Changes to Substance Use Disorder Data Confidentiality Rules to Improve Care Coordination

The Substance Abuse and Mental Health Services Administration (“SAMHSA”) has published a notice of proposed rulemaking (“NPRM”) to revise its regulations on the Confidentiality of Substance Use Disorder Patient Records at 42 C.F.R. part 2 (“Part 2”). The NPRM, which is part of the Department of Health & Human Services’ (“HHS”) Regulatory Sprint to Coordinated Care, creates incremental steps to balancing the need for increased information exchange for care coordination among substance use disorder (“SUD”) treatment providers while maintaining safeguards for the confidentiality of SUD patient records. Other changes described in the NPRM are intended simply to improve clarity due to confusion around certain Part 2 requirements.

Entities that have been struggling to access or share SUD information for care coordination have an opportunity to submit comments by October 25, 2019.

I. Background

The Part 2 regulations were promulgated to protect the confidentiality of patient records created by “Part 2 programs” due to the stigma associated with SUDs that can deter patients from seeking treatment since SUD patients may encounter discrimination or other negative consequences if their information is improperly disclosed or accessed. To be considered a Part 2 program, an individual or entity must be both “federally assisted” and a “program” as defined under the regulations. Programs generally include individuals and entities that hold themselves out as providing, and do provide, SUD diagnosis, treatment, or referral for treatment.

Part 2 generally prohibits Part 2 programs from sharing SUD-related information without written patient consent except in limited circumstances, such as in a bona fide medical emergency, for research, in the course of an audit or evaluation, or pursuant to a court order. These prohibitions have often caused confusion and frustration among health care providers, health plans, and other health care entities that may share, receive, or otherwise maintain Part 2 records as part of treating individuals with SUDs, particularly because they are often much more restrictive than the requirements of other health care information confidentiality laws such as the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”).

II. Important Takeaways of the Part 2 NPRM

A.     For Health Care Providers Who Are/Are Not Subject to Part 2

SAMHSA seems to be attempting to limit the scope and applicability of the Part 2 Rules through a variety of proposed policies. First, SAMHSA’s NPRM proposes various amendments to the Definitions and the Applicability sections of Part 2 to clarify the types of “records” that are subject to Part 2’s restrictions, and when Part 2 does not apply to treatment records created by a non-Part 2 providers.

For example, if the NPRM’s changes are finalized, the following fact scenarios would not subject the resulting medical records to Part 2’s restrictions:

• SUD information is conveyed orally by a Part 2 program to a non-Part 2 provider for treatment purposes with patient consent, and the non-Part 2 provider reduces the information to writing.
• A non-Part 2 provider receives SUD records from a Part 2 program and uses these records to inform subsequent independent conversations with the patient, and then creates new records based on these patient conversations that mention the patient’s SUD status and related care.

In contrast, if a non-Part 2 provider directly incorporates written SUD record information from a Part 2 program into the non-Part 2 provider’s own records, such records would generally be subject to Part 2’s restrictions. These amendments should clarify non-Part 2 providers’ obligations with respect to their own records and help resolve common misunderstandings about the applicability of Part 2, which in turn will help care coordination efforts.  

The intent of this provision is to allow a non-Part 2 provider to receive SUD information from a Part 2 program and use that information to inform a treatment discussion with the patient without fear of creating records subject to Part 2 protection. SAMHSA expressly notes that a non-Part 2 provider would not be able to abuse the rules by transcribing extensively from a Part 2-covered record without having a clinical purpose for doing so.

SAMHSA also proposes to allow non-opioid treatment program (“non-OTP”) providers that have a treating provider relationship with a particular patient to query a central registry. SAMHSA also proposes to allow OTPs and other lawful holders to enroll in PDMPs and disclose dispensing and prescribing data to PDMPs as required under applicable state law and subject to patient consent. These changes are intended to help prevent duplicative enrollments in SUD care, excessive opioid prescriptions, and SUD-related adverse drug events.

The NPRM does not, however, change a non-Part 2 provider’s obligation to maintain compliance with Part 2 for SUD records directly received from Part 2 programs. If a non-Part 2 provider wants to maintain a copy or transcription of the Part 2 entity’s SUD records for a particular patient, those records still must be maintained separately to ensure that the entire record held by the non-Part 2 entity is not subject to Part 2’s onerous restrictions. SAMHSA notably declined to include a formal definition of “segmented” and “segmentation,” because a formal definition might have unforeseen technical consequences for electronic health records (“EHRs”) and health information exchanges (“HIEs”) in the future.  We describe the implications for EHRs and HIEs later in this alert. 

Providers should take note of SAMHSA’s proposal to amend these provisions by allowing a patient to consent to the disclosure of her information by a Part 2 program to an entity without a treating provider relationship.  Under current Part 2 regulations, if a patient wants to consent to the disclosure of her Part 2 information to an entity lacking a treating provider relationship with the patient, the patient must either (1) designate the entity if it is a third-party payer, or (2) designate by name the specific individual who would receive the information.  If finalized, the NPRM’s changes to the regulation would allow Part 2 programs to share a patient’s SUD records if the patient’s consent simply lists the organization on the “to whom” portion of the consent form instead of identifying a specific individual at the organization. For example, if a patient wants a Part 2 program to disclose her information to the Social Security Administration for a determination of benefits, the patient may do so by listing the Social Security Administration on the consent form. This change should make it easier for patients to consent to the disclosure of their Part 2-covered information when needed to apply for services and benefits. 

Last, the NPRM proposes to allow a Part 2 program to disclose Part 2 information to medical personnel without patient consent as necessary to deliver SUD services in a natural or major disaster. Such a disclosure is permissible if the Part 2 program is closed and unable to either provide services or obtain the patient’s consent due to a state of emergency as declared by a state or federal authority.

B.     For Health Plans That Receive, Process, and Send Part 2 Information

In the NPRM, SAMHSA reiterates the clarification it issued in the 2018 Part 2 rule,[1] that if a patient consents to the disclosure of her Part 2 information for payment or certain health care operations, the recipient of such information (i.e., a “lawful holder”) may further disclose such information to its contractors, subcontractors, and legal representatives for payment or certain health care operations.  SAMHSA then proposes to amend § 2.33(b) to expressly include a list of 17 specific types of payment and health care operations in the regulatory text and further clarify that the list is illustrative, not exhaustive.  Of note to health plans, the 17 types of payment and health care activities include, but are not limited to:

• Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
• Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
• Activities related to addressing fraud, waste and/or abuse;
• Conducting or arranging for medical review, legal services, and/or auditing functions;
• Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
• Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
• Resolution of internal grievances;
• Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
• Risk adjusting amounts due based on enrollee health status and demographic characteristics; and
• Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.

Part 2 permits certain disclosures of Part 2 information in the course of conducting audits and evaluations on behalf of governmental agencies, third-party payers, and quality improvement organizations. SAMHSA proposes various changes to improve clarity about what is permissible under this provision, particularly to address confusion about what constitutes an audit or evaluation since Part 2 does not define these terms. Of note to health plans, SAMHSA proposes to clarify that audits or evaluations may include reviews to determine if a payer should be taking any additional actions at the health plan level to improve care and outcomes for covered patients in a Part 2 program. Audits or evaluations also include activities to (1) target limited resources more effectively; (2) determine the need for adjustments to payment policies for SUD care; or (3) review the appropriateness of medical care, medical necessity, and utilization of services.

C.     For Electronic Health Records/Health Information Exchanges

EHRs and HIEs should be concerned about a similar set of issues to those that we summarized for health care providers and plans, particularly because they are increasingly the primary medium for sharing SUD records between Part 2 programs and entities that are not usually subject to Part 2, and subsequently storing and potentially updating the information in those records. 

As stated above, SAMHSA considered, and then abandoned, efforts to formally define how non-Part 2 providers should separate information subject to Part 2 from other health records that they have generated independently regarding the patient’s SUD, in part because of the potential technical implications for EHRs and HIEs.

SAMHSA also proposes other amendments to the consent requirements at § 2.31, including providing that if the intended recipient of the Part 2 records is an HIE or research institution, the written consent must include the name of the entity and either (1) the name(s) of an individual or entity participant(s), or (2) a general designation of an individual or entity participant(s) or class of participants, limited to a participant(s) who has a treating provider relationship with the patient. Therefore, where the recipient is an HIE or research institution, SAMHSA continues to limit the ability to use a general designation (e.g., “all my treating providers”) in the “to whom” section of the consent to those with a treating provider relationship. This is intended to help ensure that where a general designation is used, Part 2 information is only disclosed to individuals and entities on the patient’s health care team with a need to know the information. These changes nonetheless provide some additional flexibility by permitting HIEs to list on a consent form “entity participants” that do not have a treating provider relationship with a patient. This is a modest improvement over Part 2’s current restrictions on such disclosures.  

D.    For Research Institutions

Providers that are primarily serving as research institutions should focus on SAMHSA’s proposed amendments to the consent requirements at 42 C.F.R. § 2.31, which we describe in the section related to EHRs and HIEs immediately above. 

As background, Part 2 currently permits the disclosure of covered information for research purposes without patient consent if the recipient is a covered entity or business associate under HIPAA, and either (1) has obtained and documented authorization from the patient or a waiver or alteration of authorization consistent with HIPAA, or (2) is subject to HHS regulations regarding the protection of human subjects under the Common Rule. SAMHSA’s NPRM proposes to align Part 2’s research provisions with those of HIPAA and the Common Rule by allowing research disclosures of Part 2 information from a HIPAA covered entity or business associate to individuals and organizations who are neither HIPAA covered entities nor subject to the Common Rule. Such information must be disclosed in accordance with HIPAA’s research provisions at 45 C.F.R. § 164.512(i). This amendment should help alleviate obstacles to research involving SUD information and streamline varying legal requirements for research-related disclosures.

SAMHSA also proposes other revisions to Part 2’s research provisions to (1) clarify that certain research disclosures may be made to a HIPAA covered entity’s workforce members for employer-sponsored research, and (2) permit research disclosures to recipients who are covered by Food and Drug Administration regulations for the protection of human subjects in clinical investigations at 21 C.F.R. part 50, subject to certain requirements.

III. Separate Rulemaking Regarding Confidential Communications

SAMHSA also issued a separate notice of proposed rulemaking to clarify the circumstances in which a court may authorize the disclosure of confidential communications made by a patient to a Part 2 program. Specifically, under the NPRM, a court may authorize such a disclosure when the disclosure is necessary in connection with the investigation or prosecution of an extremely serious crime, even if it was not allegedly committed by the patient. This amendment is intended to correct an erroneous addition to the regulatory text and help address the opioid crisis by facilitating the prompt investigation and prosecution of opioid-related crimes allegedly committed by individuals other than patients.

IV. Preparing and Submitting Comments to the NPRM

SAMHSA’s NPRMs have wide-ranging implications for the full spectrum of stakeholders in the health care industry.  Providers, plans, EHRs, and HIEs should analyze the potential impact of the NPRM for their operations and take the opportunity to submit comments for SAMHSA’s consideration. Comments on the NPRM are due on October 25, 2019 (note that comments on the separate proposed rule regarding courts authorizing the disclosure of confidential communications are due on September 25, 2019). Crowell & Moring has extensive experience with Part 2 and can advise you on understanding the implications of these proposed changes on your business.