Healthcare Informatics Magazine | Health IT | Information Technology

SAMHSA Issues Final Rule Updating Substance Abuse Confidentiality Regulations

January 3, 2018
by Heather Landi

The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), has finalized proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, aimed at supporting payment and healthcare operations activities while protecting the confidentiality of patients.

The finalized rule, posted to the Federal Register on Tuesday, where it is available for review, builds on changes to 42 CFR Part 2 made last year. In a final rule published last January, SAMHSA updated 42 CFR Part 2 rules by allowing patients to provide a general disclosure for substance abuse information, rather than limiting authorization to a specific provider.

The Confidentiality of Substance Use Disorder Patient Records regulation, 42 Code of Federal Regulations Part 2 (Part 2), protects the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research. Under Part 2, a federally assisted substance use disorder program may only release patient-identifying information with the individual’s written consent, pursuant to a court order, or under a few limited exceptions.

The 42 CFR Part 2 regulations restricting how data of patients with substance use disorders (SUDs) is shared were written in 1975 out of concern that the information could be used against individuals, causing them to avoid seeking needed treatment. But as the regulation was written, it required the patient to consent every time their data was shared or accessed, which health information exchanges (HIEs) and healthcare organizations have found very difficult to implement.

The final rule published Tuesday will permit healthcare providers, with patients’ consent, to more easily conduct such activities as quality improvement, claims management, patient safety, training, and program integrity efforts, according to Elinore F. McCance-Katz, M.D., the nation’s first Assistant Secretary for Mental Health and Substance Use. “This final rule underscores our commitment to ensuring persons with substance use disorders receive integrated and coordinated care,” she said in a statement.

Dr. McCance-Katz said that modernizing Part 2 is one way that SAMHSA strengthens the nation’s efforts to reduce opioid misuse and abuse and to support patients and their families confronting substance use disorders. The rule also reflects an effort to better align Part 2 requirements with those of the Health Insurance Portability and Accountability Act (HIPAA), HHS officials said.

Major provisions in this latest rule include:

  • The final rule permits additional disclosures of patient identifying information, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities.
  • The final rule permits additional disclosures of patient identifying information to certain contractors, subcontractors, and legal representatives for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.
  • The final rule will assist users of electronic health records (EHRs) by permitting use of an abbreviated notice of prohibition on re-disclosure more easily accommodated in EHR text fields.


The rule SAMHSA issued a year ago updating 42 CFR Part 2 was the first major, substantive revision to Part 2 in nearly 30 years, but many in the provider community criticized the approach taken and called for closer alignment with HIPAA. In that rule, SAMHSA aimed to facilitate the sharing of information within the healthcare system to support new models of integrated healthcare. But some associations contended at the time that the rule makes sharing clinical information for treatment purposes more difficult.

As reported by Healthcare Informatics’ Contributing Editor David Raths last January, the Partnership to Amend 42 CFR Part 2, a coalition of nearly 30 healthcare organizations committed to aligning Part 2 with HIPAA, put out a statement saying that the final rule takes helpful steps to modernize Part 2, but it does not go far enough.

“The new final rule makes important updates, but more work needs to be done. We look forward to working with our partners and Congress this year to improve the confidentiality law so that it continues to offer important patient protections without impeding good care,” said Jeffrey Goldsmith, M.D., president of the American Society of Addiction Medicine, in a prepared statement.

Some health privacy lawyers and leaders in the behavioral healthcare community have noted that the only way to fully align Part 2 rules with HIPAA is through legislation, and there have been recent efforts in Congress to accomplish that. U.S. Senators Joe Manchin (D-WV) and Shelley Moore Capito (R-WV) introduced the Protecting Jessie Grubb’s Legacy Act (Legacy Act) this week, legislation that aims to bring the regulations governing substance use disorder treatment records into better alignment with the privacy rules and protections for other medical records.

House Passes Bill to Align HIPAA, 42 CFR Part 2

June 22, 2018
by David Raths
Clinicians would be able to access entire patient record, including information about substance use disorders

The U.S. House of Representatives recently passed a bill designed to align 42 CFR Part 2 with HIPAA for the purposes of health care treatment, payment, and operations. One goal of the change is so that care can be better coordinated and providers can have appropriate access to all of a patient’s medical record, including information about substance use disorders.

“Doctors must have the whole picture on a patient’s medical history in order to safely and effectively treat that patient,” said U.S. Rep. Markwayne Mullin (R-OK), sponsor of the bill, in a prepared statement. “This includes any history of substance use disorder. The Overdose Prevention and Patient Safety Act will update the decades-old, outdated law, known as 42 CFR Part 2, which keeps mental health records separate from other health records. H.R. 6082 will modernize how doctors access their patients’ health records by streamlining 42 CFR Part 2 with current Health Insurance Portability and Accountability Act (HIPAA) regulations.”

Earl Blumenauer (D-OR) co-sponsored the legislation.

“It is encouraging that members of Congress recognize the importance of aligning the treatment of substance use disorder (SUD) records with how all other medical and behavioral health records are managed,” said Pamela Greenberg, president and CEO of the Association for Behavioral Health and Wellness, in a statement. “Clinicians need access to a patient’s full medical history, including substance use disorder records, to assess risks and adequately care for a patient. Our members contend that Part 2 is one of the biggest – if not the biggest – barrier to fighting the opioid crisis.”

ABHW is a health plan association working to improve access and quality of care for mental health and substance use disorders.
One Consultant’s Take on GDPR and How It Raises the Stakes for U.S. Healthcare Organizations

April 23, 2018
by Heather Landi

The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, is set to go into effect in one month, and the new regulation has far-reaching implications for organizations worldwide that collect personal information about European Union residents. In the U.S., physicians and healthcare providers will be facing new laws regarding the safeguarding of Personally Identifiable Information (PII) for EU patients.

GDPR was adopted in April 2016 and becomes enforceable on May 25, 2018. Enforcement is carried out by each member state’s data protection supervisory authority; in the UK that is the Information Commissioner’s Office (ICO). GDPR is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organizations across the region approach data privacy. The regulation applies to any organization that processes the personal data of individuals in the EU, whether that organization is established in the EU or not.

Moving forward, U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to the Health Insurance Portability and Accountability Act (HIPAA) regulation and other U.S. regulations. The GDPR will affect when and how a healthcare provider must report breaches, and fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed.

According to the website of the Spiceworks virtual IT community, in a nutshell, “the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things.”

What’s more, the GDPR imposes stiff fines on data controllers and processors for non-compliance, up to 4 percent of the organization’s global annual turnover or 20 million euros, whichever is higher. According to the EU GDPR website, this is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines: a company can be fined up to 2 percent of global annual turnover (or 10 million euros) for not having its records in order, not notifying the supervisory authority and data subjects about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning “cloud” providers will not be exempt from GDPR enforcement, according to the EU GDPR website.

According to the Spiceworks virtual IT community, the following are some, but not all, of the provisions organizations collecting or processing any personal data on EU residents must comply with if they want to avoid the risk of incurring potentially large financial penalties:

Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a “need to know” basis.

Consent — Under GDPR, where processing relies on consent, individuals must explicitly opt in; silence, pre-ticked boxes or inactivity do not count as consent. Additionally, an individual’s consent can be withdrawn at any time.

Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.

Breach notification — Under the regulation, in the event of a personal data breach, organizations must notify the supervisory authority within 72 hours of becoming aware of it, and must notify affected individuals without undue delay when the breach is likely to result in a high risk to them.

Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.

Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another. 

Data protection officers — Organizations whose core activities involve large-scale processing of personal data, or of special categories of data such as health data, must appoint a data protection officer (DPO).

John Barchie, a security consultant and senior fellow at Phoenix-based Arrakis Consulting, recently spoke with Healthcare Informatics’ associate editor Heather Landi to drill down further into the implications of the GDPR regulation for U.S. healthcare organizations and what steps organizations should be taking now to be compliant with GDPR. Below are excerpts of that interview, edited for length.

What are some of the key requirements of GDPR, and what do healthcare organization leaders need to know about the regulatory framework?

This is a disruptive regulation and it will require organizations to get their legal departments involved. Once it’s understood, it’s fairly straightforward. Healthcare organizations should already be fairly compliant with what GDPR is asking for. If an organization is strongly HIPAA compliant, then it will be much easier for them to absorb GDPR; if they have been going off HIPAA for a while, then GDPR is going to come as a shock.

There are some major categories that they need to be aware of—one is the concept of consent, and then the right to access. When we say the right to access, we mean the data subject’s right to access their own data. And then there is the data subject’s ‘right to be forgotten,’ and the data subject’s right to have their data portable. Then, there are the obligations of the processor and the controller—the controller is the one who is collecting the data from the data subject, and the processor is the one processing that data. If you give your data to a health system, that health system might have a sub-contractor that is processing the data. So, the health system would be the controller and the sub-contractor would be the processor. The controller and processor must have something built in called privacy by design.

The regulation requires a new role to be created called the data protection officer. In terms of HIPAA, it’s similar to the chief privacy officer, but it’s a different concept. The chief privacy officer is responsible for determining when data should legitimately be released. The purpose of the data protection officer is to ensure that the data is processed in a manner that is legal under the regulation. This role is a requirement if you’re going to be GDPR compliant.

There also are implications with regard to breach notification. In the U.S., we’re used to providing breach notification after our investigation, and with GDPR, you’ll need to inform the supervisory authority within 72 hours of identifying that a breach has occurred.

What steps should healthcare organizations be taking now to be GDPR-compliant?

The first thing is, you need to read the regulations; there are 99 articles within the regulation. The biggest thing organizations can do right now is go over their consent forms and evaluate how they collect the data. And then, on the back end, they need to actually diagram out how their data is processed. With regard to their consent form, that’s going to involve the legal department, as there are new requirements above and beyond what they are used to providing for HIPAA. And on the back end, on the clinical side, they really need to take inventory of where their data is and where it is processed. By that I mean, writing it down and having diagrams and data flows; all the things a regulator is going to look for when they come in and start asking questions.

The fact is, GDPR will be disruptive, and if organizations are starting now they are not likely, in my opinion, to be compliant by May 25. If you’re not going to be compliant by May 25, you need to show a willingness to comply. To show that willingness to comply, organizations should, at the very least, have their consent forms ready to go by May 25. Organizations also should know who their supervisory authority is (Article 51 of GDPR). They also should have taken inventory of all the uses and data processes. They should know, in writing, where that data is in the organization and who they are sub-contracting that data out to. The contracts with those sub-contractors also need to be updated. The goal is, if they have a working plan and even if they are only 60 percent done on the working plan when May 25 rolls around, they are probably in good shape, because they have a working plan and they are showing what’s known as a willingness to comply.

At an organization level, who should be involved in this work?

From an executive point of view, this should be a board-level item that the board discusses in a regular meeting and there should be board minutes as to how they intend to address GDPR. The executive steering committee should provide direction on how they intend to address GDPR. A program manager might need to be assigned the task of breaking out the project. The CIO should definitely be involved, as well as the CISO (chief information security officer). The head of customer service also should be involved, and, obviously, the organization’s chief privacy officer. Within IT, there has to be an understanding of where the data is and how it’s being processed. The database administrator, or the system administrator, will need to be involved. It’s not a one- or two-man show and it’s not just something IT does. There’s a lot that IT can’t do because it has to do with privacy and how information is released and handled. But, there is the technical piece that IT needs to do, such as the ‘right to be forgotten,’ that’s a big deal from an IT perspective.

What are the implications for health IT leaders specifically?

With regard to the data subject rights, the biggest one is the ‘right to be forgotten,’ which is a provision that says a data subject has the right to insist on the total and complete erasure of their data. If a data subject doesn’t want to do business with you, you should not be processing their data anymore. And that’s a technical challenge, as, technically, if you’re in a database, you’re in the database forever. With the ‘right to be forgotten,’ there needs to be a mechanism where an organization can guarantee that data is not being processed. That’s a tough row to hoe, especially for healthcare organizations or companies if they use that healthcare data as part of their research, as now that piece of research has been taken away from you, and that is the data subject’s right to say I’m not doing business with you, and by default, you’re not allowed to use my data anymore. That whole concept is foreign to healthcare organizations.

The key is, compliance officers at healthcare organizations need to read up on the regulations as GDPR changes the way organizations handle people’s data. It will be disruptive and already is disruptive to healthcare organizations that are in the middle of all this work.

ONC Names Kathryn Marchesini as Chief Privacy Officer

January 10, 2018
by Rajiv Leventhal

The Office of the National Coordinator for Health IT (ONC) has named Kathryn Marchesini as the federal agency’s chief privacy officer.

Marchesini, who has been working for the federal government since 2010, actually served as ONC’s acting chief privacy officer in 2014 prior to Lucia Savage being appointed permanently. According to an email that Don Rucker, M.D., National Coordinator for Health IT, sent to ONC staffers today, Marchesini “brings to her new role a wealth of experience as a senior advisor and deputy director for privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology, and health research.”

Deven McGraw was the deputy director of health information policy at the Department of Health & Human Services (HHS)’ Office for Civil Rights (OCR), a position she left in October. She had also been filling in as ONC chief privacy officer following Savage’s departure from the agency early in 2017.

Rucker noted that Marchesini has worked with the National Institutes of Health (NIH), and other federal agencies, “to provide strategic direction and substantive expertise at the intersection of privacy and security law, technology, and healthcare.” In her seven years at HHS, she served as deputy director for privacy, where she led ONC’s privacy team and helped with federal policy, guidance, and education initiatives addressing emerging health IT privacy and security-related issues, according to Rucker’s email.

Before joining HHS in 2010, Marchesini was a strategy and technology consultant at two global management consulting firms where she helped clients bridge the gap between business requirements, technology, and law.

There had been talk that ONC would have to eliminate the Chief Privacy Office in the aftermath of President Trump’s 2018 proposed budget, which at the time called for a $22 million cut to ONC funding. But Rucker has said since then that ONC will work together with OCR to support privacy functions.