Healthcare Informatics Magazine

SAMHSA Issues Final Rule Updating Substance Abuse Confidentiality Regulations

January 3, 2018
by Heather Landi

The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), has finalized proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, aimed at supporting payment and healthcare operations activities while protecting the confidentiality of patients.

The finalized rule, posted to the Federal Register on Tuesday, where it is available for review, builds on changes to 42 CFR Part 2 made last year. In a final rule published last January, SAMHSA updated 42 CFR Part 2 rules by allowing patients to provide a general disclosure for substance abuse information, rather than limiting authorization to a specific provider.

The Confidentiality of Substance Use Disorder Patient Records regulation, 42 Code of Federal Regulations Part 2 (Part 2), protects the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research. Under Part 2, a federally assisted substance use disorder program may only release patient identifying information with the individual’s written consent, pursuant to a court order, or under a few limited exceptions.

The 42 CFR Part 2 regulations restricting how data of patients with substance use disorders (SUDs) is shared were written in 1975 out of concern that the information could be used against individuals, causing them to avoid seeking needed treatment. But as written, the regulation required the patient to consent every time their data was shared or accessed, which health information exchanges (HIEs) and healthcare organizations have found very difficult to implement.

The final rule published Tuesday will permit healthcare providers, with patients’ consent, to more easily conduct such activities as quality improvement, claims management, patient safety, training, and program integrity efforts, according to Elinore F. McCance-Katz, M.D., the nation’s first Assistant Secretary for Mental Health and Substance Use. “This final rule underscores our commitment to ensuring persons with substance use disorders receive integrated and coordinated care,” she said in a statement.

Dr. McCance-Katz said that modernizing Part 2 is one way that SAMHSA strengthens the nation’s efforts to reduce opioid misuse and abuse and to support patients and their families confronting substance use disorders. The rule also reflects an effort to better align Part 2 requirements with those of the Health Insurance Portability and Accountability Act (HIPAA), HHS officials said.

Major provisions in this latest rule include:

  • The final rule permits additional disclosures of patient identifying information, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities.
  • The final rule permits additional disclosures of patient identifying information to certain contractors, subcontractors, and legal representatives for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.
  • The final rule will assist users of electronic health records (EHRs) by permitting use of an abbreviated notice of prohibition on re-disclosure more easily accommodated in EHR text fields.


The rule SAMHSA issued a year ago updating 42 CFR Part 2 was the first major, substantive revision to Part 2 in nearly 30 years, but many in the provider community criticized the approach taken and called for closer alignment with HIPAA. In that rule, SAMHSA aimed to facilitate the sharing of information within the healthcare system to support new models of integrated healthcare. But some associations attested at the time that the rule makes sharing clinical information for treatment purposes more difficult.

As reported by Healthcare Informatics’ Contributing Editor David Raths last January, the Partnership to Amend 42 CFR Part 2, a coalition of nearly 30 healthcare organizations committed to aligning Part 2 with HIPAA, put out a statement saying that the final rule takes helpful steps to modernize Part 2, but it does not go far enough.

“The new final rule makes important updates, but more work needs to be done. We look forward to working with our partners and Congress this year to improve the confidentiality law so that it continues to offer important patient protections without impeding good care,” said Jeffrey Goldsmith, M.D., president of the American Society of Addiction Medicine, in a prepared statement.

Some health privacy lawyers and leaders in the behavioral healthcare communities have noted that the only way to align Part 2 rules with HIPAA is through legislation, and there have been recent efforts in Congress to accomplish that. U.S. Senators Joe Manchin (D-WV) and Shelley Moore Capito (R-WV) introduced the Protecting Jessie Grubb’s Legacy Act (Legacy Act) this week, legislation that aims to bring the regulations governing substance use disorder treatment records into better alignment with the privacy rules and protections for other medical records.

