The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), issued a final rule on January 3, 2018 to the federal regulations governing the confidentiality of health information in federally-assisted substance use disorder (SUD) programs, found in 42 CFR Part 2 and known as “Part 2.” Published less than a year after SAMHSA issued a final rule extensively revising Part 2, this final rule adopts changes that were proposed by SAMHSA in a Supplemental Notice of Proposed Rulemaking issued with the final rule. This rule is effective February 2, 2018. Part 2 generally requires a federally-assisted SUD program to obtain the patient’s consent before disclosing identifying information outside the program. This includes disclosures to providers. As a rule, the consent must identify the persons or entities to whom the disclosure may be made. This would preclude the recipient – another health care provider, for example – from disclosing the information to his or her contractors, unless they were identified in the original consent. The new rule now allows lawful holders and their legal representatives to further use and disclose Part 2 patient information for purposes of payment, health care operations and audits and evaluations without patient consent. The person making the disclosure must have a contract with the recipient, and each disclosure must be accompanied by a re-disclosure notice, but the new rule includes an option for an abbreviated notice that can be more easily included in electronic communications. Below follows a brief summary of the major provisions in the final rule: Disclosures under the new rule are allowed only for payment and health care operations; consent is still required for disclosure for purposes of diagnosis, treatment, or referral for treatment. SAMHSA included a proposed non-exclusive list of 17 specific payment and operations activities in the preamble to the Final Rule. Although the proposed rule had included the 17 activities in regulatory text, the Final Rule included the list only in the preamble because of concerns that “rapid changes occurring in the healthcare payment and delivery system could render any list of activities included in the regulatory text outdated.” SAMHSA, however, reiterated its position that the payment and health care operation activities, whether included in the list of 17 activities or not, are not intended to encompass diagnosis, treatment or referral activities. To protect against payment and health care operation activities encroaching on diagnosis, treatment or referral activities, SAMHSA stated that care coordination and case management are not health care operation activities under the final rule. Notably, SAMHSA did not extend Section 2.33(b) to Qualified Service Organizations (QSOs), such as ACOs or HIEs, which remain exempt from Part 2’s restrictions on disclosure of SUD information. Instead, QSOs must still execute a QSO agreement with Part 2 programs and agree to be bound by Part 2 before providing services such as bill collecting, laboratory analyses, legal or accounting functions, or population health management. Throughout the commentary, SAMHSA addressed calls from advocates, including from the President’s White House Opioid Commission, to align Part 2’s requirements with those of HIPAA, the HITECH Act, and their implementing regulations. Although the final rule reflects alignment efforts by SAMHSA “to the extent feasible,” the agency noted that the Part 2 regulation is “separate and distinct” from other patient privacy laws and provides more stringent protections to prevent individuals from discrimination and legal consequences if their information is improperly used or disclosed. Over the next year, SAMHSA intends to continue exploring additional alignment with HIPAA, including further updates to Part 2. Hooper, Lundy & Bookman provides a range of legal services relating to health information privacy, security and technology. For more information, please contact: In San Francisco, Andrea Frey, Paul Smith, Steve Phillips or Katrina Pagonis at 415.875.8500; in Los Angeles, Hope Levy-Biehl at 310.551.8140; in Washington, D.C., Bob Roth at 202.580.7701; or in Boston, Amy Joseph 617.532.2702.
Professional