Back to News and Insights

HHS Updates Rules on Confidentiality of Substance Abuse Records


The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), issued a final rule on January 3, 2018 to the federal regulations governing the confidentiality of health information in federally-assisted substance use disorder (SUD) programs, found in 42 CFR Part 2 and known as “Part 2.” Published less than a year after SAMHSA issued a final rule extensively revising Part 2, this final rule adopts changes that were proposed by SAMHSA in a Supplemental Notice of Proposed Rulemaking issued with the final rule. This rule is effective February 2, 2018.

Part 2 generally requires a federally-assisted SUD program to obtain the patient’s consent before disclosing identifying information outside the program. This includes disclosures to providers. As a rule, the consent must identify the persons or entities to whom the disclosure may be made. This would preclude the recipient – another health care provider, for example – from disclosing the information to his or her contractors, unless they were identified in the original consent.

The new rule now allows lawful holders and their legal representatives to further use and disclose Part 2 patient information for purposes of payment, health care operations and audits and evaluations without patient consent. The person making the disclosure must have a contract with the recipient, and each disclosure must be accompanied by a re-disclosure notice, but the new rule includes an option for an abbreviated notice that can be more easily included in electronic communications. Below follows a brief summary of the major provisions in the final rule:

  • Disclosures to Contractors, Subcontractors, or Legal Representatives for Payment and/or Health Care Operations (42 C.F.R. 2.33(b)): The final rule allows an individual or entity that receives information protected by Part 2 pursuant to a written consent to disclosure for payment and/or health care operations activities to further disclose the records to contractors, subcontractors, or legal representatives to carry out payment and/or health care operations activities without additional patient consent. Organizations that disclose patient identifying information to contractors must have a written contract with the recipient that provides that the contractor is bound by the provisions of Part 2, requires the contractor to safeguard the information and to report unauthorized uses and disclosures, and restricts re-disclosure by the contractor.

Disclosures under the new rule are allowed only for payment and health care operations; consent is still required for disclosure for purposes of diagnosis, treatment, or referral for treatment. SAMHSA included a proposed non-exclusive list of 17 specific payment and operations activities in the preamble to the Final Rule. Although the proposed rule had included the 17 activities in regulatory text, the Final Rule included the list only in the preamble because of concerns that “rapid changes occurring in the healthcare payment and delivery system could render any list of activities included in the regulatory text outdated.” SAMHSA, however, reiterated its position that the payment and health care operation activities, whether included in the list of 17 activities or not, are not intended to encompass diagnosis, treatment or referral activities. To protect against payment and health care operation activities encroaching on diagnosis, treatment or referral activities, SAMHSA stated that care coordination and case management are not health care operation activities under the final rule.

Notably, SAMHSA did not extend Section 2.33(b) to Qualified Service Organizations (QSOs), such as ACOs or HIEs, which remain exempt from Part 2’s restrictions on disclosure of SUD information. Instead, QSOs must still execute a QSO agreement with Part 2 programs and agree to be bound by Part 2 before providing services such as bill collecting, laboratory analyses, legal or accounting functions, or population health management.

  • Abbreviated Notice on Re-disclosure (42 C.F.R. 2.32): Part 2 requires any disclosure of SUD records made with the patient’s written consent to include a prohibition on re-disclosure. Previously, this required a lengthy written re-disclosure statement that did not fit in the standard, 80-character free-text space used by many EHR systems. In light of concerns voiced about character limits in EHR systems, SAMHSA adopted an abbreviated notice that providers may use as an alternative to the full notice. The abbreviated notice, which is 64 characters long to fit in standard free-text space within most EHR systems, reads: “42 CFR part 2 prohibits unauthorized disclosure of these records.”
  • Disclosures for Audit and Evaluation (42 C.F.R. 2.53): The final rule clarifies that lawful holders may also disclose certain information to contractors, subcontractors and legal representatives to carry out certain types of audits and evaluations. Such audits or evaluations may be performed on behalf of federal, state, or local governments providing financial assistance to, or regulating the activities of, both Part 2 programs and other lawful holders, and they may involve payment, quality improvement, or program integrity functions, among others, as are necessary to meet the requirements of a CMS-regulated program.

Throughout the commentary, SAMHSA addressed calls from advocates, including from the President’s White House Opioid Commission, to align Part 2’s requirements with those of HIPAA, the HITECH Act, and their implementing regulations. Although the final rule reflects alignment efforts by SAMHSA “to the extent feasible,” the agency noted that the Part 2 regulation is “separate and distinct” from other patient privacy laws and provides more stringent protections to prevent individuals from discrimination and legal consequences if their information is improperly used or disclosed. Over the next year, SAMHSA intends to continue exploring additional alignment with HIPAA, including further updates to Part 2.

Hooper, Lundy & Bookman provides a range of legal services relating to health information privacy, security and technology. For more information, please contact: In San Francisco, Andrea FreyPaul SmithSteve Phillips or Katrina Pagonis at 415.875.8500; in Los Angeles, Hope Levy-Biehl at 310.551.8140; in Washington, D.C., Bob Roth at 202.580.7701; or in Boston, Amy Joseph 617.532.2702.


Andrea Frey
Senior Counsel
San Francisco
Amy M. Joseph
Katrina A. Pagonis
San Francisco
Washington, D.C.
Robert L. Roth
Washington, D.C.
Paul T. Smith
San Francisco