Analysis: Substance Abuse Confidentiality Rule Changes
Experts Assess Modifications and Whether Further Alignment With HIPAA Is Needed

Despite receiving requests to better align a federal rule regarding the confidentiality of substance abuse records with the requirements of HIPAA, federal regulators only made minor tweaks to the confidentiality rule. Some experts say Congress would have to take action to pave the way for further changes to better align the requirements of the two regulations.
A final rule published in the Federal Register on Wednesday by the Substance Abuse and Mental Health Services Administration - or SAMHSA - of the Department of Health and Human Services makes changes regarding federal regulations governing the Confidentiality of Substance Use Disorder Patient Records, more commonly called 42 CFR Part 2.
SAMHSA announces the finalization of proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2. Visit https://t.co/HvtVffTWBy to learn about the final rule.
— SAMHSA (@samhsagov) January 2, 2018
SAMHSA notes in the final rule that it had received public comments on its notice of proposed rulemaking - issued last January - in which some commenters suggested better aligning 42 CFR part 2 regulations - which pertain to the use and disclosure of data of substance disorder patients who participate in certain federal programs - with HIPAA.
Under HIPAA, patients' protected health information can be shared among covered entities and business associates for payment, treatment and healthcare business operations. Under 42 CFR part 2, however, there are much tighter restrictions on use, disclosure and redisclosure of patient records involving substance disorders.
But SAMHSA's final changes to better align 42 CFR Part 2 regulations with HIPAA were relatively narrow; they allow more flexibility for disclosures of patient data related to payment and business operations, but not much else.
Comparison to HIPAA
SAMHSA notes in the final rule that commenters advocating for better alignment of 42 CFR Part 2 regulations with HIPAA argued that the move would, among other things, promote information flow between providers, including a clinically complete patient record, to improve patient care; allow providers and administrators of services greater discretion; help facilitate interoperability; enhance privacy protections by making confidentiality restrictions more uniform across health care settings; and promote innovative models of healthcare delivery, including integrated and coordinated care.
But privacy advocate Deborah Peel, M.D., says that the stricter 42 CFR Part 2 regulations should not be watered down to better align with HIPAA, but rather that HIPAA standards need to be raised higher to match the requirements of 42 CFR Part 2.
"42 CFR Part 2 should be the standard for the use of all U.S. health data. It's the only workable, ethical and effective way to rebuild trust in physicians and health professionals and enable us to move our data to those we trust," says Peel, a psychoanalyst and founder of the advocacy group Patient Privacy Rights.
"It's time to face facts: Not only will sharing and selling intimate data about addiction and substance abuse treatment drive people away from treatment, but it threatens democracy, liberty and the freedoms we've taken for granted. The destruction of trust in doctors and medicine pales in comparison to the destruction of America's democracy. We are by far the most intimately tracked and surveilled people in the Western World. No other supposedly free, democratic nation has such comprehensive, detailed, intimate data on its entire population."
Sizing Up the Changes
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says that the most significant change by SAMHSA in the 42 CFR Part 2 Final Rule "makes it easier to share substance abuse treatment information for payment and healthcare operations. Currently, 42 CFR Part 2 generally requires substance abuse disorder programs or providers to obtain patient consent for most uses and disclosures of patient information, and prohibits redisclosure in most circumstances without patient consent. This final rule will permit redisclosure of substance abuse disorder data to contractors for purposes of payment and health care operations."
While it will be easier to share substance abuse treatment information for payment and healthcare operations, patient consent will still be required for other substance disorder disclosures, such as those related to patient diagnosis, treatment or referral for treatment, to other healthcare providers, he explains.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine points out: "This final rule takes a very small step toward aligning 42 CFR Part 2 with HIPAA, since both rules now provide health plans the ability to share patient information with business associates without patient consents that specify the business associate by name."
There's still a long way to go to more fully align 42 CFR part 2 and HIPAA, Greene notes.
"But without Congress changing the statute that governs the part 2 rule, we may not be able to see the level of alignment between the two sets of regulations that many are seeking," Greene says.
Privacy attorney Kirk Nahra of the law firm Wiley Rein offers a similar assessment. "This is an additional increment in the efforts to try to make sense of the Part 2 rules - which go back to the 1970s - with a modern healthcare environment."
Although SAMHSA notes in the final rule that HHS is assessing how to move these rules closer to HIPAA, "they will never get there, because there is a statute in place that won't let the rules go that far," Nahra says.
"There remains a real question as to whether this [substance disorder] information needs to be protected differently than everything else that is protected under HIPAA, but that is a decision that Congress will need to change," he says. "For now, there will continue to be confusion and complexity, and relevant affected healthcare entities - and their contractors and their data recipients - will need to spend time and money to try to separate out how they handle this kind of information from everything else that they handle. We also will see - over a two-year phase-in period - more changes that will need to be made to vendor contracts."
These additional requirements are designed to create "disincentives to disclose this category of information, but that is not always in the interest of the patient, and runs counter to some other efforts to improve information sharing efforts," he says. "While we haven't seen much enforcement of these requirements, this is still and will remain an area fraught with regulatory landmines."
Redisclosure Red Flags
Holtzman notes that 42 CFR Part 2 regulations require that each disclosure of substance abuse disorder treatment data made with patient consent include a mandated notice of the prohibition of redisclosure.
But SAMHSA in its notice of proposed rule-making had sought comment on whether an abbreviated notice of the prohibition on redisclosure of part 2 data should be allowed in some instances.
"SAMHSA considered recommendations of alternatives to communicate or alert recipients of this substance abuse disorder data of the prohibition on redisclosure," Holtzman notes. "Ultimately, in the final rule, SAMHSA rejected alternatives to the written notice while providing an option of an abbreviated notice consisting of 80 characters designed to be accommodated by the capabilities of an electronic health record system."
Breach Notification
While 42 CFR Part 2 regulations are stricter than HIPAA when it comes to use and disclosure of patient information, the regulations - including the new modifications - do not specifically address special breach notification requirements, Holtzman notes.
"42 CFR Part 2 generally requires substance abuse disorder programs or providers to obtain patient consent for most uses and disclosures of patient information, and prohibits redisclosure in most circumstances without patient consent," Holtzman says.
"The SAMHSA regulations do not have specific provisions concerning notification to the patient in the event of an unauthorized use or disclosure. This same data may also be protected health information subject to the HIPAA privacy and breach notification rules when the health information is maintained by a HIPAA covered entity or their business associate.
"It is critical that in the event of an unauthorized use or disclosure of this data that the organization assess what confidentiality protections apply, and any notification requirements must be met."