Electronic Healthcare Records , Governance & Risk Management , Healthcare

HHS Proposes Changes to Substance Abuse Data Disclosures

Do the Proposals Go Too Far, or Not Far Enough?
HHS Proposes Changes to Substance Abuse Data Disclosures

The Department of Health and Human Services has issued proposed changes to privacy rules related to the sharing of patient records created by federally assisted substance use disorder treatment programs in an effort to improve treatment of those addicted to opioids and similar drugs.

See Also: Reducing Complexity in Healthcare IT

The regulation, Confidentiality of Substance Use Disorder Patient Records regulations - more commonly known as 42 CFR Part 2 – now mostly prohibits sharing data about patients’ treatment at those federally funded programs with other healthcare providers unless the patient grants permission.

Some healthcare associations and others had advocated changing the rule so it aligns with HIPAA to ease the sharing of data without a patient’s authorization. But the proposal stops far short of that, making only narrower changes, such as clarifying when disclosures can be made without patient consent during natural disasters and spelling out when providers that are not part of federally assisted programs can create substance abuse disorder records about patients who had been treated in those programs.

‘Between a Rock and a Hard Place’

Although HHS says the “reforms” are aimed at improving coordination of patient care and reducing “burdens” on healthcare providers, some regulatory experts argue that the proposals would not result in dramatic changes. Meanwhile, some patient privacy advocates worry that the changes would jeopardize privacy.

”HHS is between a rock and a hard place in attempts to revamp the patient confidentiality provisions for substance abuse treatment records,” says privacy attorney David Holtzman of the security consulting firm CynergisTek.

The proposed rule, issued by the Substance Abuse and Mental Health Services Administration and published Monday in the Federal Register, aims to improve care coordination by clarifying and modifying various permitted disclosures of substance use disorder records of patients participating in federally assisted Part 2 programs, HHS says in a statement.

"Given that with these proposals the vast majority of uses and disclosures of substance use disorder information still require consent, these proposals do not move the needle very far, with regard to the burdens on entities under 42 CFR Part 2."
—Iliana Peters, Polsinelli

”The basic framework for confidentiality protection of [substance use disorder] patient records created by federally assisted treatment programs will not be altered under the proposed rule,” HHS writes. “Further, 42 CFR Part 2 will continue to prohibit law enforcement use of [substance use disorder] patient records in criminal prosecution against the patient, and will also continue to restrict the disclosure of [substance use disorder] treatment records without patient consent unless an exception applies,” HHS says.

HHS is collecting comments on its proposed rule until Sept. 25.

Minimal Changes

Privacy attorney Iliana Peters of the law firm Polsinelli says she’s encouraged to see HHS undertaking changes to help ensure that substance use disorder information can be used and disclosed more often.

“That said, given that with these proposals the vast majority of uses and disclosures of substance use disorder information still require consent, these proposals do not move the needle very far, with regard to the burdens on entities under 42 CFR. Part 2,” she says.

”While I understand that HHS must comply with confines of the statue with regard to its rulemaking, I am surprised that given this administration’s efforts to reduce burdens on healthcare entities, the administration did not attempt more here in that regard, keeping in mind that HIPAA applies to this information in most circumstances as well.”

More Clarity?

The proposed rule would update the definition of the kind of records that are covered under 42 CFR Part 2, making it clear, for example, that treatment records created by providers who are not participating in federally assisted program - based on their own patient encounters with patients who were also treated in a program - mostly will not be covered by Part 2 regulations.

Under the proposed rule:

  • Permitted disclosures for research – without patient consent - under 42CFR Part 2 would be expanded. For instance, a HIPAA covered entity or business associate would be allowed to make disclosures for research purposes to individuals and organizations who are not HIPAA covered entities, nor subject to the Common Rule. Currently, 42CFR Part 2 only allows for far more limited disclosures of patient identifying information for research purposes without patient consent.
  • Records of patients treated at federally assisted facilities would be permitted to be shared without a patient’s consent in the event of natural disasters, such as hurricanes.
  • Disclosures of patient records for the purpose of "payment and healthcare operations" with written consent would still allowed, as in the original rule. The proposal gives 17 examples for clarity.

More Provisions

The proposed rule also would clarify that personal devices, such as smartphones, not used by a Part 2 provider in the regular course of business do not have to be completely wiped – such as to delete records - because a substance use disorder patient sent an email or text message to their physician's personal device, HHS says. Rather, the provider can fulfill the Part 2 requirement for "sanitizing" the device by deleting just that message.

Under the proposal, providers other than federally assisted substance use disorder treatment programs would have access to central registries to determine if a patient is enrolled in an opioid treatment program and receiving medications as part of substance use disorder treatment to ensure at-risk patients are not accidentally overprescribed or given prescriptions for which they are seeking treatment, HHS says.

Also under the proposed rule, a substance use disorder patient would be allowed to consent to disclosure of Part 2 treatment records to an entity – for example, the Social Security Administration - without naming a specific person as the recipient for the disclosure. HHS says this change would help patients to apply for benefits and resources more easily, for example, when using online applications that do not identify a specific person as the recipient for a disclosure of Part 2 records.

HHS also proposes changes related to information disclosures for audits and program evaluation. These changes aim to resolve “current ambiguity” under Part 2 about what activities are covered by the audit and evaluation provision, HHS says in a fact sheet about the proposals.

Sizing Up the Proposal

The proposed rule comes nearly two years after HHS issued a final rule that made some other changes to 42 CFR Part 2 to create better alignment with HIPAA (see: Analysis: Substance Abuse Confidentiality Rule Changes).

But those changes were relatively narrow, allowing more flexibility for disclosures of patient data related to payment and business operations.

The National Association of Attorneys General and several healthcare groups, including the American Hospital Association and the College of Healthcare Information Management Executives, have been pushing for closer alignment between the privacy provisions of 42 CFR Part 2 and HIPAA (see: Addressing Opioid Crisis: Call for Privacy Rule Changes).

"Opening up the most sensitive personal data, anything about our minds and bodies, for 'care coordination' will cause ... U.S. adults to lie and omit revealing this intensely personal data to their providers."
—Deborah Peel, M.D., Patient Privacy Rights

For instance, they’ve argued that even with the previous changes in 2018, 42 CFR Part 2 impedes information sharing that could lead to better treatment.

Privacy attorney Kirk Nahra of the law firm WilmerHale says that despite a continuing effort by some groups to move the Part 2 rules closer to HIPAA, the latest HHS proposals “still do not go all the way there - and that could be because of concerns about going that far or because of the underlying statute.”

HHS is reviewing a variety of regulatory proposals to address the opioid crisis and related topics concerning coordinated care, including interoperability of health IT and secure health data exchange, some experts note.

”There is a HIPAA proceeding that is looking into some of these topics as well,” Nahra says. “This new Part 2 proposal addresses a variety of both smaller and bigger picture issues.”

Nahra says the proposed changes to 42 CFR Part 2 will be “modestly helpful.” He adds: “None of them will have a substantial impact on individual privacy interests, but any movement to reduce the restrictions of Part 2 have tended to lead to concerns from some in the advocacy community - although that often reflects an underlying disagreement with the HIPAA approach overall.”

But Holtzman of CynergisTek argues that HHS’s proposed changes to allow for greater data sharing between substance abuse treatment programs and other healthcare providers would create loopholes that could result in significant compromises to the confidentiality of substance abuse treatment information.

For example, in the summary of the proposed rule, HHS highlights that there’s an opportunity for physicians and others who are not substance abuse treatment providers to transcribe information they obtain from a treatment program into the patient's electronic health record without a clinical purpose. “The HHS proposed rule leaves patients vulnerable to breaches of their confidentiality because the department does not provide any new or additional monitoring, enforcement or penalty provisions to bring accountability for what the department terms "inappropriate" disclosures of this substance abuse treatment data,” he notes.

Too Many Modifications?

Some patient privacy advocates worry that some of HHS’ latest proposals go too far.

”Unfortunately, the proposed rule is written as though the agency believes that HIPAA protects privacy, when it fact, HIPAA is a data sharing rule,” says Twila Brase, president and co-founder of privacy advocacy group Citizens' Council for Health Freedom. “The alignments it makes with HIPAA, as well as the federal Common Rule for federally funded research, allow patient data to be more broadly shared without patient consent. The Common Rule includes various exemptions and exceptions that authorize research and analysis, including of biological specimens, without patient consent.”

Brase notes, however, that her organization is pleased that HHS would maintain certain Part 2 consent requirements for health information exchanges, prescription drug monitoring programs and healthcare operations. “But we maintain the importance of these consent provisions not being tucked into a consent for treatment form, as that would be coercion, not consent,” she adds.

Psychoanalyst Deborah Peel, M.D., founder of the advocacy group Patient Privacy Rights, says that any changes to the regulation that would loosen up rules governing the confidentiality of patient records would be bad moves. “Opening up the most sensitive personal data, anything about our minds and bodies, for ‘care coordination’ will cause … U.S. adults to lie and omit revealing this intensely personal data to their providers,” she says.

”The reality is that this data is used and sold to discriminate against people with substance abuse and their relatives - some people are far more susceptible to addiction due to genetic vulnerabilities,” she says. “If coordination is really needed, anyone treating someone with substance abuse can ask that person first.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.