Governance & Risk Management , Healthcare , HIPAA/HITECH

HHS Rule to Ease Record Sharing, Guard Substance Abuse Data

Proposals to Address Patient Consent, Enforcement Penalties, Breach Notification
HHS Rule to Ease Record Sharing, Guard Substance Abuse Data
Two HHS agencies - SAMHSA and OCR - jointly issued a proposed rule to better align 42 CFR Part 2 privacy regulations with HIPAA.

Doctors and hospitals always want to know a patient's full medical history before prescribing medicine or treatment, but the process of sharing information about patients with substance abuse disorders can be fraught with privacy and care delivery issues.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

For a patient in an emergency room, doctors could lose precious time trying to get consent for records. Meanwhile, patients themselves can lose control of information related to their drug or alcohol problems.

One of the problems nagging healthcare providers is that federal privacy rules are not consistent, which is why the Department of Health and Human Services is proposing rule changes to make it easier for doctors to share records, while still protecting the confidentiality of substance abuse records.

HHS' notice of proposed rule-making on Monday was issued jointly through two of its agencies, the Office for Civil Rights, which enforces HIPAA, and the Substance Abuse and Mental Health Services Administration, which oversees the Confidentiality of Substance Use Disorder Patient Records regulations, commonly called 42 CFR Part 2.

Compared with HIPAA, substance abuse regulations currently impose different privacy requirements for the handling of records for patients receiving substance disorder treatments from federally assisted programs. That includes requiring more stringent written consents by patients for the use and disclosure of their records, compared with HIPAA.

Among the proposed changes are a single consent form that will cover current and future substance abuse disclosures, as well as more transparency for the patient on who is reviewing the records. The goal of the proposed changes is to improve care coordination among healthcare providers and protect patient privacy.

“Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” said HHS Secretary Xavier Becerra in a statement. "This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego lifesaving care due to concerns about records disclosure."

The disparity between the regulations often creates barriers in care coordination and the sharing of critical patient information, requiring providers to segregate records and obtain additional consent for sharing with other providers, HHS says.

HHS says its proposals would implement certain provisions of the Coronavirus Aid, Relief and Economic Security, or CARES, Act that also call for HHS to align the rules (see: HHS Modified Some Substance Use Disorder Privacy Provisions).

Proposed Changes

HHS proposes a long list of changes, including:

  • Patients providing a single consent for use and disclosure of Part 2 records, including for all future uses and disclosures for treatment, payment and healthcare operations;
  • Permitted redisclosure of Part 2 records in any manner allowed by the HIPAA Privacy Rule, with certain exceptions;
  • Patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as allowed under the HIPAA Privacy Rule;
  • Expanded prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative and legislative proceedings;
  • New HHS enforcement authority, including the imposition of civil money penalties for violations of Part 2;
  • Updated breach notification requirements to HHS and affected patients;
  • Updated HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records.

The 260-page proposed rule will be open to public comment for 60 days after its publication in the Federal Register, slated for Friday.

Complex Issues

While the proposed changes aim to better align substance abuse records confidentiality requirements with HIPAA, they also present potential new challenges for a wide range of organizations, some experts say.

"This proposal arguably creates significant new burdens on substance use disorder providers, as well as all types of healthcare providers who may receive information protected by Part 2," says privacy attorney Iliana Peters of the law firm Polsinelli. "Healthcare entities of all types should review these proposed changes closely to better understand the potential impact to their organizations," she says.

Peters, a former senior adviser at OCR, also says she'll be seeking additional information about how OCR and SAMHSA intend to coordinate on both requirements and enforcement.

"I will be reviewing very closely for a better idea of how HHS intends to expand the jurisdiction and authority of the OCR, particularly with regard to breach notification and enforcement requirements, to the revised Part 2 regulations and what specific statutory provisions they invoke to do so."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.