CARES Act Updates
Summary
On February 8, 2024, the U.S. Department of Health & Human Services (HHS) through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights announced a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). With this final rule, HHS is implementing the confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act - PDF (enacted March 27, 2020), which require the Department to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Major Changes in the New Part 2 Rule
The final rule includes the following modifications to Part 2:
- Patient Consent
- Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
- Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.1
- Other Uses and Disclosures
- Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
- Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
- Penalties: Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.2
- Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule3 to breaches of records under Part 2.
- Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
- Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
- Safe Harbor: Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
- Segregation of Part 2 Data: Adds an express statement that segregating or segmenting Part 2 records is not required.
- Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
- SUD Counseling Notes: Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.4
- Patient Consent:
- Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
- Requires a separate patient consent for the use and disclosure of SUD counseling notes.
- Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.
- Fundraising: Create a new right for patients to opt out of receiving fundraising communications.
42 CFR Part 2 2020 Final Rule Brief
Summary
42 CFR Part 2 Final Rule
On July 15, 2020, a final rule revising the federal regulations governing the Confidentiality of Substance Use Disorder Patient Records, 42 CFR Part 2 (Part 2), was released by the Substance Abuse and Mental Health Services Administration (SAMHSA), U.S. Department of Health and Human Services. The rule went into effect on August 14, 2020. Source
In the interim of the Part 2 proposed rule release and the final rule being promulgated, Congress incorporated legislation to align 42 CFR Part 2 with HIPAA for the purpose of treatment, payment and operations in section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).
The CARES Act became law on March 27, 2020. SAMHSA will need to release new regulations to implement the law, which was anticipated no earlier than March 27, 2021. However, the last statement issued from SAMHSA regarding addressing the changes required by the CURES Act was issued on April 9, 2021 indicating the intent to seek comments from the public before any further changes would be adopted. The comment period has yet to be opened and SAMSHA indicated that the current 42 CFR Part 2 regulations remain in effect.
42 CFR Part 2 Versus HIPAA
42 CFR Part 2 Defined
42 CFR Part 2 for HIEs/HIOs
QSOA Agreements
The use of a Qualified Service Organization Agreement (QSOA) is similar to a business associate agreement. It provides a mechanism for disclosure of Part 2 data between a Part 2 program and an organization that provides services to the program, such as an HIO. Examples of services an HIO might provide include holding and storing patient data, receiving and reviewing requests for disclosures to third parties, and facilitating electronic exchange of patient information via the HIO network. The QSOA covers the transmission and storage of part 2 data to the HIO and facilitates any sharing data from the part 2 program back to the part 2 program (for instance if the data set has been enhanced in some way). A consent is not required for this communication but would not cover further transmission to HIO affiliated members without patient consent.
Part 2 Compliant Consent
Patient information protected by 42 CFR Part 2 may only be made available to an HIO for exchange if a patient signs a Part-2 compliant consent form authorizing the Part 2 program to disclose the information to HIO affiliated members.
Elements of a Part 2 Compliant Consent:
- Name of the Patient
- Specific Name or general designation of Part 2 entities or providers making the disclosure
- How much and what kind of information is to be disclosed including specific reference to SUD
- “To Whom” is the disclosure being made?
- The name of the individuals; or
- The name of the entity or entities; or
- General designation such as “HIO Affiliated Members that have a treatment relationship”
- If a patient used a general designation, the consent form would also have to include a notice stating that the patient understands that upon written request, he/she must be provided with a list of entities to which his/her information has been disclosed within the past two years. The HIE would be responsible for responding to the request within 30 days.
- The purpose of the disclosure
- Right to revocation at any time going forward
- The date, event or condition upon which the consent will expire (for example, upon death).
Re-disclosure
Each disclosure made with the patient’s written consent must be accompanied by a written statement with the specific language contained in 42 CFR Part Section § 2.32. The federal rules prohibit individuals or entities from making any further disclosure of information that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2.
The updated rule shortens this language to “Disclosures permitted with written consent.” Source
This information must be tied to the Part 2 information being disclosed on the specific page within the HIO portal system where the patient information is revealed. SAMHSA has indicated that placing this statement on a login or splash page is not sufficient.
Medical Emergencies
Patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained.
It is important to note that immediately following disclosure, the part 2 program shall document, in writing, the disclosure in the patient’s records, including:
- The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
- The name of the individual making the disclosure;
- The date and time of the disclosure; and
- The nature of the emergency
For the purposes of an HIE, the HIE would need to provide a disclosure notice any time there was a “break the glass” or “break the seal” activity and 42 CFR Part 2 protected data was disclosed to any and all organizations whose data was disclosed. This disclosure notice should be kept as part of the patient’s chart. It is not necessary to notify the patient of the disclosure unless requested.
Payment and Health Care Operations by Consent
Patients can now consent to sharing Part 2 information for purposes of “payment and health care operations.” Examples of permissible payment or health care operations activities under this section include:
- Billing, claims management, collections activities, …related health care data processing;
- Clinical professional support services;
- Patient safety activities;
- Activities pertaining to: (i) The training of student trainees and health care professionals; (ii) The assessment of practitioner competencies; (iii) The assessment of provider or health plan performance; and/or (iv) Training of nonhealth care professionals;
- Accreditation, certification, licensing, or credentialing activities;
- Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits…;
- Third-party liability coverage;
- Activities related to addressing fraud, waste and/or abuse;
- Conducting or arranging for medical review, legal services, and/or auditing functions;
- Business planning and development;
- Business management and general administrative activities;
- Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
- Resolution of internal grievances;
- The sale, transfer, merger, consolidation, or dissolution of an organization;
- Determinations of eligibility or coverage and adjudication or subrogation of health benefit claims;
- Risk adjusting amounts due based on enrollee health status and demographic characteristics;
- Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
- Care coordination and/or case management services in support of payment or health care operations; and/or
- Other payment/health care operations activities not expressly prohibited in this provision
Summary of Final Rule Changes Effective August 14, 2020
Definitions - Excludes certain oral communications and non-part 2 treatment records from the definition of “records.” To facilitate coordination of care activities between Part 2 programs and non-Part 2 providers.
Applicability - Information about an SUD recorded by a non-part 2 is not automatically rendered a medical record subject to Part 2
Segregated or Segmented records - Non-Part 2 providers may record and segment or segregate information from paper or electronic Part 2 records received from Part 2 providers without its record becoming subject to Part 2. The segregated or segmented records remain subject to Part 2.
Prohibition on redisclosure - Non-Part 2 providers do not need to redact information in non-Part 2 records and may redisclose with express consent
Disclosures Permitted with Written Consent - Disclosures for “payment and health care operations” are permitted with written consent; lists 18 qualifying activities, including care coordination and case management
Consent Requirements - A patient may consent to the disclosure of their information for operations purposes to certain entities without naming a specific individual .
Disclosures to Prevent Multiple Enrollments - Revises disclosure requirements to allow non-opioid treatment providers with a treating provider relationship to access central registries
Disclosures to Central Registries and PDMPs - Opioid treatment programs may disclose dispensing and prescribing data to prescription drug monitoring programs (PDMPs), subject to patient consent and State law.
Medical Emergencies - Authorizes disclosure of information to another Part 2 program or SUD treatment provider during State or Federally-declared natural and major disasters
Research - Disclosures for research under Part-2 are permitted by a HIPAA-covered entity of business associated to those who are neither HIPAA covered entities, nor subject to the Common Rule
Audit and Evaluation - Clarifies what activities are covered by the broad audit and evaluation exceptions Undercover Agents and Informants - Extends court-ordered placement of undercover agents to 12-months
Disposition of Records - When an SUD patient sends an incidental message to the personal device of an employee of a Part 2 program, the employee may “sanitize” the device by deleting the message
42 CFR Part 2 2017 Final Rule Brief
Summary
42 CFR Part 2 Final Rule
In January 2017, SAMHSA issued the final rule for 42 CFR Part 2, Confidentiality of Substance Use Disorder Patient Records (January 18, 2017; 82 FR 6052). In a Federal Register (FR) notice issued on February 16, 2017, SAMHSA delayed the effective date of the final regulations for 60 days in accordance with instructions received in a January 20, 2017, memo from the Assistant to the President and Chief of Staff (82 FR 10863). The revised 42 CFR Part 2 regulations became effective on March 21, 2017. (Source)
42 CFR Part 2 Covered Entity or Individual
Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment. However, the regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of substance use disorder diagnosis, treatment, or referral for treatment and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services. Federal assistance to program required. If a patient’s substance use disorder diagnosis, treatment, or referral for treatment is not provided by a part 2 program, that patient’s record is not covered by the regulations. Thus, it is possible for an individual patient to benefit from federal support and not be covered by the confidentiality regulations because the program in which the patient is enrolled is not federally assisted (42 CFR § 2.11)
Most drug and alcohol treatment programs are federally assisted. For-profit programs and private practitioners that do not receive federal assistance of any kind would not be subject to the requirements of 42 CFR Part 2 unless the State licensing or certification agency requires them to comply. However, any clinician who uses a controlled substance for detoxification or maintenance treatment of a substance use disorder requires a federal DEA registration and becomes subject to the regulations through the DEA license.
Updates that impact consent requirements
To Whom Section
The final rule now allows for a general designation and also disclosure to entities without a treating provider relationship.
For example: XYZ HIE who in turn may disclose the information to any of my treating providers involved in my care.
This designation would allow for the disclosure to past, present and future providers that have a treatment relationship with the patient without specifically identifying each.
However, When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed.
From Whom Section
SAMHSA decided not to finalize its proposed changes to the “From Whom” section, but did make minor updates to the terminology in the text. Therefore, a general designation is still allowed.
For example: “XYZ Treatment Facility” or “XYZ ACO” or “XYZ HIE”
This is important because using the general designation allowed under the To Whom provision, coupled with a multi-party, bidirectional consent, the general designation permitted by the From Whom provision under the final rule, will allow for disclosure to and among the participants in an integrated care environment such as an HIE.
Amount and Kind
The Consent must include how much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed.
For example: (Acceptable) “medications and dosages, including substance use disorder-related medications,” or “all of my substance use disorder-related claims/encounter data.”
(Not Acceptable) “all of my records” or “only my substance use disorder records my family knows about”
Revocation and Expiration
The consent must include a statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it.
For Example: “I can revoke this Consent and Authorization at any time by giving written notice to the person or organization named above in the “To Whom” or “From Whom” sections except to the extent that those persons or organizations have acted in reliance upon my authorization.”
The consent must include a statement regarding the date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided.
For example, it is permissible for a consent form to specify the event or condition that will result in revocation, such as having its expiration date be “upon my death.”
Re-disclosure
Each disclosure made with the patient’s written consent must be accompanied by a written statement with the specific language contained in 42 CFR Part Section § 2.32. The federal rules prohibit individuals or entities from making any further disclosure of information that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2.
Thus, the context and not necessarily the data itself is the determining factor of whether data could be re-disclosed. This may be difficult for electronic systems to flag or segment.
The preamble to the final rule confirms that the disclosure from one treating provider to another treating provider in an HIE would be considered a re-disclosure. Thus, the consent process described above using the From Whom provision is necessary to avoid the prohibition.
Medical Emergencies
Patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained.
It is important to note that immediately following disclosure, the part 2 program shall document, in writing, the disclosure in the patient’s records, including:
- The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
- The name of the individual making the disclosure;
- The date and time of the disclosure; and
- The nature of the emergency
For the purposes of an HIE, the HIE would need to provide a disclosure notice any time there was a “break the glass” or “break the seal” activity and 42 CFR Part 2 protected data was disclosed to any and all organizations whose data was disclosed. This disclosure notice should be kept as part of the patient’s chart. It is not necessary to notify the patient of the disclosure unless requested.
Research
Part 2 Programs may also disclose SUD information for the purpose of conducting scientific research if person with responsibility for disclosure determines that (i) the recipient is a covered entity or business associate under HIPAA and has obtained appropriate authorization or waiver from the patient; (ii) the recipient is subject to the human subjects protection Common Rule (45 CFR Part 46) and has obtained the patient’s informed consent or an appropriate waiver or exemption; or (iii) both HIPAA and Common Rule compliance is met, when applicable. Researchers must not re-disclose patient information, but may include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be reidentified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder. Researchers must follow Part 2 storage requirements including destruction of SUD-data, and must retain the patient records in accordance with all applicable laws.
QSO
SAMHSA has revised the definition of QSO to include population health management in the list of examples of services a QSO may provide. SAMHSA also revised the term “medical services” as listed in the examples of permissible services offered by a QSO to clarify that it is limited to “medical staffing services.” SAMHSA made this revision to emphasize that QSOAs should not be used to avoid obtaining patient consent.
Specifically, population health management refers to increasing desired health outcomes and conditions through monitoring and identifying individual patients within a group. To achieve the best outcomes, providers must supply proactive, preventive, and chronic care to all of their patients, both during and between encounters with the health care system. For patients with substance use disorders, who often have comorbid conditions, proactive, preventive, and chronic care is important to achieving desired outcomes.
Because a QSOA is a two-way agreement between a part 2 program and the entity providing the part 2 program and an individual or entity providing a service to a part 2 program, agreements between more than those two parties (e.g. multi-party agreements) are prohibited. A QSOA cannot be used to avoid obtaining patient consent in the treatment context.