Summary

42 CFR Part 2 Final Rule

On July 15, 2020, a final rule revising the federal regulations governing the Confidentiality of Substance Use Disorder Patient Records, 42 CFR Part 2 (Part 2), was released by the Substance Abuse and Mental Health Services Administration (SAMHSA), U.S. Department of Health and Human Services. The rule went into effect on August 14, 2020.

Between the release of the Part 2 proposed rule and the promulgation of the final rule, Congress included legislation in section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to align 42 CFR Part 2 with HIPAA for the purposes of treatment, payment and operations.

The CARES Act became law on March 27, 2020. SAMHSA will need to release new regulations to implement the law, which were anticipated no earlier than March 27, 2021. However, SAMHSA's last statement on addressing the changes required by the CARES Act was issued on April 9, 2021, and indicated the intent to seek comments from the public before any further changes would be adopted. The comment period has yet to be opened, and SAMHSA indicated that the current 42 CFR Part 2 regulations remain in effect.

42 CFR Part 2 Versus HIPAA

42 CFR Part 2 Defined

42 CFR Part 2 for HIEs/HIOs

QSOA Agreements

A Qualified Service Organization Agreement (QSOA) is similar to a business associate agreement. It provides a mechanism for disclosure of Part 2 data between a Part 2 program and an organization that provides services to the program, such as an HIO. Examples of services an HIO might provide include holding and storing patient data, receiving and reviewing requests for disclosures to third parties, and facilitating electronic exchange of patient information via the HIO network. The QSOA covers the transmission and storage of Part 2 data to the HIO and facilitates any sharing of data from the Part 2 program back to the Part 2 program (for instance, if the data set has been enhanced in some way). Consent is not required for this communication, but the QSOA would not cover further transmission to HIO affiliated members without patient consent.

Part 2 Compliant Consent

Patient information protected by 42 CFR Part 2 may only be made available to an HIO for exchange if a patient signs a Part 2-compliant consent form authorizing the Part 2 program to disclose the information to HIO affiliated members.

Elements of a Part 2 Compliant Consent:

  • Name of the Patient
  • Specific Name or general designation of Part 2 entities or providers making the disclosure
  • How much and what kind of information is to be disclosed including specific reference to SUD
  • “To Whom” is the disclosure being made?
    • The name of the individuals; or
    • The name of the entity or entities; or
    • General designation such as “HIO Affiliated Members that have a treatment relationship”
      • If a patient used a general designation, the consent form would also have to include a notice stating that the patient understands that upon written request, he/she must be provided with a list of entities to which his/her information has been disclosed within the past two years. The HIE would be responsible for responding to the request within 30 days.
  • The purpose of the disclosure
  • Right to revocation at any time going forward
  • The date, event or condition upon which the consent will expire (for example, upon death).

Re-disclosure

Each disclosure made with the patient’s written consent must be accompanied by a written statement with the specific language contained in 42 CFR Part 2, § 2.32. The federal rules prohibit individuals or entities from making any further disclosure of information that identifies a patient as having or having had a substance use disorder, whether directly, by reference to publicly available information, or through verification of such identification by another person, unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR Part 2.

The updated rule shortens this language to “Disclosures permitted with written consent.”

This information must be tied to the Part 2 information being disclosed on the specific page within the HIO portal system where the patient information is revealed. SAMHSA has indicated that placing this statement on a login or splash page is not sufficient.

Medical Emergencies

Patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained.

It is important to note that immediately following disclosure, the Part 2 program shall document, in writing, the disclosure in the patient’s records, including:

  1. The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
  2. The name of the individual making the disclosure;
  3. The date and time of the disclosure; and
  4. The nature of the emergency.

For the purposes of an HIE, any time there was a “break the glass” or “break the seal” activity in which 42 CFR Part 2 protected data was disclosed, the HIE would need to provide a disclosure notice to any and all organizations whose data was disclosed. This disclosure notice should be kept as part of the patient’s chart. It is not necessary to notify the patient of the disclosure unless requested.

Payment and Health Care Operations by Consent

Patients can now consent to sharing Part 2 information for purposes of “payment and health care operations.” Examples of permissible payment or health care operations activities under this section include:

  • Billing, claims management, collections activities, …related health care data processing;
  • Clinical professional support services;
  • Patient safety activities;
  • Activities pertaining to: (i) The training of student trainees and health care professionals; (ii) The assessment of practitioner competencies; (iii) The assessment of provider or health plan performance; and/or (iv) Training of nonhealth care professionals;
  • Accreditation, certification, licensing, or credentialing activities;
  • Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits…;
  • Third-party liability coverage;
  • Activities related to addressing fraud, waste and/or abuse;
  • Conducting or arranging for medical review, legal services, and/or auditing functions;
  • Business planning and development;
  • Business management and general administrative activities;
  • Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
  • Resolution of internal grievances;
  • The sale, transfer, merger, consolidation, or dissolution of an organization;
  • Determinations of eligibility or coverage and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
  • Care coordination and/or case management services in support of payment or health care operations; and/or
  • Other payment/health care operations activities not expressly prohibited in this provision

Summary of Final Rule Changes Effective August 14, 2020

Definitions - Excludes certain oral communications and non-Part 2 treatment records from the definition of “records” to facilitate coordination of care activities between Part 2 programs and non-Part 2 providers.

Applicability - Information about an SUD recorded by a non-Part 2 provider is not automatically rendered a medical record subject to Part 2.

Segregated or Segmented records - Non-Part 2 providers may record and segment or segregate information from paper or electronic Part 2 records received from Part 2 providers without its record becoming subject to Part 2. The segregated or segmented records remain subject to Part 2.

Prohibition on redisclosure - Non-Part 2 providers do not need to redact information in non-Part 2 records and may redisclose with express consent

Disclosures Permitted with Written Consent - Disclosures for “payment and health care operations” are permitted with written consent; lists 18 qualifying activities, including care coordination and case management

Consent Requirements - A patient may consent to the disclosure of their information for operations purposes to certain entities without naming a specific individual.

Disclosures to Prevent Multiple Enrollments - Revises disclosure requirements to allow non-opioid treatment providers with a treating provider relationship to access central registries

Disclosures to Central Registries and PDMPs - Opioid treatment programs may disclose dispensing and prescribing data to prescription drug monitoring programs (PDMPs), subject to patient consent and State law.

Medical Emergencies - Authorizes disclosure of information to another Part 2 program or SUD treatment provider during State or Federally-declared natural and major disasters

Research - Disclosures for research under Part 2 are permitted by a HIPAA-covered entity or business associate to those who are neither HIPAA-covered entities nor subject to the Common Rule.

Audit and Evaluation - Clarifies what activities are covered by the broad audit and evaluation exceptions.

Undercover Agents and Informants - Extends court-ordered placement of undercover agents to 12 months.

Disposition of Records - When an SUD patient sends an incidental message to the personal device of an employee of a Part 2 program, the employee may “sanitize” the device by deleting the message