ATTENTION ALCOHOLISM AND SUBSTANCE ABUSE SERVICES PROVIDERS: SAMHSA’s Proposed Changes to 42 CFR Part 2 Address Key Integration Issues, Raise Other Questions About Compliance Responsibilities

In an earlier post, we highlighted that the federal Substance Abuse and Mental Health Services Administration (“SAMHSA”) submitted a proposed rule for public comment in the February 9, 2016 edition of the Federal Register, see 81 FR 6988, proposing a number of changes to 42 CFR Part 2 (“Part 2”), the federal regulations governing the confidentiality of the identity and treatment records of patients receiving treatment for alcoholism and chemical abuse or dependency, which would be collectively referred to as “substance use disorders” under the proposed regulations.  SAMHSA’s goal is to update the regulations to “facilitat[e] the electronic exchange of substance use disorder information for treatment and other legitimate health care purposes,” in order to better integrate the patient’s behavioral health care with their physical health care and create better overall health outcomes.  See 81 FR 6989. There are several provisions in SAMHSA’s proposal that we believe will generate substantial questions and negative feedback from providers, as they create additional burdens on providers and non-providers alike that may be impractical or raise questions of liability for the actions of third parties.  We discuss some of those issues here.

For readers who are not familiar with Part 2, those regulations, originally promulgated in 1975, protect the identity and records of substance use disorder patients from the stigma and negative consequences of improper disclosures—such as loss of employment, housing discrimination, criminal prosecution, insurance discrimination, or loss of child custody—that would potentially discourage a person from seeking treatment services in the first place.  Programs and individuals who hold themselves out to the public as offering substance use disorder treatment services are governed by Part 2.

As such, Part 2 is especially stringent: the disclosure of treatment records or other information that would identify the patient, directly or indirectly, as having a substance use disorder is not permitted without proper written consent of the patient, which itself must contain specific elements under Part 2.  See 42 CFR §§ 2.11, 2.12 (a)(1). There are limited exceptions to the consent requirement, such as court orders issued pursuant to Part 2’s specific procedure, or to other providers in medical emergencies.  See 42 CFR §§ 2.51, 2.61. Even when records are disclosed, the recipients of those records also become subject to Part 2, even if they are not originally within the scope of the law, and may not redisclose the records in a manner not permitted under Part 2.  See 42 CFR § 2.32. Violations of confidentiality can result in criminal penalties and fines.  See 42 CFR § 2.4.

In the current healthcare reform models, Part 2’s strict provisions create issues for the electronic sharing of substance use disorder treatment information and records within a health information exchange (“HIE”), an accountable care organization (“ACO”), or other healthcare network.  Of course, population health management and the integration and coordination of patient care are key facets of current reform models seeking to provide proactive and preventative care, reduce costs, and improve outcomes.  This coordination is particularly important for those with behavioral health diagnoses because those individuals often have comorbid conditions requiring regular treatment, or because certain treatments for physical or mental health conditions may be inappropriate, or even dangerous, for substance use disorder patients (e.g. contra-indicated pharmaceuticals).

However, Part 2’s current provisions erect obstacles to this sharing because they require the patient to provide written consent for disclosure of their substance use disorder treatment records to specific providers or lead organizations outside of the immediate treatment program.  Critically, when the designation is made to a lead organization, Part 2 prevents the participating providers in that organization from receiving the information unless their names also appear on the consent form.  Furthermore, separate consents would have to be executed to disclose to providers who join the organization at a later date.  Despite SAMHSA’s efforts to encourage substance use disorder treatment providers to use electronic health records and engage with HIEs through its support of various pilot programs, SAMHSA reported that providers did not have the capability to manage Part 2’s consent requirements and also that Part 2 deterred participation in HIEs, frustrating the integration of behavioral health and physical health treatment.  See 81 FR 6992.

Accordingly, the proposed rule contains a number of changes to adjust the consent requirements of Part 2 to encourage participation in these integrated delivery models.  For example, SAMHSA proposes to add population health management organizations to the definition of “qualified service organizations,” to which Part 2 programs are allowed to disclose information for the provision of services to their patients.  See 81 FR 6996. The population health management entity would still have to enter into a qualified service organization agreement and would not be able to make further disclosures to other individuals or entities unless such disclosure complies with Part 2.

In the same vein, SAMHSA is also proposing to adjust the written consent requirements to permit the patient to give a general designation of consent to a healthcare organization if certain conditions are met, which would permit enhanced sharing of information with HIEs and other integrated models.  If the organization employs or grants privileges to one or more participants who have “treating provider relationships” with the patient, or is a third party payer, the patient may simply designate the entity on the consent to permit the information to be shared with other providers in the organization.  A “treating provider relationship” under the proposed rule occurs when a patient agrees to be diagnosed, evaluated and/or treated for any condition by the individual or entity, and the individual or entity agrees to undertake the diagnosis, evaluation, and treatment.  See 81 FR 7014.

If the organization does not have a treating provider relationship, or is not a third party payer—as is the case with HIEs—the patient may designate the name of that organization but must also designate either: (1) the name of an individual participant of the organization; (2) the name of a participating entity that has a treating provider relationship with the patient; or (3) a general designation of an individual entity, individual participant(s), or a class of participants that must be limited to those which have a treating provider relationship with the patient (e.g. “my treating providers”).  See 81 FR 6997, 7019. The proposed rule would also permit general designations to clinical researchers.  See 81 FR 6997.

However, SAMHSA’s proposal attempts to balance this flexibility with additional compliance burdens in an effort to ensure that patient privacy is still treated with the utmost care and respect.  First, the provider that receives a general designation “must have a mechanism in place to determine whether a treating provider relationship exists with the patient whose information is being disclosed.”  81 FR 7000.  This requirement is only discussed in the preamble and is not part of the proposed regulations, but SAMHSA clearly expects organizations to address this issue:

We encourage innovative solutions to implement this provision. For example, the HIE in the aforementioned example could have a policy in place requiring their participating providers to attest to having a treating provider relationship with the patient. Likewise, the HIE could provide a patient portal that permits patients to designate treating providers as members of “my health care team” or “my treating providers.”

81 FR 7001.

More significantly, SAMHSA proposes that providers conduct due diligence into whether entities such as HIEs can comply with the requirements of Part 2.  In a discussion of changes to the medical emergency exception, SAMHSA addressed the responsibility of a provider to investigate this issue:

Before a part 2 program enters into an affiliation with an HIE, it should consider whether the HIE has the capability to comply with all part 2 requirements, including the capacity to immediately notify the part 2 program when its records have been disclosed pursuant to a medical emergency . . . . Similarly, SAMHSA recommends that the part 2 program consider whether the HIE has the technology, rules, and procedures to appropriately protect patient identifying information.

81 FR 7003. We expect this aspect of the final rule to generate a significant number of comments, especially around whether a provider would be liable for failing to conduct this type of due diligence if the HIE or other organization improperly disclosed patient information.

Other confidentiality safeguards in the new rule include the patient’s right to an accounting of redisclosures of information pursuant to a general designation.  81 FR 7016.  A statement regarding the patient’s right to request this information would be required on the consent form.  81 FR 7019.

Interestingly, SAMHSA is also asking for comments on an alternative approach to the general designation issue, not included in the proposed regulations, which would allow the patient to consent to disclosure to an organization that does not qualify as a treating provider, but instead serves as an intermediary in implementing patient consent, and then permit that organization to further disclose to the patient’s treating providers.  Patients would then be allowed to specify instructions for further disclosures.  See 81 FR 7001, 7002. SAMHSA is specifically seeking comments on necessary elements to the consent form if this approach were to be used, and how its new general designation disclosure requirement would be applied.  See 81 FR 7002.

SAMHSA is also proposing other amendments to the consent forms.  First, the proposed rule would require the consent form to contain an explicit description of the types of substance use disorder treatment records to be disclosed.  81 FR 7019.  In other words, the authorization is not valid if it simply says “all my records”; the authorization must describe the substance use disorder records with particularity, although it appears that a statement authorizing “all substance use disorder records” may be permissible.  See 81 FR 7002. Second, the forms must also contain a statement that the patient understands the terms of his or her consent.  81 FR 7019.  These are important provisions to note if they become final because many widely used consent forms, including the consent forms developed by the New York State Office of Alcoholism and Substance Abuse Services, and the New York State Office of Court Administration (in conjunction with the New York State Department of Health), will no longer be appropriate under Part 2.

The proposed rule also clarifies an aspect of Part 2’s prohibition on redisclosure.  Even though Part 2 generally does not govern information that would not identify the patient as having a substance use disorder, such as information about physical illnesses (governed by HIPAA and/or state law), the proposed rule notes that disclosure by a Part 2 program of medical conditions that are brought about by drug or alcohol abuse (e.g. cirrhosis) or prescriptions used to treat substance use disorders (e.g. methadone), can inadvertently reveal that a patient has a substance use disorder, thereby violating Part 2.  81 FR 7003.  These types of inadvertent disclosures clearly highlight why providers must closely review any records prior to disclosure to avoid these violations.

Another aspect of the proposed rule that will undoubtedly generate significant comment is the heightened security obligations that would be placed upon “other lawful holders” of Part 2 information, who are often not even healthcare providers or facilities, let alone the types of providers that are subject to Part 2.  As described above, any person who receives information disclosed pursuant to Part 2 automatically becomes bound by the provisions of that law, and may not further disclose the information unless such disclosure complies with Part 2.  However, the proposed rule would now require these other lawful holders “of patient identifying information [to] have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.”  81 FR 7017.  The proposed regulation also enumerates areas that the policies must address for both paper and electronic records, including security measures, access, maintenance, and destruction of the record.

This new requirement, while well-intentioned, will undoubtedly be viewed as problematic.  The category of “other lawful holders” encompasses a broad, if not limitless, spectrum of individuals and entities—a court of law that receives substance use disorder records for an in camera inspection; a law firm that obtains records for a medical malpractice investigation; a family member of a patient; or other private citizens who receive information pursuant to a written disclosure. The breadth of this definition was even recognized by SAMHSA in the proposed regulation, as it noted “this group could encompass a wide range of organizations” in a number SAMHSA would not be able to estimate.  See 81 FR 7008. It may well be sound practice in this digital age for courts and law firms to enhance their information security protections, but this requirement may be seen as overreaching, especially if it is interpreted to apply to private citizens who could not be expected to implement policies to deal with Part 2 records.

In sum, many providers will welcome this attempt to revise Part 2 to partner with new healthcare delivery models, but it is clear that some aspects will generate questions and comments about the new compliance responsibilities that have been proposed.  Comments to the rule are due on April 11, 2016, and we will keep you informed regarding any developments.

For further information about this proposed rule and provider obligations under 42 CFR Part 2, please contact David R. Ross or David E. Nardolillo.

David R. Ross is a Shareholder of the firm. Prior to joining the firm, and under former Governors Pataki and Spitzer, Mr. Ross served as the Acting Medicaid Inspector General for New York State. Prior to his service at the OMIG, Mr. Ross held several positions at the New York State Office of Alcoholism and Substance Abuse Services (OASAS), including Acting General Counsel, Deputy Counsel, and Associate Counsel.  Mr. Ross regularly advises OASAS-licensed providers regarding their compliance obligations, including patient privacy matters, and represents these providers in the full spectrum of regulatory enforcement actions.

David E. Nardolillo is an Associate with the firm.  His primary practice involves representing healthcare providers in a broad spectrum of litigation, including criminal, civil and administrative fraud and abuse investigations; professional discipline and regulatory enforcement matters; and Medicare, Medicaid and private insurer audits.  Mr. Nardolillo regularly advises behavioral health providers regarding their patient privacy obligations under HIPAA, the New York Mental Hygiene Law, and 42 CFR Part 2.