SAMHSA ’s Final Rule on the Confidentiality of Substance Use Disorder Patient Records

Share Tweet Email

On March 21, 2017, the Substance Abuse and Mental Health Services Administration (“SAMHSA”)’s Final Rule on the Confidentiality of Substance Use Disorder Patient Records (“42 CFR Part 2” or “Part 2”) took effect.  The new final rule revises requirements for consent forms and medical record security policies and procedures for Part 2 Substance Use Disorder Programs and other recipients of Part 2 information.   Part 2 consent forms currently being used may continue to be used until the forms expire.  Despite hopes that this revision of Part 2 (the first in thirty years) would bring Part 2 privacy regulations more in line with HIPAA privacy and security regulations, there are still significant differences between the confidentiality requirements of HIPAA and those pertaining to Part 2 patient identifying information. Programs and recipients should be aware of the new regulations and revise consent forms and policies accordingly. Our bulletin below describes the required elements of the new consent forms and policies, as well as some of the continued challenges posed by the Part 2 regulations.

Consent Forms

The new regulations revise the requirements for disclosure consent forms.  Previously, a patient could designate an individual or an entity to receive Part 2 information (i.e. information held by a Part 2 program, including the name, address, social security number, fingerprints, photograph or similar information, that could be used to identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person).  The recipient of the Part 2 information would then be prohibited from redisclosing  the Part 2 information without an additional consent from the patient. This consent requirement made it practically impossible to include Part 2 patient information in health information exchanges and placed an obstacle in the way of fully integrating patient care.  The new final rule attempts to address this challenge by permitting recipients of Part 2 information to redisclose said information to a patient’s treating providers pursuant to a “general designation” on a consent form.

Under the new final rule, patient consent forms for disclosure of Part 2 information are required to be in writing (electronic or paper) and to include the following information:

  1. The name of the patient;
  2. The date on which the consent is signed;
  3. The specific name(s) or general designation(s) of the Part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure;
  4. How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that is to be disclosed to each individual or entity;
  5. The purpose of the disclosure (the amount of Part 2 information disclosed must be limited to that information which is necessary to carry out this purpose);
  6. The name of the individual or entity that is to receive the information (multiple authorizations can be included on one form);
  7. A statement that a patient, when authorizing disclosure of his or her Part 2 information to a “general” recipient (e.g., “all future treating providers”), has a right to obtain, upon request, a list of the disclosures made of his or her Part 2 information;
  8. A statement that the consent is revocable at any time, except to the extent that the Part 2 program or other lawful holder of the Part 2 information has acted in reliance on the consent;
  9. The date, event or condition on which the consent will expire (if not revoked before this), ensuring that the consent form will last no longer than is necessary to serve the purpose for which the consent is provided; and
  10. The patient’s signature or, if the patient is a minor or lacks legal capacity, the patient’s guardian (electronic signatures are permissible).

Under element 6, a patient can designate the following individuals and entities (an expansion from the previous rule) to receive his or her Part 2 information:

  1. An entity that has a “treating provider relationship” with the patient;A “treating provider relationship” is defined in the final rule as when a patient is being, agrees to, or is legally required to be diagnosed, evaluated and/or treated, or agrees to accept consultation for any condition by an individual or entity, and the individual or entity undertakes the same or agrees to do so.  A treatment provider relationship can exist regardless of whether there has been an actual in-person encounter.  The determination of whether a “treating provider relationship” exists if fact specific.
  2. Specifically named individuals; and/or
  3. (New under this Final Rule) A third-party entity with whom the patient does not have a treating provider relationship (e.g., a health information exchange) and, on the same consent form, the patient can permit this third-party entity to redisclose his or her Part 2 information to other named individuals or entities with whom the patient does have a treating provider relationship (e.g., “I consent to disclosure of my Part 2 information to the Vermont Health Information Exchange, and agree to permit the VHIE to redisclose my information to my current provider and all future providers with whom I have a treating provider relationship.”).

Additional provisions in the new rule, however, continue to make the exchange of Part 2 information difficult and, in some cases, impossible.  For example, a patient is entitled to receive a list of all entities to which his or her information has been disclosed pursuant to a general designation, including disclosures for treatment and health care operations purposes.  Third-party entities without a treating provider relationship with the patient that have redisclosed Part 2 information pursuant to a “general designation” on a consent form, including health information exchanges, will need to be able to provide this list of disclosures to the patient before the entity can begin accepting and acting based on a “general designation” consent form. 

Another challenge posed by the new final rule is that providers must give a patient the option on the consent form to choose specific subsets of his or her Part 2 information to be disclosed.  The level of granularity that providers must offer to a patient in selecting what information is to be disclosed could be prohibitive since many electronic health records do not have the capacity to parse Part 2 patient information into specific subsets.   Providers are still permitted to include an option for the patient to consent to “all my substance use disorder-related information”, as long as the more granular options with “explicit descriptions” are also included on the form.

Security Policies and Protocols

The new rule also requires Part 2 programs or other lawful holders of Part 2 information (e.g., payers, health information exchanges) to have in place formal policies and procedures to protect against unauthorized uses and disclosures of Part 2 information, and to protect against threats or hazards to the security of Part 2 information.   These formal policies and procedures must address the following elements:

Paper records

  • Transferring and removing such records;
  • Destroying such records (including sanitizing the hard copy media associated with the paper printouts);
  • Maintaining such records in a secure room, locked file cabinet, safe or other similar container, or storage facility when not in use;
  • Using and accessing workstations, secure rooms, locked file cabinets, safes or other similar containers and storage facilities; and
  • Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification.

Electronic records

  • Creating, receiving, maintaining, and transmitting such records;
  • Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;
  • Using and accessing electronic media containing patient identifying information; and
  • Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification.

If you have questions on the Part 2 Final Rule or other health law issues, please contact the Primmer Health Law Team.