HHS’s Substance Abuse and Mental Health Services Administration (“SAMHSA”) proposed updated rules to clarify the scope of perceived barriers to sharing information regarding treatment for substance use disorders (SUDs) among providers, with research entities, and for law enforcement purposes. The proposed changes to the 42 C.F.R. Part 2 (“Part 2”) regulations appear in two Notices of Proposed Rulemaking (“NPRMs”), which are also summarized in a Fact Sheet. These proposals are part of HHS’s Regulatory Sprint to Coordinated Care, an agency-wide effort to remove regulatory obstacles to care coordination and information-sharing. HHS is anticipated to release proposed rules on HIPAA, the Physician Self-Referral Law and Anti-Kickback Statute by the end of 2019 as part of this effort as well.

The proposed Part 2 updates could have significant impacts on how health care providers, researchers, and health technology companies protect and share SUD information with each other, so interested parties should submit comments on the NPRMs before the deadlines, and prepare to submit comments in response to HHS’s other Regulatory Sprint to Coordinated Care efforts in the coming months.

Background

The Part 2 regulations were initially intended to protect access to patient records for the treatment of SUDs by “federally assisted alcohol or drug abuse programs” (“Part 2 programs”). These regulations were initially promulgated decades before the passage of HIPAA and before electronic health records were available.

Part 2 programs can be entities, identified units within a larger medical facility, or even specific medical personnel or other staff within a medical facility whose primary function is the provision of SUD diagnosis, treatment, or referral for treatment. These regulations impact both Part 2 programs and non-Part 2 entities that need to coordinate care and share information with Part 2 programs.

Highlights from the Proposed Rules

First, SAMHSA’s longer NPRM (“Records NPRM”) proposes numerous changes to Part 2’s regulations that are intended to better facilitate care coordination for individuals with SUD conditions, especially for practitioners and provider entities that are not Part 2 programs. These proposed changes are meant to address outstanding concerns regarding issues such as:

  • How providers and entities not subject to Part 2’s requirements can generate, maintain, and re-disclose their own records about a patient’s SUD without being subject to Part 2’s restrictions regarding patient consent.
  • How patients may consent to disclosures of information subject to Part 2 to organizations without a treating provider relationship (e.g., for Social Security benefits or halfway house programs).
  • The scope of permissible activities encompassing payment and health care operations for which Part 2 information may be re-disclosed.
  • The ability of providers, pharmacies, and opioid treatment programs to access prescription drug monitoring program databases and central registries.
  • How Part 2 data that has not been de-identified may be disclosed and used for research purposes and for audit and evaluation purposes.

Non-Part 2 entities still must consider how HIPAA and the Common Rule may restrict uses and disclosures of SUD information from patients. However, the Records NPRM provides some relief from the additional burden that the Part 2 regulations often impose with respect to SUD records. Of note, SAMHSA considered, then declined to adopt a formal definition of segmentation that could apply to maintaining information subject to Part 2 apart from those generated by non-Part 2 entities, because that “might have unforeseen technical ramifications for [electronic health records] and [health information exchange] systems implementation in the future.” These provisions may be important for any technology vendor that supports Part 2 programs or non-Part 2 entities that frequently coordinate care with Part 2 programs.

SAMHSA’s shorter NPRM (“Communications NPRM”) focuses on clarifying that a court may authorize disclosure of confidential communications made by a patient to a Part 2 program when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, even if the extremely serious crime was not allegedly committed by the patient.” This clarification, achieved by reverting the language in 42 C.F.R. § 2.63(a)(2) back to what was in the 1987 regulation, is directly in response to the current opioid-related public health emergency. SAMSHA believes that this change allows “the prompt investigation and prosecution, if warranted, of opioid-related crimes allegedly committed by individuals other than patients.”

Both NPRMs are anticipated to be published in the Federal Register on Monday, August 26th. Parties that handle information subject to Part 2 and seek additional clarification on the regulations’ restrictions on the sharing of SUD information should prepare to submit comments to SAMHSA on the Communications NPRM by September 25th, and to submit comments to the Records NPRM by October 25th.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jodi G. Daniel Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She…

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals. Jodi is a contributor to the Uniform Law Commission Telehealth Committee, which drafts and proposes uniform state laws related to telehealth services, including the definition of telehealth, formation of the doctor-patient relationship via telehealth, creation of a registry for out-of-state physicians, insurance coverage and payment parity, and administrative barriers to entity formation.

Photo of Brandon C. Ge Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards.

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.