HHS’s Substance Abuse and Mental Health Services Administration (“SAMHSA”) proposed updated rules to clarify the scope of perceived barriers to sharing information regarding treatment for substance use disorders (SUDs) among providers, with research entities, and for law enforcement purposes. The proposed changes to the 42 C.F.R. Part 2 (“Part 2”) regulations appear in two Notices of Proposed Rulemaking (“NPRMs”), which are also summarized in a Fact Sheet. These proposals are part of HHS’s Regulatory Sprint to Coordinated Care, an agency-wide effort to remove regulatory obstacles to care coordination and information-sharing. HHS is anticipated to release proposed rules on HIPAA, the Physician Self-Referral Law and Anti-Kickback Statute by the end of 2019 as part of this effort as well.

The proposed Part 2 updates could have significant impacts on how health care providers, researchers, and health technology companies protect and share SUD information with each other, so interested parties should submit comments on the NPRMs before the deadlines, and prepare to submit comments in response to HHS’s other Regulatory Sprint to Coordinated Care efforts in the coming months.

Background

The Part 2 regulations were initially intended to protect access to patient records for the treatment of SUDs by “federally assisted alcohol or drug abuse programs” (“Part 2 programs”). These regulations were initially promulgated decades before the passage of HIPAA and before electronic health records were available.

Part 2 programs can be entities, identified units within a larger medical facility, or even specific medical personnel or other staff within a medical facility whose primary function is the provision of SUD diagnosis, treatment, or referral for treatment. These regulations impact both Part 2 programs and non-Part 2 entities that need to coordinate care and share information with Part 2 programs.

Highlights from the Proposed Rules

First, SAMHSA’s longer NPRM (“Records NPRM”) proposes numerous changes to Part 2’s regulations that are intended to better facilitate care coordination for individuals with SUD conditions, especially for practitioners and provider entities that are not Part 2 programs. These proposed changes are meant to address outstanding concerns regarding issues such as:

  • How providers and entities not subject to Part 2’s requirements can generate, maintain, and re-disclose their own records about a patient’s SUD without being subject to Part 2’s restrictions regarding patient consent.
  • How patients may consent to disclosures of information subject to Part 2 to organizations without a treating provider relationship (e.g., for Social Security benefits or halfway house programs).
  • The scope of permissible activities encompassing payment and health care operations for which Part 2 information may be re-disclosed.
  • The ability of providers, pharmacies, and opioid treatment programs to access prescription drug monitoring program databases and central registries.
  • How Part 2 data that has not been de-identified may be disclosed and used for research purposes and for audit and evaluation purposes.

Non-Part 2 entities still must consider how HIPAA and the Common Rule may restrict uses and disclosures of SUD information from patients. However, the Records NPRM provides some relief from the additional burden that the Part 2 regulations often impose with respect to SUD records. Of note, SAMHSA considered, then declined to adopt a formal definition of segmentation that could apply to maintaining information subject to Part 2 apart from those generated by non-Part 2 entities, because that “might have unforeseen technical ramifications for [electronic health records] and [health information exchange] systems implementation in the future.” These provisions may be important for any technology vendor that supports Part 2 programs or non-Part 2 entities that frequently coordinate care with Part 2 programs.

SAMHSA’s shorter NPRM (“Communications NPRM”) focuses on clarifying that a court may authorize disclosure of confidential communications made by a patient to a Part 2 program when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, even if the extremely serious crime was not allegedly committed by the patient.” This clarification, achieved by reverting the language in 42 C.F.R. § 2.63(a)(2) back to what was in the 1987 regulation, is directly in response to the current opioid-related public health emergency. SAMSHA believes that this change allows “the prompt investigation and prosecution, if warranted, of opioid-related crimes allegedly committed by individuals other than patients.”

Both NPRMs are anticipated to be published in the Federal Register on Monday, August 26th. Parties that handle information subject to Part 2 and seek additional clarification on the regulations’ restrictions on the sharing of SUD information should prepare to submit comments to SAMHSA on the Communications NPRM by September 25th, and to submit comments to the Records NPRM by October 25th.

Print:
EmailTweetLikeLinkedIn
Photo of Jodi G. Daniel Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal…

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals.

Photo of Stephanie Willis Stephanie Willis

 

Stephanie Willis is a member of the firm’s Health Care Group in Crowell & Moring’s Washington, D.C. office. She counsels health care clients in matters involving regulatory issues, including fraud and abuse compliance, participation in new health care reform initiatives under the Affordable…

 

Stephanie Willis is a member of the firm’s Health Care Group in Crowell & Moring’s Washington, D.C. office. She counsels health care clients in matters involving regulatory issues, including fraud and abuse compliance, participation in new health care reform initiatives under the Affordable Care Act (ACA), as well as Certificate of Need (CON) and licensure matters. She has also advised clients on compliance with laws and regulations governing health IT initiatives and health care privacy and security, including the Health Insurance Portability & Accountability Act (HIPAA).

Photo of Brandon C. Ge Brandon C. Ge

Brandon C. Ge is an associate in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy & Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards.

Brandon C. Ge is an associate in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy & Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.

Photo of Maya Uppaluru Maya Uppaluru

Maya Uppaluru is an associate in Crowell & Moring’s Washington, D.C. office with the Digital Health Practice and Health Care Group and provides strategic, legal, and regulatory advice to a range of organizations at the forefront of health innovation, including providers, plans, large…

Maya Uppaluru is an associate in Crowell & Moring’s Washington, D.C. office with the Digital Health Practice and Health Care Group and provides strategic, legal, and regulatory advice to a range of organizations at the forefront of health innovation, including providers, plans, large tech companies, startups, and venture capital.