Revised Confidentiality Rules Under HIPAA Part 2 For Substance Use Disorder Patient Records

by John Zen Jackson and John W. Kaveney

On January 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) within the Department of Health and Human Services published its final rule revising confidentiality rules for substance use disorder treatment programs.   A review of the Part 2 regulations for such programs and their overlap with pertinent provisions of HIPAA was the subject of a recent post on this blog.

The effective date of the revised regulations is February 2, 2018 with the exception of one provision which has a compliance date of within two years of the effective date.  The agency indicated that “[t]hese changes are intended to better align the regulations with advances in the U.S. health care delivery system while retaining important privacy protections for individuals seeking treatment for substance use disorders.”  An important aspect of this effort was aligning the substance use regulations with HIPAA and HITECH while recognizing the Part 2 regulations provide “more stringent federal protections” to safeguard individuals from discrimination and the legal consequences of improper disclosure.

The prior Part 2 regulations included a strict prohibition on redisclosure of information that is disclosed in the first instance with a patient’s consent.   SAMSHA’s new regulation approved the use of an abbreviated notice of prohibition of redisclosure which was intended to help the notice fit within space limitations of free-text fields in electronic health record systems.

The new regulation also permits disclosures with written consent for payment and health care operations activities.  The germane language in this regard is in the preamble to the regulation to indicate that the catalog of such activities is illustrative rather than an exhaustive list.  SAMSHA sought to balance the protection of confidentiality with the legitimate need to disclose information to obtain the benefits of emerging health care models promoting integrated care and patient safety.  It pointed to the existing provision in 42 CFR § 2.13(a) that was intended to ensure that information is not shared more broadly than the purpose(s) for which the patient consents.

SAMSHA also addressed the applicability of the Part 2 regulations to business associates and subcontractors in a fashion similar to the HITECH regulations.  It stated that the agency did not intend at this time to have Part 2 regulations apply to business associates and subcontractors. However, the agency left the door open to further alignment with HIPAA indicating that additional changes were under consideration.

With these latest changes and the promise of more to possibly come in the future, providers subject to these regulations must be sensitive to their applicability and complexity given the significant repercussions that can come from violations of HIPAA Part 2.