Skip to content

Menu

ChannelsPublishersSubscribe
LexBlog, Inc. logo
LexBlog, Inc. logo
ProductsSub-MenuBlogsPortalsTwentySyndicationMicrositesResource Center
Join
Search
Close
Join the Movement. Blog 4 Good

HHS Eases Federal Substance Use Disorder Confidentiality Rules

By Elliot Golding & Kristin Bryan on August 27, 2020
EmailTweetLikeLinkedIn

Last month the Substance Abuse and Mental Health Services Administration (“SAMHSA”) finalized amendments to the federal Confidentiality of Substance Use Disorder Patient Records regulation, 42 C.F.R. Part 2 (“Part 2”). The changes purport to better facilitate substance use disorder (“SUD”) care coordination and treatment by loosening technical consent requirements, clarifying permissible disclosures, and providing other guidance. Notably, these changes do not address changes required under the COVID-19-related CARES Act, which will require aligning Part 2’s consent requirements more closely to HIPAA. More information about these changes are summarized below:

  • Modification of Authorization Requirements: Part 2 previously required naming specific individuals to receive SUD records in authorization forms (except in very limited circumstances). This functioned as a major barrier to effective data sharing because patients often did not know a specific person’s name at a recipient organization. The modified authorization rules now more closely align with HIPAA by permitting organizations (instead of specific persons) to be named in authorization forms.
  • Permissible Disclosures for Payment and Health Care Operations Permitted with Written Consent: Part 2 previously left some ambiguity about the types of purposes for which SUD information could be disclosed with patient consent. The modifications now permit disclosures with consent that align to the HIPAA definitions of “Payment” and “Health Care Operations” and include “care coordination and case management.”
  • Disclosures for Research: The modifications also align the Part 2 “research” disclosure rules much more closely with HIPAA and the federal “Common Rule” regarding human subject research.
  • Permissible Disclosures for Audit and Program Evaluation: The regulation also clarifies specific situations that fall within the scope of permissible disclosures for audits and/or program evaluation purposes. Federal, state and local governmental agencies and third-party payers may conduct audits and evaluations to identify needed actions at the agency or payer level to improve care. Additionally, audits and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services.
  • Regulation Scope and Re-Disclosure: Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly not covered by Part 2, unless the provider incorporates SUD records received from a Program into the provider’s records. Otherwise, providers (and the EHRs they use) can avoid Part 2 applicability by segmenting data obtained from Part 2 records from the rest of the provider’s records.

Critical features of Part 2 remain unchanged, however, including:

  • Most data uses and disclosures still require patient authorization. However, Part 2 changes are coming up under the CARES Act that will make it substantially easier for entities subject to HIPAA to share information after obtaining an initial authorization.
  • Part 2 continues to prohibit law enforcement’s use of SUD patient records in criminal prosecutions against patients in the absence of a court order.

This development will have wide-ranging implications for Part 2 programs, which will benefit from the additional flexibility. The area of healthcare data privacy is constantly evolving and it can be difficult to navigate changes in the law. Please contact the authors of this post or your regular SPB contact if you have any questions.

Photo of Elliot Golding Elliot Golding

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other

…

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things and complying with the California Consumer Privacy Act. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed hundreds of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

View full website bio.

Read more about Elliot GoldingEmail
Show more Show less
Photo of Kristin Bryan Kristin Bryan

Kristin Bryan is a litigator experienced in the efficient resolution of privacy matters, including class action and multidistrict litigation, in courts nationwide.  As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to…

Kristin Bryan is a litigator experienced in the efficient resolution of privacy matters, including class action and multidistrict litigation, in courts nationwide.  As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling consumers’ personal data. Kristin is admitted to practice in both New York and Ohio and currently the co-chair of the International Association of Privacy Professional’s KnowledgeNet for Cleveland.

View full website bio.

Read more about Kristin BryanEmail
Show more Show less
  • Posted in:
    Health Care
  • Blog:
    Triage Health Law
  • Organization:
    Squire Patton Boggs
  • Article: View Original Source

Stay Connected

Facebook LinkedIn Twitter RSS
Real Lawyers

Company

  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service

Products

  • Products
  • Blogs
  • Portals
  • Twenty
  • Syndication
  • Microsites

Support

  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • The Capital Commitment
  • Delaware Intellectual Property Litigation
  • Restrictive Covenant Report
  • PFAS and Emerging Contaminants
  • Privacy Law Blog
Copyright © 2021, LexBlog, Inc. All Rights Reserved.
Powered By LexBlog