SAMHSA Finalizes Second Round of Changes to Federal Substance Use Disorder Privacy Rule

New federal regulations published on January 3, 2018, clarify when lawful holders of substance-use disorder records may use and disclose patient identifying information for payment, health care operations, and audits and evaluations. The 2018 regulations address issues that were discussed, but not resolved, in last year’s final rule published on January 18, 2017.

The 2017 final rule made the first major revisions to the federal regulations governing the confidentiality of substance-use disorder patient records (Part 2) since 1987. On the same day that the Substance Abuse and Mental Health Services Administration (SAMHSA) finalized the 2017 regulations, it issued a supplemental notice of proposed rulemaking to clarify requirements related to the disclosure of Part 2 covered data by contractors and legal representatives.

New Flexibility to Use Contractors and Agents for Payment and Operations Purposes

The most significant revisions that have now been finalized are relevant when a Part 2 program has disclosed records to another individual, with patient consent, for payment or health care operations. New regulatory language provides that the recipient of such records—described as a “lawful holder”—may further disclose the records to its contractors, subcontractors, or legal representatives to carry out the payment or health care operations activities authorized by the patient’s consent. Lawful holders who make such a disclosure must have in place a written agreement which provides that the recipient is bound by the Part 2 rules.

The scope of “payment and health care operations” is relatively broad. SAMHSA does not define either term, but offers a list of examples in the final rule, including activities such as billing, claims management, clinical professional support services, patient safety activities, trainings and assessments, accreditation and licensing, underwriting, legal services, business planning and development, general administrative activities, customer services, resolution of internal grievances, sale or transfer of an organization, eligibility or coverage determinations, risk adjusting, and medical necessity review.

There is not, however, any new authority related to disclosures for diagnosis, treatment, or referral. SAMHSA justifies stricter limitations on treatment disclosures on the basis that “it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact.” Of particular note, SAMHSA considers care coordination or case management to be a diagnosis, treatment, or referral activity, rather than a payment or health care operations activity—an intentional departure from the health care operations definition in the HIPAA Privacy Rule.

Additional Changes

The new regulations also make a few additional clarifications. They authorize an abbreviated notice to accompany disclosure that simply reads: “42 CFR Part 2 prohibits unauthorized disclosure of these records.” This change is intended to accommodate electronic systems that have character limitations on free text fields.

The regulations also provide that entities performing audits or evaluations of a lawful holder of protected records may receive patient identifying information directly from the lawful holder under the Part 2 audits and evaluation exception.

The new regulations go into effect on February 2, 2018.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.