Proposed Privacy Rule Changes Aim to Improve Care Coordination, Still Protect Patient Confidentiality

On August 22, the Substance Abuse and Mental Health Services Administration, or SAMHSA, released a proposed rule that would change regulations to facilitate better care coordination while protecting the confidentiality of patients in substance use disorder (SUD) treatment programs.

The rule would make changes to 42 CFR (Code of Federal Regulations) Part 2, commonly referred to as “Part 2.” Part 2 protects the confidentiality of SUD patient records by restricting the circumstances under which treatment programs can disclose information.

Part 2 regulations were established in the 1970s to address concerns about the use of SUD information in non-treatment-based settings, such as criminal proceedings, and encourage individuals to seek treatment. Since then, there have been significant changes in the healthcare system and technology. The added protections have created silos of care and, as a consequence, ineffective care coordination among different providers.

The emergence of the opioid crisis has highlighted the need to update Part 2 requirements. The proposed rule is the first of four regulations that have been identified in the U.S. Department of Health and Human Services initiative known as the Regulatory Sprint to Coordinated Care, which seeks to reduce regulatory burdens and incentivize coordinated care.

The proposed rule would not alter the basic framework of Part 2 and would continue to prohibit law enforcement use of SUD patient records in criminal proceedings. Patient consent would still be required to disclose SUD treatment records, with exceptions. Changes in the proposal include:

• Patient records created by a non-Part 2 provider would be exempt from the Part 2 requirements as long as they are kept segregated from any records created by a Part 2 program ― an individual or entity that is federally assisted and provides alcohol or drug abuse diagnosis or treatment.
• A personal device of a Part 2 program employee would be “sanitized” by deleting incidental patient messages.
• A patient could consent to the disclosure of treatment records to an entity without naming a specific person as the intended recipient, as is currently required.
• Non-opioid treatment program (OTP) providers would be eligible to query a central registry in order to determine whether their patients are already receiving opioid treatment. OTP providers would be allowed to enroll in a state prescription drug monitoring program (PDMP) and permitted to report data into the PDMP when prescribing or dispensing medications on Schedules II to V, consistent with applicable state law.
• Natural disasters that disrupt treatment facilities and services would meet the definition of a medical emergency for the purpose of disclosing SUD records without patient consent.
• Disclosures for research under Part 2 would be permitted by a Health Insurance Portability and Accountability Act (HIPAA)-covered entity or business associate to individuals and organizations that are neither HIPAA-covered entities nor subject to the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule.”