Part 2 of Title 42 of the Code of Federal Regulations imposes limits on “the disclosure and use of substance use disorder patient records which are maintained in connection” with a federally assisted program that “holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment.” The Substance Abuse and Mental Health Services Administration (SAMHSA) recently proposed a new rule to amend regulations governing the privacy protections afforded to patients seeking treatment for substance use disorders (SUDs). SAMHSA states that the purpose of the proposed rule is to combat the opioid crisis by facilitating better care coordination and access for SUD patients while adjusting the privacy protections afforded to SUD patients. This advisory summarizes the key provisions of the proposed changes.
SAMHSA proposes to amend the definition of “records” in § 2.11. The new definition states that information conveyed orally by a part 2 program to a non-part 2 provider is not considered a medical record subject to part 2 regulation if that information is reduced to writing. Records otherwise transmitted by a part 2 program would retain their characteristic as a record.
SAMHSA proposes clarifying the definition of “applicability” in § 2.12 to state that a non-part 2 provider recording information about a SUD and its treatment does not make that record subject to part 2. If records from a part 2 program are incorporated into these records, then the consolidated record would be subject to part 2. Any records received from a part 2 program, or that records from a part 2 program are incorporated into, are subject to part 2 redisclosure rules. Segregation of these records precludes the record generated by a non-part 2 provider from part 2 applicability.
SAMHSA proposes to clarify that patients can disclose information to entities without a treating provider relationship with the patient without naming a specific recipient individual; instead, patients only need to name the receiving entity. If the entity receiving information facilitates the exchange of health information or is a research institution, then the consent must include the name of an individual or a general designation of an individual or entity participant who will receive the information. SAMHSA designed this provision to ensure that confidential patient information is only shared with the people, or class of persons, who need the information or to whom the information is intended.
The proposed rule states that, with written consent, a part 2 program can disclose information to certain entities for payment and operational activities. The list of activities enumerated in the proposed rule is illustrative rather than exhaustive and the regulation includes “other payment/health care operations activities not expressly prohibited.”
SAMHSA proposes allowing non-opioid treatment providers that have a provider relationship with a patient to query central registries to see if a patient is receiving member program opioid treatment. The new rule proposes adding § 2.36 to permit Opioid Treatment Programs to disclose dispensing and prescribing data to Prescription Drug Monitoring Programs with patient consent. As a whole, SAMHSA intends these provisions to prevent duplicative treatment and potential overdosing or harmful side effects caused by volatile drug interactions.
SAMHSA proposes adding major and natural disasters to the definition of “bona fide medical emergenc[ies]” in § 2.51. This would allow part 2 programs to disclose patient information during a declared natural or major disaster without patient consent. The proposed rule states that consent should still be obtained if feasible but that the priority is on appropriate care. This exception would only apply when a state of emergency is declared and the part 2 program is closed and unable to provide services or obtain informed consent because of the disaster.
SAMHSA proposes allowing disclosures of part 2 data to non-HIPAA or Common Rule entities, from a HIPAA covered entity or business associate, for the purpose of research. Such disclosures must be made in accordance with the HIPAA Privacy Rule at 45 CFR 164.512(i). These disclosures can be made to workforce members of HIPAA covered entities for research when the entity requires all research by the members of the workforce to meet the requirements of the HIPAA Privacy Rule or the Common Rule. The new rule proposes permitting disclosures to recipients covered by FDA regulations for the protection of human subjects in clinical trials, but such disclosures would be subject to documentation of compliance with FDA regulatory requirements.
SAMHSA proposes allowing entities to disclose patient identifying information during audits and evaluations if necessary. The purpose of audits and evaluations where disclosure could be necessary include: agency or third party payer entity policy or procedure change action aimed at improving care and outcomes for part 2 patients, targeting limited resources more effectively, determining need for adjustment to payment policies, evaluating if patients are receiving appropriate services in an appropriate setting, and reviewing compliance. This information cannot be used to directly provide or support care coordination. Auditors could include a non-part 2 entity with direct administrative control over the part 2 program (such as when a part 2 program is part of a larger health care system), entities such as accreditation or similar organizations focused on quality assurance, and/or government agencies and their contractors performing audits mandated by statute or regulation that cannot be done without de-identified information.
SAMHSA proposes to extend the period for court ordered placement of an undercover agent or informant to 12 months, subject to further extension with a new court order. The 12-month period would start on the date the agent is placed or informant identified.
Under the current rule, the interaction of §§ 2.11, 2.16, and 2.19 led to the conclusion that if a part 2 program ended and patient contact was made to a part 2 program employee's personal device, then that personal device would need to be destroyed. SAMHSA clarifies that, instead, this correspondence should be deleted immediately and the patient contacted via an authorized channel. An employee of a part 2 program can respond from their personal device if a direct response is required to protect the best interests of the patient. If the correspondence includes patient identifying information, it should be forwarded to an authorized channel prior to deletion.
Additional Proposed Rule
SAMHSA published a second proposed rule to correct an error in the final rule published in 2017. SAMHSA proposes to remove the phrase “allegedly committed by the patient” from §2.63(a)(2) as SAMHSA states this phrase was not originally intended to be included in the final rule. Removal of this phrase will allow law enforcement officials greater access to SUD patient information by allowing the disclosure of confidential communications that relate to the investigation and prosecution of certain enumerated serious crimes.
SAMHSA should remain mindful of the fact that stigma is still a large barrier to SUD treatment, and fear of disclosure of health records is still a large deterrent to many patients’ receipt of SUD treatment. Both of these proposed rules were published on August 26th. Comments on the expansive proposed rule are due before 5 p.m. on October 25. Should you have any questions concerning these proposed rules or if you wish to consider filing a comment, please contact Peter Mellette, Nathan Mortier, Harrison Gibbs, Elizabeth Dahl, or Scott Daisley at Mellette PC.
This client advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.
 42 C.F.R. §§ 2.2, 2.11.
 A copy of the proposed rule is available at: https://s3.amazonaws.com/public-inspection.federalregister.gov/2019-17817.pdf.
 Id. at 33.
 The Common Rule is a set of ethics regarding human subject research. Any government funded research is held to the standards of the Common Rule.
 A copy of the proposed rule is available at: https://s3.amazonaws.com/public-inspection.federalregister.gov/2019-17816.pdf.