Patient privacy and empowerment were at the heart of recent efforts to modernize substance abuse treatment regulations last updated in 1987. The rules commonly referred to as “Part 2” were created even earlier, in 1975, out of concern that people receiving treatment for substance abuse may suffer adverse consequences, such as criminal prosecution or other social consequences, if their identities were exposed. While the purposes for the rules remains the same, their efficacy has become outdated. Advances in healthcare and records technology have also increased the risk for patients’ identities to be revealed, further underscoring the need for revision.
The U.S. Department of Health and Human Services (HHS) recently sought to modernize regulations given the technological advancements since their original inception in the 20th century. The current healthcare delivery system is heavily networked using electronic records and data sharing. The protection of this data on behalf of the patient, as well as the desire to empower them in how this data is stored and shared, were the aims of their efforts. The results of their efforts were significant changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2).
HHS Deputy Assistant Secretary Kane Enomoto shared her hope that the changes will “further enhance health services research, integrated treatment, quality assurance and health information exchange activities while at the same time safeguarding the essential privacy rights of people seeking treatment for substance abuse disorders.” All who work with patients that suffer from substance abuse want to help where we can, and we recognize that patients are more likely to seek help when they feel secure and empowered. 42 CFR Part 2 seeks to ensure that patients who seek treatment are not made more vulnerable than those who don’t.
Perhaps most evident from the patient perspective is the greater control they now have over the sharing of their information. The Substance Abuse and Mental Health Services Administration (SAMHSA) now empowers patients to consent to the disclosure of their information to third parties. Patients can authorize the disclosure of their information to intermediate entities and their “current and future treating providers.” Patients can request a list of possible entities for the sharing of their information where it is necessary to carry out the patient’s lawful payment and healthcare operations activities.
SAMHSA does authorize the sharing of patient identifying information without patient consent to qualified personnel conducting relevant scientific research if certain regulations are met. These exceptions are limited, and can also include medical emergencies, child abuse reporting, or court order. Recognizing potential concern from patients at knowing this information, SAMHSA now allows patients to request a list of entities with whom their information has been shared during the last two years.
In situations where information is shared, the recipient cannot disclose the information to their own subcontractors without patient consent. The recipient also becomes subject to Part 2 of the rule and required to comply with its provisions. Additional provisions in the Final Rule include:
- Audit and evaluation procedures for CMS-regulated organizations have been improved to ensure efficiency in audit and evaluation activities and to meet the requirements of CMS-regulated Accountable Care Organizations (ACOs).
- Revised medical emergency exceptions to make them consistent with the statutory language and provide greater discretion in determining when a medical emergency exists.
- The definition of ‘records’ was updated to include electronic records.
- Terminology has been updated for consistency and clarity. For example, “alcohol and drug abuse” is now “substance use disorder.”
SAMHSA is monitoring these modifications to determine if and where additional sub-regulatory guidance. It is their desire to continue to make improvements where needed, and solicit any useful feedback from care providers. Many of the modifications were the direct result of feedback they received during an open comment period in 2016 and early 2017.
All who work with patients seeking treatment for substance abuse can help their patients feel more secure and empowered by helping them understand the benefits that these revised provisions provide. Patients’ identities are important, as is the information connected to their treatment. While patients have greater power in how their information is shared and stored, they may not have control in every situation. In those circumstances, they nonetheless can be assured that there are limits to that sharing, and the information that is shared is protected by these updated regulations. They can also request a list of entities with whom their information has been shared.
Providing a safe and secure care environment for individuals with substance use disorder has been the driving force in these revisions to 42 CFR Part 2. Integrated health technology plays a key role in establishing this secure care environment with hardware, software, application, and security protocols that meet or exceed HIPAA, HITECH, and 42 CFR Part 2 regulations.