Industry News

SAMHSA Proposes Changes to the Confidentiality of SUD Patient Records Regulations

The Department of Health and Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) recently issued a proposed rule on the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2.  These regulations address the confidentiality of patient records related to SUD treatment that are created by federally assisted substance abuse treatment providers.  The proposed rule seeks to better facilitate coordination of care for SUD treatment, particularly for opioid use disorder (OUD).  SAMHSA is accepting comments on the proposed rule until October 25, 2019.

Key policy proposals and changes include:

Applicability and Re-Disclosure—The proposed rule clarifies that if a non-part 2 treating provider records information about a SUD and SUD treatment, that record is not subject to part 2 regulations.  Records created by non-part 2 providers based on their own patient encounters would not be subject to part 2 unless the records received from the part 2 program are incorporated into such records.  Part 2 records previously received from a part 2 program may be segregated to ensure that new records created by non-part 2 providers during their own patient encounters would not become subject to the part 2 rules.

Disposition of Records—The proposal states that part 2 program employees would be able to “sanitize” their personal devices by deleting incidental messages sent from a SUD patient without needing to confiscate or destroy the employee’s device.

Consent Requirements—The proposed rule seeks to amend part 2 regulations by eliminating the requirement that written consent to disclose part 2 treatment records may be directed to an entity, rather than requiring the name of a specific person as recipient.

Disclosures Permitted with Written Consent—The proposed rule permits disclosures for the purpose of “payment and health care operations” with written consent, listing 17 example lists in the regulatory text (previously in the preamble).

Disclosures to Central Registries and PDMPs—The proposed rule would allow non-opioid treatment program (OTP) providers to access a central registry to determine whether patients are already receiving opioid treatment through a member program.  OTP providers would also be permitted to enroll in a state prescription drug monitoring program (PDMP) and to report data into the PDMP when prescribing or dispensing Schedules II to V medications, consistent with applicable state law.

Medical Emergencies—The proposed rule seeks to modify the regulation for disclosures of SUD treatment records without patient consent to allow declared emergencies resulting from natural disasters (e.g., hurricanes) that disrupt treatment to meet the definition of a “bona fide medical emergency” for which a patient’s written consent is not required.

Research—In order to more closely align part 2 with the HIPAA Privacy Rule, the proposed rule seeks to allow research disclosures of part 2 data from HIPAA covered entities or business associates to individuals or organizations that are neither HIPAA covered entities, nor subject to the Common Rule.  Additionally, the proposed rule seeks to clarify that research disclosures may be made to HIPAA covered entity workforce members for purposes of employer-sponsored research.  The proposed rule also seeks to permit research disclosures to recipients who are covered by FDA regulations for the protection of human subjects in clinical investigations.

Audit and Evaluation—The proposed rule seeks to allow disclosures for audits and evaluations performed by a government agency or third-party payer designed to improve delivery of care, to target the effective use of limited resources, and/or to determine the need for changes to payment policies for SUD patients.  SAMHSA also proposes to permit patient identifying information to be disclosed to government agencies, their contractors, subcontractors, and legal representatives for statutory or regulatory mandated audits or evaluations if the audits or evaluations cannot be conducted with de-identified information.  Finally, SAMHSA proposes that:

  1. Audits and evaluations may include medical necessity reviews, reviews to assess medical care appropriateness, and utilization of services:
  2. Part 2 programs may disclose information to non-part 2 entities with direct administrative control over the part 2 program without consent; and
  3. Entities conducting audits or evaluations may include accreditation or similar types of quality-assurance focused organizations.

Confidential Communications—The proposed rule will correct a technical error from the 2017 rule making by dropping the phrase, “allegedly committed by the patient” from the standard for court ordered disclosures of SUD for investigations of “an extremely serious crime.”

Undercover Agents and Informants—The proposed rule seeks to extend the court-ordered period for placement of an undercover agent or informant from 6 months to 12 months.  Courts may also extend a period of placement through a new court order.  Additionally, the proposal clarifies that the proposed 12-month time period would start when an undercover agent is placed, or an informant is identified, in the part 2 program.

The proposed rule is available at: