As part of its comprehensive COVID-19 response, Congress quietly passed through changes to the federal drug and alcohol confidentiality framework known as “Part 2” under the CARES Act, enacted on March 27. One of the more underreported components of the CARES Act, the changes do not completely overhaul the Part 2 regulations, however, they relax several restrictions that health care providers have struggled with, particularly in the electronic exchange and electronic health records (“EHR”) context (the “CARES Act Changes”).
Part 2 applies to substance use records created and maintained by certain federally supported drug and alcohol programs (“Part 2 Programs”) which identify an individual as having received, or as receiving, substance use treatment and related services from the Part 2 Program. Part 2 requires written consent for most disclosures of Part 2 records, including for treatment purposes, to obtain payment for services provided, and for health care operation purposes. Part 2 also continues to apply to the records themselves after a disclosure has been made by a Part 2 Program and the records are no longer within its possession or control. Therefore, a person or entity that receives Part 2 records from a Part 2 Program becomes subject to Part 2 through receipt of that information.
Although Part 2 was previously amended through a series of regulatory changes between 2017 and early 2019, SAMHSA heavily resisted provider efforts to better align Part 2 with HIPAA’s framework, particularly in the context of written authorization requirements and disclosures for treatment, payment and health care operations purposes. Although SAMHSA proposed new draft regulations in 2019 with additional changes, its proposals again stopped short of fully aligning exchange of Part 2 records with HIPAA, with SAMHSA repeatedly emphasizing that it did not have the authority to make these changes.
Because Part 2 is more stringent than HIPAA, in terms of its limitations on use and disclosure without written consent, requirements for obtaining the required form of consent, and implications for downstream disclosures, it creates difficulty in an era where electronic exchange is not only the predominant method for making health information available, but also even required under certain circumstances, as evidenced by the 21st Century Cures Act. For example, a healthcare provider which receives records from a Part 2 Program cannot use and disclose those records in the same manner that it can use and disclose other medical records that it maintains about an individual as permitted by HIPAA. As a result, the health care provider typically must find a way to sequester those Part 2 records from disclosure unless or until the required form of consent can be obtained.
When it comes to electronic exchange of information, this can be particularly challenging. Providers increasingly participate in health information exchange organizations (“HIOs”), including state-operated HIOs. In New Jersey, hospitals are required to participate in the state owned and operated HIO, the New Jersey Health Information Network (NJHIN), as a condition of their charity dollars. Many hospitals also participate in vendor driven HIOs operated by entities such as EPIC, Commonwell or Carequality. These HIOs generally support information
exchange between health care providers for treatment purposes, as well as in several cases payment and health care operations purposes.
Under HIPAA, written consent is not required in order to disclose information for these treatment, payment and health care operations purposes. However, because Part 2 does not allow these types of disclosures without written consent in the same manner as HIPAA, Part 2 records have historically been kept out of HIOs and otherwise sequestered and not routinely disclosed by providers, often times with great difficult and burden on the provider and its vendor. This creates the potential for continuity of care and care coordination issues, results in providers not having all of the available information about an individual to inform treatment decisions, and may also result in providers having to keep non-Part 2 records from being exchanged as well, among other issues.
Although the solution may seem simple – obtain consent from the individual who is the subject of the Part 2 record – it is a far more complicated process. For decades, the required form of Part 2 consent required naming the specific recipient who would be receiving the Part 2 records from the individual or entity making the disclosure. In a state-wide HIO, this could be hundreds of health care providers and others who could potentially access the records at some point after it becomes available in the HIO for a permitted purpose (i.e., treatment). In a nation-wide HIO, this could be tens of thousands of potential recipients.
SAMHSA’s prior guidance interpreted the Part 2 consent requirement in the HIO context to mean that each and every participant in an HIO would need to be specifically named on a written consent and a new consent obtained from the individual each and every time a new participant joined the HIO who could have access to the individual’s Part 2 records.[1]
Although SAMHSA relaxed this requirement to some extent in its recent rounds of rulemaking, the relaxed consent requirements were limited to only entities or individuals which have a treatment relationship with the individual.[2] If an HIO allows participation by health payors, accountable care organizations (ACOs) or public health entities, this relaxed consent mechanism is not available. Additionally, Part 2 would continue to attach to the records downstream after disclosure, requiring consent for subsequent disclosures of the records by the recipient, although SAMHSA’s recent rulemaking and proposed rulemaking strive to create some additional flexibility there.
Providers are also now required under the 21st Century Cures Act and regulations recently promulgated thereunder to make health information available or be held liable for information-blocking. As discussed more in depth in Helen’s recent article, Will ONC’s Information-Blocking Rules put HIEs between a Rock and a Hard Place?, health care providers and HIOs are prohibited from “interfering with” the access, exchange, or use of electronic health information. Although certain enumerated exceptions to this have been created, it will be particularly difficult for health care providers to manage and segregate, as needed, Part 2 information while allowing other types of electronic health information to be more freely accessed, exchanged, or used as required by the 21st Century Cures Act Final Rule.
The CARES Act Changes address some of these Part 2 challenges and it seems Congress listened to SAMHSA’s prior assertions that it had no authority to align Part 2 with HIPAA. The CARES Act amends Part 2 to:
- Allow for Part 2 records, once written consent has been obtained from the individual, to be used and disclosed by a Part 2 Program, a covered entity or business associate for treatment, payment and health care operations purposes as permitted by HIPAA. Once disclosed for such purposes, the information may be re-disclosed as permitted by HIPAA. This presumably would allow, for example, a health care provider that receives Part 2 records for treatment purposes to re-disclose such information in any manner permitted by HIPAA instead of being subject to the more stringent Part 2 consent requirements.
- Allow for a written consent from the individual to authorize future disclosures for treatment, payment and health care operations, until the individual revokes the consent.
- Extend the right to request restrictions, accounting of disclosure requirements, and electronic access rights granted by HITECH to disclosures which are subject to the above consent requirement.[3]
- Allow disclosures of de-identified Part 2 records to public health authorities, provided the information is de-identified as required by HIPAA.
- Strengthen Part 2 anti-discrimination provisions.
- Require breach notification in the event of a breach of Part 2 records in the same manner that HIPAA requires of covered entities and business associates.
- Require provision of a Notice of Privacy Practices.
The CARES Act requires HHS to engage in rulemaking to address these changes within 12 months of enactment. Unlike other COVID-19 measures, the changes are not limited to the duration of the public health emergency. As of now, the CARES Act Changes appear promising for health care providers in allowing for written consent to authorize future disclosures for treatment, payment and health care operations purposes, as well as re-disclosures of such information as permitted by HIPAA. However, it remains to be seen how HHS and SAMHSA will address this in future rulemaking and interpret any ambiguities in the CARES Act Changes, as well as how SAMHSA’s current 2019 draft rulemaking will be affected by these changes.
[1] SAMHSA Frequently Asked Questions, Applying the Substance Abuse Confidentiality Regulations to HIE, available at https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf.
[2] 42 C.F.R. 2.31(a)(4).
[3] 42 U.S.C. 17935(a)
Subscribe HERE to Legal HIE’s Compliance Library to gain access to sample policies, documents & tools for compliance with the Info Blocking Rule.