Deadline is Approaching for Group Health Plan Service Agreement Updates

Seyfarth Shaw LLP
Contact

Seyfarth Synopsis: Recent changes to the federal rules governing confidentiality of substance use disorder (SUD) patient records may require updates to agreements between group health plans and their third-party vendors. Group health plans may be caught up in the changes if they wind up in possession of certain SUD patient records and disclose those records to their vendors for the plan’s payment and health care operations. Plans should speak with their vendors to confirm whether they receive such records and, if so, whether their contracts already include the required language or need to be updated going forward.

Patient records held by certain SUD treatment programs that receive federal financial assistance, such as from Medicare or Medicaid, are subject to confidentiality requirements under 42 C.F.R. Part 2 (“Part 2”). Part 2 generally provides more stringent federal protections for such records than other health privacy laws, including HIPAA. For example, programs subject to Part 2 may only disclose patient records pursuant to a Part 2-compliant patient consent or in accordance with one of the other, limited exceptions under the Part 2 rules. Part 2 also applies to “lawful holders” of Part 2 information. This extension to lawful holders could bring in group health plans who receive Part 2 information from a Part 2 program, such as in connection with administering benefit claims.

In 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”), a branch of the U.S. Department of Health and Human Services, issued a final rule implementing changes to Part 2. The final rule provides that lawful holders of Part 2 information (e.g., group health plans) are permitted to further disclose that information to their third-party vendors, without an additional patient consent, as needed to carry out the plan’s payment activities or health care operations.

According to SAMHSA’s final rule, plans that intend to rely on this provision to disclose Part 2 information to vendors must have in place a written contract with the vendor which references the vendor’s obligation to comply with Part 2 upon receipt of such information. SAMHSA declined to specify the exact contract language to be used, but made clear that existing contractual language regarding general compliance with “applicable federal laws” would not be sufficient. Based on the text of the regulation, it appears that the contract should, at a minimum, require the vendor to implement appropriate safeguards to prevent unauthorized uses and disclosures and report any unauthorized uses, disclosures, or breaches of Part 2 information to the plan.

To the extent group health plan service providers are currently receiving Part 2 information for the plan’s payment or health care operations, SAMHSA’s final rule provides applicable contracts should be in compliance with Part 2 by February 2, 2020. Group health plans should speak with their service providers, such as the third-party administrators for the plan’s medical and prescription drug programs, regarding whether those vendors currently receive records subject to Part 2 on behalf of the plan and, if so, whether the Part 2 requirements are already included in the applicable service agreement. If not, plans may want to amend their HIPAA business associate agreements with covered vendors to incorporate the necessary Part 2 language. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Seyfarth Shaw LLP | Attorney Advertising

Written by:

Seyfarth Shaw LLP
Contact
more
less

Seyfarth Shaw LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.