Seyfarth Synopsis: Recent changes to the federal rules governing confidentiality of substance use disorder (SUD) patient records may require updates to agreements between group health plans and their third-party vendors. Group health plans may be caught up in the changes if they wind up in possession of certain SUD patient records and disclose those records to their vendors for the plan’s payment and health care operations. Plans should speak with their vendors to confirm whether they receive such records and, if so, whether their contracts already include the required language or need to be updated going forward.
Patient records held by certain SUD treatment programs that receive federal financial assistance, such as from Medicare or Medicaid, are subject to confidentiality requirements under 42 C.F.R. Part 2 (“Part 2”). Part 2 generally provides more stringent federal protections for such records than other health privacy laws, including HIPAA. For example, programs subject to Part 2 may only disclose patient records pursuant to a Part 2-compliant patient consent or in accordance with one of the other, limited exceptions under the Part 2 rules. Part 2 also applies to “lawful holders” of Part 2 information. This extension to lawful holders could bring in group health plans who receive Part 2 information from a Part 2 program, such as in connection with administering benefit claims.
In 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”), a branch of the U.S. Department of Health and Human Services, issued a final rule implementing changes to Part 2. The final rule provides that lawful holders of Part 2 information (e.g., group health plans) are permitted to further disclose that information to their third-party vendors, without an additional patient consent, as needed to carry out the plan’s payment activities or health care operations.
According to SAMHSA’s final rule, plans that intend to rely on this provision to disclose Part 2 information to vendors must have in place a written contract with the vendor which references the vendor’s obligation to comply with Part 2 upon receipt of such information. SAMHSA declined to specify the exact contract language to be used, but made clear that existing contractual language regarding general compliance with “applicable federal laws” would not be sufficient. Based on the text of the regulation, it appears that the contract should, at a minimum, require the vendor to implement appropriate safeguards to prevent unauthorized uses and disclosures and report any unauthorized uses, disclosures, or breaches of Part 2 information to the plan.
To the extent group health plan service providers are currently receiving Part 2 information for the plan’s payment or health care operations, SAMHSA’s final rule provides applicable contracts should be in compliance with Part 2 by February 2, 2020. Group health plans should speak with their service providers, such as the third-party administrators for the plan’s medical and prescription drug programs, regarding whether those vendors currently receive records subject to Part 2 on behalf of the plan and, if so, whether the Part 2 requirements are already included in the applicable service agreement. If not, plans may want to amend their HIPAA business associate agreements with covered vendors to incorporate the necessary Part 2 language.