One Step Forward and Two Steps Back: Proposed Changes to the Alcohol and Drug Abuse Treatment Confidentiality Rule

Kathleen Drummy, Adam Greene, Rebecca Williams
Davis Wright Tremaine LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On Feb. 9, 2016, the U.S. Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published in the Federal Register a proposed rule putting forth amendments to the Alcohol and Drug Abuse Treatment Confidentiality Rule at 42 C.F.R. Part 2 (the “Part 2 Rule”). A redline of the proposed changes to the Part 2 Rule is available here.

For some time, the Part 2 Rule’s rigid consent requirement has represented an often insurmountable hurdle to including alcohol and drug abuse treatment information (“Part 2 information”) in electronic health information exchange (HIE) and care coordination efforts. The long-anticipated proposed rule takes one step forward – allowing a consent to specify a class of treating providers, but also manages to take (at least) two steps back: (1) potentially making it more difficult to disclose Part 2 information to an organization without a treatment relationship; and (2) providing patients with the right to an accounting of disclosures that HIPAA has shown to be of dubious value in comparison to its burden. Anyone operating or seeking to coordinate with a Part 2 program should consider submitting comments on the proposed rule.

The Current Challenge of the Part 2 Rule

Currently, one of the biggest challenges with the Part 2 Rule is that almost all disclosures of Part 2 information require a consent, and the consent must include “[t]he name or title of the individual or the name of the organization to which disclosure is to be made.” SAMHSA guidance indicates that identifying a class of organizations, such as “health care providers,” is inadequate. This has made it nearly impossible to exchange Part 2 information within a dynamic network of health care providers, such as within an ever-changing HIE or accountable care organization (ACO) network. If a new health care provider joins the network, then the guidance states that an entity may not share Part 2 information with the new health care provider unless the patient completes a new consent that names the newly added health care provider. The guidance does not allow for a consent to incorporate an online listing of participating health care providers. Because it is not feasible to collect new patient consents each time a new provider joins an HIE or ACO network, a frequent solution is to exclude Part 2 information from that which is shared during HIE or care coordination activities.

One Step Forward…

The proposed rule takes one step forward, as it would allow a consent to specify a recipient (such as the name of an HIE organization) along with a general designation of a class of participants who have a treating provider relationship with the patient whose information is being disclosed. For example, the consent could permit disclosure to “my treating providers.” This language could significantly improve the ability of health care providers to make Part 2 information available to those who need it in an HIE or ACO network.

Two Steps Back…

The proposed rule appears to make it more difficult to make certain disclosures of Part 2 information that currently would be permissible, and adds the unwelcome burden of maintaining a “list of disclosures.”

First, the proposed rule seems to make it more difficult to disclose Part 2 information to an entity that does not have a treatment relationship with the patient. Under the current rule, a consent can include “[t]he name or title of the individual or the name of the organization to which disclosure is to be made.” Under the proposed rule, if the recipient organization does not have a treating provider relationship with the patient, then the recipient either must be a third party payer or the consent must include the name of the receiving entity and the name of an individual participant.

Accordingly, under the current rule, a consent could provide for disclosure to “XYZ Personal Health Record Vendor.” But, because XYZ Personal Health Record Vendor does not have a treating provider relationship and is not a third party payer, the proposed rule would require the consent to not only name “XYZ Personal Health Record Vendor” but to also name an “individual participant,” which would seem to require the name of a specific employee of XYZ Personal Health Record Vendor. This would seemingly curtail or severely limit the ability of patients to authorize Part 2 programs to send their information to entities that do not have a treatment relationship.

Further, the proposed rule would tighten up the “from whom” requirements. The current rule permits the consent to contain the specific name or general description of the disclosing entity. The proposed rule would require the consent form to specifically name the disclosing entity. According to SAMHSA, this would avoid the unintended consequence of a general “to whom” and “from whom.” This unnecessarily limits the use of a consent. There may be situations, for example, when the patient wants all the patient’s health care providers to disclose information to a particular recipient (such as a personal health record vendor).

Second, as a tradeoff for permitting a consent to specify a class of treating health care providers, SAMHSA proposes a new accounting of disclosures requirement. In cases in which a consent permits disclosure to an entity without a treatment relationship (e.g., an HIE organization) and further disclosure to a class of health care providers with treatment relationships, the patient is entitled to receive from the organization without the treatment relationship (e.g., the HIE organization) a list of entities who have received the patient’s Part 2 information over the prior two years, including the name of the receiving entity, the date of the disclosure, and a brief description of the disclosed information. The organization must provide the patient this listing within 30 days.

This is similar to the “accounting of disclosures” requirement under the HIPAA Privacy Rule. It certainly seems like a reasonable idea – providing patients the ability to see where there information has gone. Unfortunately, what we have seen under HIPAA is that the burden of maintaining an accounting of disclosures often far outweighs the benefit. The proposed rule itself states that SAMHSA “anticipates that there will be few requests based on the relatively small number of accounting requests that most covered entities have received to date under the HIPAA Accounting for Disclosures rule, according to some anecdotal reports.” In other words, few patients have historically expressed an interest in exercising their right to an accounting of disclosures, but SAMHSA is expanding this right nonetheless. There may be systems where it will be easy to track disclosures in the manner anticipated by this rule. But there may be other scenarios, such as the research setting, where disclosures may occur manually and the burden of tracking the disclosures may far outweigh the benefit (as we have seen minimal interest in this privacy right in the past).

Entities who are subject to the Part 2 Rule, who wish to improve coordination with Part 2 programs, or who potentially may need to receive Part 2 information at the patient’s request may wish to comment on these and other aspects of the proposed rule.

But Wait, There’s More…

Some of the other proposed changes include:

  • Revise the current Part 2 research exception to permit disclosure by Part 2 programs to qualified researchers for the purpose of conducting scientific research as long as the researcher demonstrates compliance with various human research requirements.
  • Clarify and ensure that Part 2 programs and other lawful holders of patient identifying information have formal policies and procedures related to the security of electronic and paper records in place, including sanitization of associated media.
  • Clarify that the written summary of federal law and regulations may be provided to patients in either paper or electronic format.
  • Require that a statement regarding the reporting of violations include contact information for the appropriate authorities.
  • Clarify that Part 2 records expressly include electronic records.
  • Clarify that the prohibition on re-disclosure only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the Part 2 program to be redisclosed, if permissible under other applicable laws.
  • Revise the medical emergency exception to make it consistent with the statutory language and to give providers more discretion to determine when a “bona fide medical emergency” exists. Although helpful, the proposed rule does not permit disclosures to avert other risks of harm, such as when a patient makes a credible threat against a third person or the public.

The proposed rule is open for comment through April 11, 2016; any changes will take effect 180 days following publication of the final rule.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Davis Wright Tremaine LLP
Contact
more
less

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide