After nearly thirty years since the last substantive change to the law, on January 18, 2017, the Substance Abuse and Mental Health Services Administration (SAMHSA) published its final rule (the “Final Rule”) implementing substantive amendments to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations at 42 C.F.R. part 2 (the “Part 2 Regulations”), which restrict the disclosure and use of substance use disorder patient records.
Please note that the Final Rule was set to take effect on February 17, 2017; however, due to the Executive Branch’s 60-day “regulatory freeze,” the effective date has been delayed until no sooner than March 21, 2017. 
Under the existing Part 2 Regulations, a “federally assisted program” (“Program”) may not disclose any information about a patient’s diagnosis, treatment, or referral for treatment for a substance use disorder (“Patient Identifying Information”), unless the patient has consented in writing on a form that satisfies the requirements set forth in the Part 2 Regulations, there is a valid court order authorizing the disclosure, or another limited exception applies. The purpose of the Part 2 Regulations is to ensure that fear of disclosure of Patient Identifying Information is not a deterrent to treatment for substance use.
- SAMHSA’s Final Rule
The following sections summarize the key revisions to the Part 2 Regulations set forth in the Final Rule. For additional information regarding selected changes to the existing Part 2 Regulations, please see the Summary Chart we have prepared.
Notably, the Final Rule did not substantively change what entities are considered Programs under the Part 2 Regulations. However, SAMHSA does clarify that both “Programs” and “other lawful holders” of Patient Identifying Information (e.g., a patient’s treating provider, a hospital emergency room, an insurance company, or an individual/entity performing an audit or conducting scientific research) are subject to the Part 2 Regulations, including the restrictions on use and disclosure and the requirement to have formal security policies and procedures in place. Thus, any party that receives the Patient Identifying Information may not redisclose the information unless it receives the proper patient authorization or an exception applies (e.g., disclosure to “qualified service organizations”).
- Consent Requirements
Some of the most significant revisions to the Part 2 Regulations in the Final Rule pertain to the requirements for a valid patient consent for disclosure of Patient Identifying Information. Under the existing Part 2 Regulations, the Program must obtain written consent from the patient on a form that includes: the specific name or general designation of the Part 2 Program or person permitted to make the disclosure; the recipient’s name; the patient’s name; the purpose of the disclosure; how much and what kind of information is to be disclosed; the patient’s signature; the date on which the consent is signed; a statement that the consent is subject to revocation at any time except to the extent that the Program or person making the disclosure has already acted in reliance on it; and the date, event, or condition upon which the consent will expire if not revoked before.
The Final Rule amends two of the aforementioned elements in the patient consent form. Specifically, the Final Rule requires that the patient consent form include an “explicit description” of the types of Patient Identifying Information that may be disclosed. SAMHSA explains that the entity creating the consent form may provide options for the patient with respect to the type of Patient Identifying Information that that is authorized to be disclosed. “All my substance use disorder information” may be an option provided to the patient, as long as more granular options are also included on the consent form.
In addition, in order to encourage patients to participate in organizations that coordinate care, the Final Rule provides patients with the option of providing a general designation in the “To Whom” section of the consent form, so long as the recipients within the intermediary have a treatment relationship with the patient (i.e., “past,” “current,” and/or “future” treating providers). SAMHSA clarifies that a consent form can include multiple authorizations in the “To Whom” section. For example, patients may designate by name one or more individuals with whom they do not have a treating provider relationship, along with a general designation for their treating providers, as being authorized to receive or access their information (i.e., Dr. Smith at Blue Hospital, and all past, current, or future treating providers under Red ACO).
Lastly, the Final Rule provides patients with the right to receive, upon request, from the entity that serves as the intermediary (e.g., HIE, ACO, CCO) a list of entities to which their information has been disclosed pursuant to the general designation. SAMHSA clarifies that intermediaries may not disclose Patient Identifying Information pursuant to a general designation on a consent form until they have the ability to comply with the list of disclosures requirement.
SAMHSA revises the existing research exception so that researchers are subject to specific regulatory requirements. The Final Rule permits Patient Identifying Information to be disclosed to qualified personnel for the purpose of conducting scientific research by a Program or any other “lawful holder” of Patient Identifying Information if the individual designated as the director determines that the researcher satisfies the following requirements, as applicable: (i) has obtained and documented patient authorization or a waiver of authorization consistent with HIPAA; and (ii) has complied with the Department of Health and Human Services (“HHS”) regulations regarding the protection of human subjects.
- Electronic Records
SAMHSA revises the definition of “records” to clarify that the confidentiality protections under the Part 2 Regulations are not limited to paper records, but also extend to electronic records containing Patient Identifying Information. SAMHSA further revises the definition of “records” to include verbal communications created, received, or acquired by a Part 2 Program relating to a patient. Additionally, revisions in the Final Rule address: (i) the security and disposition of electronic records, including a requirement for sanitizing associated media; (ii) the permitted distribution of the required notice setting forth the federal confidentiality requirements to patients in electronic format; (iii) the permitted use of electronic signatures on consent forms to the extent they are not prohibited by any applicable law; and (iv) the inclusion of both paper and electronic records in the audit and evaluation requirements.
- Additional Guidance from SAMHSA
SAMHSA simultaneously issued a Supplemental Notice of Proposed Rulemaking (“SNPRM”) to seek further comments and information regarding the use and disclosure of Patient Identifying Information by “lawful holders” and their contractors, subcontractors, and legal representatives for purposes of carrying out payment, health care operations, and other health care related activities. Comments are due by 5:00 p.m. on February 17, 2017.
- Next Steps for Providers
Although the “regulatory freeze” has delayed the effective date of the Final Rule, providers should be aware of these pending changes and should consider developing an action plan to achieve full compliance with the Part 2 Regulations. Providers subject to the Part 2 Regulations should consider taking the following actions:
- Monitor for future changes and effective dates
- Revise consent forms
- Review and revise existing privacy and security policies
If you have any questions about this alert or the SAMHSA Part 2 regulations, please contact Joan Feldman (firstname.lastname@example.org or 860.251.5104), Vincenzo Carannante (email@example.com or 860.251.5096), William Roberts (firstname.lastname@example.org or 860.251.5051), or Stephanie Gomes-Ganhão (email@example.com or 860.251.5239).