Hannah E. Grantham (hgrantham@strategicm.com)and Tenny Soleymani (tsoleymani@strategicm.com) are Associate Consultants with Strategic Management Services in Alexandria, VA.
As the national opioid epidemic continues to spread, there is a renewed focus on safeguarding the confidentiality of medical records for patients with mental health and substance abuse issues. Nearly 30 years ago, Congress recognized the stigma associated with substance abuse patients and their reluctance to seek treatment due to fears of prosecution.[1] To combat growing concerns about the potential use of substance use disorder (SUD) information against individuals, the Department of Health & Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) issued the Confidentiality of Substance Use Disorder Patient Records regulations (45 CFR Part 2 or Part 2) in 1987.[2] The purpose of the regulation was to ensure that a patient receiving SUD treatment in a federally assisted program (Part 2 program) would not be more vulnerable because of the existence of their patient record than an individual who chose not to seek such treatment. In 2017, SAMHSA published the first substantive update to those regulations since 1987.
Shortly thereafter, SAMHSA built upon that rule and its associated comments and issued another final rule in 2018 to further update and modernize the Part 2 regulations.[3] The final rule attempts to better align the Part 2 regulations with the advances in the US healthcare delivery system, such as the use of integrated healthcare models and the exchange of electronic health information, while also maintaining core privacy protections for individuals seeking SUD treatments.
The Part 2 regulations protect any information that could be used to identify an individual who has been diagnosed or has received SUD treatment at a Part 2 program. Part 2 regulations apply to programs that hold themselves out as providing, and actually provide, SUD diagnosis, treatment, or referral for treatment.[4] These regulations also apply to other “lawful holders” of patient identifying information under Part 2. A lawful holder of Part 2 patient identifying information is an individual or entity who has received such information as the result of a Part 2-compliant patient consent (with a prohibition on re-disclosure notice) or as permitted under the Part 2 statute, regulations, or guidance, and therefore, is bound by 42 CFR Part 2.
SAMHSA previously received numerous public comments that emphasized the need for improved information flow between providers and greater uniformity regarding confidentiality restrictions and regulations. In an attempt to address some of these comments, the final rule provided clarifications and some technical corrections to the Part 2 regulations. Additionally, the 21st Century Cures Act[5] required the Secretary of HHS to convene a stakeholder meeting to determine the effects of the Part 2 regulations and provide another opportunity for SAMHSA to receive input on the Part 2 implementation.