Michael Bossenbroek (mbossenbroek@wachler.com) is a Partner at Wachler & Associates, PC in Royal Oak, MI.
When people think of patient privacy laws, they usually think of the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although HIPAA is ubiquitous in the healthcare industry, there is an equally important patient privacy law for providers who treat substance abuse disorders. The Confidentiality of Alcohol and Drug Abuse Patient Records regulations found at 42 CFR Part 2, colloquially known as Part 2 or the Part 2 regulations, protect the confidentiality of substance use disorder patient records for federally assisted substance use disorder programs.
On January 18, 2017, for the first time in almost 30 years, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued its final rule attempting to update and modernize Part 2.[1] The final rule took effect on March 21, 2017, and aside from technical, non-substantive, and nomenclature changes to Part 2, the rule finalized approximately a dozen amendments published in the proposed rule the year before. This article will discuss some of the more significant amendments and how they may impact compliance for providers who are subject to Part 2.
Background of Part 2
Part 2 regulations originate from two federal statutes passed in the 1970s — the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 and the Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972. The purpose of Part 2 was to ensure that individuals who receive treatment for a substance use disorder in a Part 2 program were not made more vulnerable by reason of the availability of their records than individuals who do not seek treatment for a substance use disorder. Underlying this purpose was the concern that the availability of information related to an individual’s substance use disorder carries the risks of job loss, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration. By protecting the confidentiality of this information, Part 2 exists to encourage these individuals to seek, rather than avoid, treatment.
Part 2 applies only to a federally-assisted program. Both “program” and “federally-assisted” are carefully defined terms in Part 2. Not all providers or entities that treat substance abuse disorders are subject to Part 2, because they may not meet either or both of these definitions. In contrast to the broader use and disclosure provisions of HIPAA, Part 2 strictly prohibits the disclosure of patient records unless the patient executes a written consent or the disclosure falls within one of the narrow circumstances where Part 2 permits a disclosure without patient consent. These narrow circumstances include disclosures made:
- to medical personnel in a medical emergency;
- to qualified personnel for research, audit, or program evaluation purposes; or
- pursuant to a Part 2-compliant court order.
Other recognized exceptions include communications:
- within the Part 2 program among personnel who need the information relating to the patient’s diagnosis, treatment, or referral for treatment;
- between a program and a qualified service organization (QSO);
- to law enforcement regarding crimes on the care program’s premises or against program personnel; and
- reporting suspected child abuse and neglect.
Part 2 has gone largely unchanged in the last 30 years, but the healthcare system and the world of healthcare information technology have not.[2] For example, new models of integrated care have emerged that rely on information sharing to facilitate the coordination of patient care, and this information is now in large part managed and exchanged electronically. As noted earlier, the privacy and security regulations enacted under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) impose an additional layer of compliance requirements for Part 2 programs that are required to comply with both Part 2 and HIPAA/HITECH. In June 2004, SAMHSA published a white paper discussing the interplay and overlap of Part 2 and HIPAA’s Privacy Rule.[3]