Federal Agency Issues New Guidance on Substance Use Disorder Confidentiality Requirements
April 21, 2021
SAMHSA’s Recent Statement on 42 C.F.R. Part 2
The Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a statement on April 9, 2021 regarding 42 C.F.R. Part 2 (commonly referred to as “Part 2”). In its statement, SAMSHA asserted that it intends to publish amendments to the Part 2 regulations later this year, and affirmed that the current Part 2 regulations (including the July 15, 2020 Final Rule discussed below) remain in effect.1
Background on Part 2
Part 2 is a federal privacy law, distinct from the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), which provides stringent protections against the disclosure of records containing substance use disorder (“SUD”) data. SUD is a “cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal.”2 Part 2 privacy protections extend to SUD data created, received, or acquired by certain federally-assisted entities that hold themselves out as providing SUD treatment.3 As such, these entities generally cannot disclose SUD data without receiving patient consent, unless certain exceptions are met.
On March 27, 2020, the Coronavirus Aid, Relief and Economic Security Act (“CARES Act”) was signed into law. The CARES Act contained a section amending Part 2. Below is a list of some of the CARES Act changes which relate to Part 2:
- A provider may disclose SUD data for “treatment,” “payment,” or “health care operations” (commonly collectively referred to as “TPO”) purposes upon receiving written patient consent.4 Any information so disclosed may then be redisclosed in accordance with HIPAA.
- Once a patient gives prior written consent, a provider may redisclose the data for all future uses or disclosures for TPO purposes, until such time as the patient revokes such consent in writing.5
- A provider may disclose de-identified SUD data to a public health authority.6
- Part 2’s breach notification requirements are now aligned with HIPAA.7
- An entity cannot discriminate against an individual “on the basis” of certain SUD data that the entity received whether the disclosure to the entity was intentional or accidental.8
- Similar to HIPAA, violations of Part 2 are now subject to criminal penalties based on a tiered approach dependent on the violator’s level of culpability.9
SAMSHA’s July 15, 2020 Final Rule
As noted above, SAMHSA published a Final Rule on July 15, 2020, providing (among other things) clarification on Part 2’s consent requirements for the disclosure and redisclosure of SUD data.10 Importantly, this Final Rule was originally proposed before the CARES Act was signed into law, and therefore the Final Rule is not intended to implement or enforce the new CARES Act provisions.
What to Expect Going Forward
Later this year SAMHSA (as directed by the CARES Act) will issue proposed regulations to modify and add to the July 15, 2020 Final Rule to further align Part 2 with HIPAA. In the meantime, Part 2 entities or entities receiving and segregating Part 2 data will need to review and evaluate how to address the current inconsistencies between the SAMSHA Final Rule and the CARES Act changes amending Part 2. As always, your Jackson Kelly health care team will keep you updated on further developments from SAMSHA and is here to assist with your Part 2 compliance needs.
1 Statement on 42 CFR Part 2 Amendment Process, SAMHSA, https://www.samhsa.gov/newsroom/statements/2021/42-cfr-part-2-amendments-process (last visited April 14, 2021).
2 42 C.F.R. § 2.11.
3 42 C.F.R. § 2.11.
4 42 U.S.C. § 290dd-2(b)(1)(B).
5 42 U.S.C. § 290dd-2(b)(1)(C).
6 42 U.S.C. § 290dd-2(b)(2)(D).
7 Compare 42 U.S.C. § 290dd-2(j); with 45 C.F.R. § 164.404.
8 42 U.S.C. § 290dd-2(i)(1).
9 See 42 U.S.C. § 290dd-2(f).
10 45 C.F.R. § 2.31