Richard Chapman (richard.chapman@uky.edu) is Chief Privacy Officer and Litany Webster (litany.webster@uky.edu) is Corporate Compliance Manager at UK HealthCare in Lexington, KY.
42 CFR Part 2 (Part 2) was enacted in 1975 to protect the confidentiality of patient records related to substance use disorder treatment from applicable Part 2 programs. The purpose of Part 2’s additional confidentiality safeguards is to reduce the risk of harmful consequences for individuals who seek treatment, such as loss of employment, prosecutions and incarceration, health treatment discrimination, and child custody issues if the patient’s treatment record is not protected.[1] From 1987 to 2017, the regulation remained substantially unchanged. However, amidst criticism that the regulation was no longer in tune with the current state of modern healthcare, the regulation was updated in 2017 and 2018 with the goal to better align it with the Health Insurance Portability and Accountability Act (HIPAA), the modern integrated healthcare model, and electronic health information exchanges (HIE).
These revisions left intact the overarching purpose of Part 2. Providing a complete overview of Part 2 and the 2017–2018 revisions would take several articles. Accordingly, the purpose of this article is to provide a foundational understanding of the fundamentals of 42 CFR Part 2. This article will discuss Part 2’s use and disclosure restrictions, how to determine Part 2 program applicability, disclosure consent form requirements, notice prohibiting re-disclosure, and security policy and procedure requirements for electronic health records.
Part 2’s restrictions on use and disclosure of patient information
To maintain the confidentiality of patient information pertaining to substance use disorder treatment, Part 2 imposes restrictions on the use and disclosure of patient records obtained by and from Part 2 programs. The term “substance use disorder treatment” in this article encompasses the treating of a substance use disorder, diagnosing the disorder, and/or the referral for substance use disorder treatment. Accordingly, the disclosure of any information identifying a patient as having received substance use disorder treatment from a Part 2 program is restricted, barring any codified exceptions or exclusions in the regulation, unless express written consent is obtained from the patient or legal guardian.[2] Further, the regulation prohibits using this information to initiate or substantiate criminal charges or to conduct a criminal investigation against the patient.[3] These restrictions do not apply to a diagnosis made solely for the purpose of obtaining evidence for law enforcement or a diagnosis for an overdose or alcohol intoxication that evidences the patient is not suffering from a substance use disorder.[4]
Determining the applicability of Part 2 to your entity
How can an organization determine if it qualifies as a “Part 2 program” and is thus subject to the use and disclosure requirements? In order to make this determination, the program must undertake a two-part analysis by first determining whether it receives federal assistance and then determining whether the Part 2 regulation’s “program” definition applies.[5]
For the first part of the analysis, the regulation provides four instances where a program qualifies as receiving federal assistance.[6] A program receives federal assistance if it:
- Is conducted in some degree by a division of the United States;
- Is carried out pursuant to a license, certification, registration, or other authorization from a United States’ department or agency (e.g., participating in the Medicare program, holding a DEA registration for dispensing controlled substances used to treat substance use disorder, being federally authorized to conduct a withdrawal management program);
- Is supported by funds from a division of the United States, or is conducted by a local government unit that receives federal funds that may be spent on substance use disorder programs (even if the funds are not used for the program/substance use disorder treatment); or
- Receives assistance from the IRS in the form of income tax deductions for contributions or the granting of tax-exempt status.[7]
The second part of the applicability determination, pertaining to the “program” definition in the regulation, is the slightly more difficult part of the analysis. When evaluating an individual or entity not in a general medical facility or an identified unit in a general medical facility, the program definition applies if the individual/entity/unit holds itself out as providing substance use disorder treatment and actually does provide such services.[8] Similarly, if medical personnel or staff in a general medical facility has the primary function of providing substance use disorder treatment and is identified as providing such services, the program definition is applicable.[9]
The complexity of determining Part 2 program applicability becomes apparent when you consider the multiple scenarios where substance use disorder treatment may occur, especially when considering large medical facilities with emergency room (ER), inpatient, and outpatient services. The Part 2 regulation, as well as the Substance Abuse and Mental Health Services Administration (SAMHSA), has provided several scenarios to help organizations make their own applicability determinations.[10] For example, if an ER provider in a general medical facility makes a referral for substance use disorder treatment, the referral is not subject to Part 2 restrictions unless the ER provider’s primary function is substance use disorder treatment/referrals and is identified as such in the community or the ER, as a unit, has advertised itself as providing such services.[11]
The analysis is the same if an ER provider provides a prescription for a medication to assist in treating substance use disorder. Alternatively, a similar referral or prescription from a private practitioner, rehabilitation program, or medical facility unit that participates in the Medicare program and advertises itself as providing substance use disorder treatment will be subject to Part 2 restrictions and the private practice, program, or unit is considered a qualifying Part 2 program.
Finally, if upon completing the applicability analysis, the determination is that the individual or program does not qualify as a Part 2 program, it is important to recognize that there are still scenarios where the use and disclosure restrictions are applicable. The same use and disclosure restrictions are applicable to any individual or entity that receives patient-identifying records from a Part 2 program.[12] To this end, the regulation requires Part 2 programs to provide a notice of prohibition on re-disclosing substance use disorder treatment information when disclosing such information pursuant to a valid patient consent. (A more detailed discussion on Part 2’s prohibition on re-disclosing applicable records is included below.)
Changes to patient release of information consent forms
The 2017–2018 Part 2 updates make significant changes to the patient consent form requirements. Part 2 included the need for a consent form to permit patients significant control over their substance use disorder treatment record and designation rights regarding how a Part 2 program can use or share the patient’s data. The requirement was originally included as a means to provide patients a high level of confidentiality and control of their information held by the substance use disorder treatment program. In general, a Part 2 release of information consent form should include:
- Patient name,
- Disclosing Part 2 entity/individual (“From Whom”),
- Amount and kind of information to disclose,
- A designation to whom the disclosure should be made (“To Whom”),
- Purpose of the disclosure,
- Statement of revocation,
- Date/event of expiration,
- Patient signature, and
- Date of signature.[13]
More information will be provided below regarding general designations for the From Whom and To Whom section, amount and kind of information, and notice of prohibition of re-disclosure.
General designations
Prior to the 2017–2018 revision, the regulation required that each patient consent designate the specific recipients to whom a Part 2 program could release the patient information prior to the disclosure. However, the patient could provide a general designation for the Part 2 entity/individual from whom the disclosure may be made. The 2017 revisions modified the strict To Whom identification requirement to allow for more flexibility and generality in the designation. This revision was in response to feedback SAMHSA received from multiple Part 2 programs identifying the need for the strict designation requirements to be adjusted for the more integrated healthcare environment that currently exists, compared to when the regulations were first implemented.
The 2017–2018 changes now allow a Part 2 program to permit patients to include a general designation in the To Whom section of the consent form, while also retaining the general designation allowance in the From Whom section of the form. The purpose of the general designation in the To Whom section is a recognition that a patient’s information may freely flow at a future point in time to treating providers unknown to the patient at the time of the designation. SAMHSA has provided guidance that indicates a general designation can be done with wording such as “my treating providers” or “my current and future treating providers.”[14]
The general designation opens the possibility for patient information to be disclosed as part of an HIE or similar types of intermediary patient care information exchanges. In order to disclose the patient information to an exchange, the program must either enter into a qualified service organization agreement with the exchange or have the patient include the exchange on the consent form.[15] The patient information exchange may then further disclose the information to any provider with whom the patient has a treatment relationship without seeking an additional consent from the patient. These updated confidentiality rules allow for greater information flow at the patient’s direction and also align to allow for easier flow of patient information in the modern integrated healthcare environment. However, this new requirement places additional responsibilities on intermediary information entities as well. An intermediary exchange entity, such as an HIE, inherits the same Part 2 requirements to protect the substance use disorder information. This means the exchange may only disclose the patient information, under a general designation, to providers when it can verify a treating relationship with the patient. Unfortunately, guidance does not provide for an acceptable manner in which the relationship should be verified.
Importantly, the use of a general designation in the To Whom section mandates a couple of extra provisions on the Part 2 program; therefore, a Part 2 program is not required to offer patients this general designation option if they are not able to meet the additional requirements. Specifically, if a patient generally designates to whom disclosure may be made, then the patient has a right to a list of disclosures upon request.[16] In fact, a statement regarding the right to a list of disclosures must be included on a consent form if the To Whom general designation is offered.[17] Thus, if a Part 2 program permits a general disclosure, the Part 2 program or intermediary exchange must still identify the recipient of the confidential information and be able to report to whom the disclosure was made to the patient if requested.
The List of Disclosures requirement[18] is different from the HIPAA Accounting of Disclosures under 42 CFR 164.526. The HIPAA Accounting of Disclosures requirement includes exceptions for typical healthcare activity such as treatment, payment, and operations. The Part 2 List of Disclosures requirement does not include those same exceptions: treatment, payment, and operations are not exempt from the list as they are in the HIPAA model. The requirement is applicable to all disclosures of patient information from a Part 2 program made under a general designation. The regulation requires that the list of entities/individuals receiving the information must be maintained for two years and be available to patients at the patient’s request.[19]
To receive a list of disclosures, patients must make the request in writing. The response from the Part 2 program or intermediary exchange is required to include the name of the receiving entity, the date of the disclosure, and a brief description of the information disclosed.[20] Entities electing to use a To Whom general designation under the updated rules should be aware of the additional requirements that come with these new rules, because an entity has only 30 days to respond to the request once the request is received. Accordingly, entities should not disclose information pursuant to a general designation until they have the ability to comply with the List of Disclosures provision.
Amount and kind of information
Patient information release consent forms must also include an explicit description of the substance use disorder information that may be disclosed.[21] If the patient is permitting the substance use disorder treatment information to be shared by the Part 2 entity, the amount and kind of information must be specified on the form. Part 2 entities may now provide a check box option for “all” substance use disorder treatment information to be shared.[22] For entities providing this option, the entity must also provide a place where the patient can specify information in more granular detail, if the patient does not want all treatment information to be shared.[23] If the patient chooses to specify a certain amount of information, the description should include the amount and kind of information to be disclosed, such as diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, elements of a medical record, employment information, living situation and social supports, and claims or encounter data.
Prohibition on re-disclosure notice
Although separate from the consent form itself, a Part 2 program must also accompany disclosures of Part 2 information with a notice prohibiting re-disclosure.[24] The original notice is rather lengthy[25] and, in response to comments from the Part 2 community indicating that certain electronic patient information systems could not accommodate the size of the required re-disclosure notice, SAMHSA now permits an abbreviated notice in the 2018 updates.[26] SAMHSA provided an abbreviated notice option that is less than 80 characters long to fit in standard free-text space within electronic health record (EHR) systems. The abbreviated notice in the Final Rule is significantly shorter than the prior required notice and simply reads “42 CFR Part 2 prohibits unauthorized disclosure of these records.”[27]
Security policies are required for paper and electronic records
Pursuant to the 2017–2018 revisions, Part 2’s security requirement for records now explicitly applies to electronic records. Previously, Part 2 had been silent on the issue of security for electronic records. Whereas HIPAA requires the implementation of administrative, technical, and operational controls to provide for the security of HIPAA protected records, Part 2 previously offered no mandates for electronic records. Thus, it was previously assumed the security of electronic records was implicit in the privacy protection requirements. The changes to Part 2 now explicitly require that Part 2 electronic records be protected through the promulgation of security policies and procedures for each Part 2 program.[28]
Although the requirements for security policies and procedures now directly apply to electronic records covered under Part 2, SAMHSA still did not specify a certain set of security guidelines to follow. It is left to the Part 2 facility to decide which security standards to follow. Healthcare entities already covered under HIPAA are versed in the HIPAA Security Rule and can extend the Security Rule policies and procedures to the Part 2 program. Other types of security frameworks exist that could also be used as long as the general Part 2 security measures are met. NIST 800-53[29] and the Health Information Technology for Economic and Clinical Health (HITECH) Act[30] are comprehensive framework structures that provide a robust set of guidance and standards. Part 2 entities can choose from any of these security frameworks that meet the individual needs of the facility.
In addition to the standard requirement for security policy and procedure, the updated Part 2 security measures specify the need for destruction of records. Both paper and electronic records are required to be destroyed with adequate security protocols to ensure the records’ destruction.[31] For electronic records, procedures should necessitate sanitizing electronic media when discontinuing use of the electronic storage media. Although a specific standard is not required, the implication is that Part 2 facilities are using technical tools and methods to ensure that the Part 2 data is overwritten to prevent the recovery of data from the discarded storage media. Simple deletion of data is not sufficient to protect against recovery of data. Part 2 facilities should look to industry data destruction standards to protect against unintended data recovery.
Conclusion
Despite the attempt to modernize the regulation through the 2017 and 2018 revisions, there are still calls for the regulation to more fully align with HIPAA to allow for easier flow of patient health information for treatment, payment, and healthcare operations purposes. To this end, several bills have been introduced in the House of Representatives and Senate since 2017 to further amend 42 CFR Part 2. On June 21, 2018, the Overdose Prevention and Patient Safety Act, H.R. 6082, was passed by the House of Representatives. As currently drafted, this bill permits disclosure of substance use disorder patient information without written consent for treatment, payment, and healthcare operations pursuant to HIPAA and to a public health authority if de-identified.[32] It also proposes changes to the criminal penalty structure, and expands certain safeguards such as the prohibition on use of these patient records for legal proceedings and prohibition on discrimination due to the release of the records. Therefore, we may have additional changes to 42 CFR Part 2 in the near future.
Takeaways
- 42 CFR Part 2’s purpose is to protect those who seek substance abuse treatment.
- Part 2 programs are subject to use and disclosure restrictions.
- Applicability of Part 2 can be determined through a two-factor test.
- The recent revisions modified Part 2 consent form requirements.
- Part 2 programs and other lawful holders must implement security policies.