SAMHSA’s Balancing Act in Its 2019 Proposed Rulemaking: Weighing the Benefits of Enhanced Technology Against the Risks of Breach - Can 42 C.F.R. Part 2 Really Be Modernized?

For the third time in as many years, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) [1] has proposed revisions to the Confidentiality of Substance Use Disorder Patient Records regulations at 42 C.F.R. Part 2 (“Part 2”). [2] Specifically, SAMHSA issued a Notice of Proposed Rulemaking (“2019 NPRM”) on August 26, 2019, in an effort to continue aligning Part 2 with advances in the delivery of health care and the complexities of health information technology and to reduce regulatory burden, while retaining important privacy protections for patients. Comments on the 2019 NPRM are due by October 25, 2019.

Overview of Proposed Changes
Part 2 governs the use and disclosure of certain substance use disorder (“SUD”) records and has been the subject of significant scrutiny in the wake of a national opioid epidemic that has caused “catastrophic impact on individuals, families, and caregivers, and corresponding clinical and safety challenges for providers.” [3] As with almost all of SAMHSA’s recent commentary related to Part 2, SAMHSA emphasizes in the 2019 NPRM the “constraints of the [Part 2] statute,” which requires patient authorization for all disclosures—with very limited exceptions—and, according to SAMHSA, prohibits fully aligning Part 2 with the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule at 45 C.F.R. 164.512(i) (“Privacy Rule”).

Despite these constraints, the 2019 NPRM, SAMHSA believes, better aligns the needs of individuals receiving SUD treatment with the health care providers who treat them, helps facilitate coordinated care, and ensures “appropriate confidentiality protection” for SUD patients receiving treatment at Part 2 programs. [4] SAMHSA accomplishes this through the following proposed revisions:

• Clarifying that a non-Part 2 health care provider’s records are not subject to Part 2, even when related to a SUD and a patient’s treatment at a Part 2 facility, provided the non-Part 2 facility segregates SUD records that it receives from a Part 2 program.
• Allowing non-Part 2 providers with a treating provider relationship with a SUD patient to access Part 2 central registries for the purpose of preventing multiple enrollments and duplicative prescriptions and informing decision-making regarding prescribing opioids and other substances. Part 2 central registries contain information about where patients have applied for SUD withdrawal management or maintenance treatment, and currently, non-Part 2 health care providers cannot access this information.
• Permitting Part 2 programs and other lawful holders to disclose dispensing and prescribing data to prescription drug monitoring programs (“PDMPs”) if required by law, with patient consent.
• Proposing to amend Part 2’s consent requirements, for the second time in three years, this time to allow SUD patients to consent to disclosure of their Part 2 information to “a wide range of entities” that do not have a treating provider relationship, without naming a specific individual receiving the information on behalf of the entity.
• Making explicit that the general designation option for future consent to treating providers is limited to disclosures made to health information exchanges (“HIEs”) and research institutions.
• Revising the exception for disclosures for a “bona fide medical emergency” to include disclosures made in connection with natural or major disasters, as declared by state or federal authorities, when a Part 2 program is closed and unable to provide services, until such time as the Part 2 program resumes operations.
• Relocating from the Preamble to the regulatory text the non-exhaustive illustrative list of types of activities where a lawful holder who receives records pursuant to the terms of a written consent for health care operations and payment is permitted to re-disclose such records to its contractors, subcontractors, or legal representatives.
• Amending the “Research” and “Audit and Evaluation” exceptions for obtaining written consent, including providing a non-exhaustive list of activities that constitute audit and evaluation activities.
• Revising SAMHSA policies regarding “Orders Authorizing Use of Undercover Agents” and informants, to clarify the permitted timeframe for placement of undercover agents and informants pursuant to a court order.
• Providing new guidance regarding Part 2 employees’ personal devices (e.g., cell phones), clarifying that as long as personal devices are not used in the regular course of Part 2 program business, they are not subject to Part 2 sanitization requirements.

We provide a more detailed description of the changes proposed by the 2019 NPRM, along with our analysis where applicable, below.

Detail About the 2019 NPRM Proposed Changes

Clarification of Part 2’s Applicability
SAMHSA proposes to amend the applicability provision at 42 C.F.R. § 2.12 to make clear that a non-Part 2 health care provider’s recording of information about a SUD and a patient’s treatment at a Part 2 facility does not, by itself, cause the non-Part 2 recording to be subject to Part 2, provided the non-Part 2 facility segregates SUD records that it receives from a Part 2 program. SAMHSA makes corresponding revisions to the definition of “Records” at § 2.11 and to the “Prohibition on Re-disclosure” language at § 2.32. This additional language appears to be a clarification only, as the purpose and intent of Part 2 was never to govern non-Part 2 communications between patients and their non-Part 2 health care providers, notwithstanding that those communications referenced or otherwise touched upon Part 2 treatment. In any event, this clarification furthers the ability for health care providers to coordinate care for patients receiving SUD treatment.

New Flexibilities and New Constraints in Written Consent Requirements
A patient’s written consent to a disclosure of Part 2 records must include a number of elements contained at 42 C.F.R. § 2.31. Some of these requirements vary based on “to whom” the disclosure is to be made. In particular, for disclosures to an entity that does not have a treating provider relationship with the patient whose information is being disclosed and is not a third-party payor, § 2.31(a)(4)(i) currently requires the patient’s authorization to include the name of the “individual(s) to whom a disclosure is to be made.”

In the proposed rule, SAMHSA acknowledges that there are a number of government and non-governmental entities that are not treating providers, yet request identifiable Part 2 program data to establish eligibility for non-medical services or benefits. In these situations, SAMHSA notes that many of these programs may not be able to identify a specific individual employee who will receive the identifiable information. Accordingly, SAMHSA proposes to amend the structure of § 2.31(a)(4) to allow the “to whom” section to include either the name of an individual or the name of an entity that will obtain the information, even in non-treating provider situations. [5] This can also help facilitate data sharing among health care organizations.

However, SAMHSA also proposes a change to the “to whom” section that appears to add a new potential regulatory hurdle to care coordination. SAMHSA proposes to revise the current rules regarding when a consent form can use a “general designation” of a class of entities in the “to whom” section, explicitly permitted pursuant to earlier Part 2 rule changes finalized in 2017 (the “2017 Final Rule”). [6] Currently, a consent form can name a non-treating provider in the “to whom” section and then also include a general designation of a class of entities, which is limited to entities that have a treating provider relationship with the patient, to whom the named non-treating provider entity can further disclose the Part 2 records. As currently written, the rules provide two examples of non-treating entities that can use the general designation option: research institutions and entities that facilitate the exchange of health information. Under the proposed rule, however, the general designation option would be explicitly limited to these two types of entities. [7] While these two types of entities likely cover much of the waterfront of organizations that would wish to use the general designation option, it may create some data sharing complexities among affiliated providers where there is not a formal HIE process in place.

Keeping Non-Part 2 Program Records From Being Subject to Re-disclosure Requirements
Part 2 prohibits the re-disclosure of Part 2 records by individuals or entities that receive such records from a Part 2 program or other lawful holder, except as otherwise permitted by the Part 2 rules. As the re-disclosure prohibition is currently drafted, there has been some confusion and concern by non-Part 2 providers about how this rule applies to records generated by the non-Part 2 program provider, when that provider may also have records about that individual it obtained from a Part 2 program. Accordingly, SAMHSA is proposing to modify the rule at 42 C.F.R. § 2.32 to clarify that, as long as a non-Part 2 program provider segregates any specific SUD records it receives from a Part 2 program, any further records the provider generates related to SUD and its treatment for that individual are not subject to the Part 2 re-disclosure restrictions. [8]

Flexibility to Disclose Part 2 Records in Response to the Opioid Crisis
SAMHSA proposed two changes specifically aimed at the opioid crisis and the reality that a greater number of entities need access to Part 2 records to ensure patient safety.

• First, SAMHSA proposes to allow all providers that have a treating relationship with a patient to access Part 2 central registry databases to determine whether that patient is enrolled in a SUD withdrawal management or treatment program, even if a provider is not an opioid treatment program (“OTP”). The reasoning behind this change is SAMHSA’s acknowledgement that central registry information is valuable to non-OTPs in making determinations about what prescription drugs are appropriate for their patients. As described by SAMHSA in the proposed rule, this access by non-OTPs can “prevent duplicative enrollments and prescriptions for excessive opioids, as well as … prevent any adverse effects that may occur as a result of drug interactions with other needed medications.” [9]
• Second, the proposed rule would allow disclosures of Part 2 records to state PDMPs that are set up to collect, analyze, and make available prescription data on controlled substances prescribed by practitioners and non-hospital pharmacies. [10] Current SAMHSA policy is that OTPs cannot disclose patient identifying information to a PDMP unless an exception under the Part 2 rules applies. SAMHSA decided to change this policy in light of the opioid crisis and proposes to add a new § 2.36 to permit OTPs and other lawful holders of Part 2 data to report to state PDMPs when dispensing medications, provided that patient written consent is obtained. [11]

Expanding “Medical Emergencies” to Include Major or Natural Disasters
Currently, Part 2 allows disclosure of SUD records without patient consent in a “bona fide medical emergency,” which, although not defined, generally refers to an immediately life-threatening condition, such as heart attack, stroke, or overdose, in which it is infeasible to seek the individual’s consent to the release of relevant SUD records. The 2019 NPRM proposes to include as a “bona fide medical emergency” major and natural disasters declared by state or federal authorities, when access to or operation of SUD treatment facilities may be disrupted. SAMHSA noted that “the disclosure requirements of 42 C.F.R. Part 2 may be too burdensome in these instances,” in part because normal operating policies and procedures for obtaining consent may not be operational and, further, the inability of SUD patients’ providers to access Part 2 records could constitute or lead to a medical emergency. [12] Accordingly, SAMHSA proposes to include natural and major disasters within the definition of medical emergencies, for which there would be an exception to the requirement for consent to disclosure of Part 2 records. SAMHSA reiterated, however, that consent should be obtained where feasible, but expedient, appropriate care should be the priority. The exception would apply when a state or federal authority declares a state of emergency because of a disaster and the Part 2 Program is closed and unable to provide services or obtain the informed consent of the patient; the exception would immediately be lifted once the Part 2 program resumes operations.

Disclosures With Consent: Clarification Regarding Lawful Holders’ Disclosures for “Payment” and “Health Care Operations”
Earlier Part 2 changes published on January 3, 3018 (the “2018 Final Rule”), in recognition of the complexities of health care operations, clarified the scope and requirements for permitted disclosures by a lawful holder (as defined by the rule) to its contractors, subcontractors, and legal representatives for payment and health care operations purposes. [13] Acknowledging that “changes occurring in the health care payment and delivery system could rapidly render any list of activities included in the regulatory text outdated,” SAMHSA did not include its list of examples of health care payment and operations activities in the regulatory text; instead, it included the list in the preamble to the 2018 Final Rule, stating they were illustrative of the types of disclosures that would fit the exception. [14] SAMHSA intended that other “appropriate payment and health care operations activities” would be permitted as the health care system continues to evolve. [15] However, since publishing the 2018 Final Rule, SAMHSA learned that including a list of illustrative examples in the preamble “did not fully clarify the circumstances under which Part 2 information could be further disclosed.” Thus, to clear up any confusion, SAMHSA proposes to amend Part 2 to include in the regulatory text the illustrative list of permissible activities that previously was contained in the preamble. Because SAMHSA wishes to make clear that it does not intend for the list to be exhaustive, it is also proposing to add to the end of the list “other payment/health care operations activities not expressly prohibited.” SAMHSA also reemphasizes that it does not intend activities related to the patient’s diagnosis, treatment, or referral for treatment to be included within the meaning of “payment” and “health care operations,” and disclosures to contractors, subcontractors, and legal representatives for such purposes, including care coordination and case management, are not permitted. SAMHSA reiterates that the purpose of Part 2 is to give patients a choice in disclosing Part 2 information to health care providers and can do so pursuant to the consent requirement. Moreover, SAMHSA states that “several of the proposals to revise other sections of part 2 in this rule-making will help to facilitate coordination of care.” [16]

Disclosures Without Consent: Changes and Clarification to Disclosures for Research, Audit, and Evaluation Purposes
SAMHSA proposes a few small changes to § 2.52 that will expand the scope of permissible disclosures for research. First, research disclosures of Part 2 data would be permitted from a HIPAA-covered entity or business associate to an individual or organization that is not a HIPAA-covered entity or subject to the Federal Policy for the Protection of Human Subjects (the “Common Rule”), as long as any disclosure otherwise satisfies and is subject to the Privacy Rule. [17] SAMHSA also proposes to expand the scope of permissible research disclosures to entities covered by FDA regulations for the protection of human subjects in clinical investigation, as well as to members of the workforce of a HIPAA-covered entity for the purpose of employer-sponsored research, when all such research is subject to either Privacy Rule or Common Rule requirements. [18]

SAMHSA also proposes to add additional clarity regarding the scope of permissible disclosures under § 2.53 for audit and evaluation purposes. Specifically, SAMHSA proposes to add a non-exhaustive list of the following activities that are deemed to constitute audit and evaluation activities:

(A) Periodic activities to identify actions that a government agency or third-party payor entity can take to:

(i) update policies or procedures to improve patient care and outcomes across part 2 programs;

(ii) target limited resources more effectively; or

(iii) determine the need for adjustment to payment policies for the care of patients with SUDs.

(B) Reviews of appropriateness of medical care, medical necessity, or utilization of services. [19]

The proposed revisions would also explicitly provide that auditors can include any entities with direct administrative control over the Part 2 program or lawful holder. [20]

Use of Undercover Agents and Informants
Pursuant to § 2.67, a law enforcement or prosecutorial agency that has reason to believe that employees or agents of the Part 2 program are engaged in criminal misconduct can obtain a court order to authorize the use of an undercover agent or informant in a Part 2 program. Under the current rules, the total period of the placement authorized can be no longer than six months. Under the proposed rule, SAMHSA proposes to extend the period for court-ordered placements of undercover agents or informants to 12 months, authorize a court to extend the period of placement through the issuance of a subsequent order, and clarify that the “period of placement” starts at the time the undercover agent is placed, or an informant is identified, in the Part 2 program. [21]

Guidance on Applicability of Part 2 Requirements to Personal Devices
The 2019 NPRM preamble also separately contains guidance from SAMHSA on how employees, volunteers, and trainees of Part 2 facilities should address communications that involve personal devices and accounts, such as a text from a patient to an employee’s personal phone. Although the Part 2 regulations at § 2.19 require a discontinued Part 2 program to sanitize and dispose all electronic patient records within one year of discontinuation, SAMHSA clarified that this requirement is not intended to reach a Part 2 employee’s personal device. Instead, SAMHSA states that these devices not used in the ordinary course of the Part 2 business would not be part of the Part 2 program and not subject to sanitizing requirements. However, SAMHSA emphasizes that an employee should immediately delete Part 2 information sent to a personal account and only respond using a personal device if required to protect the best interest of the patient. [22]

Conclusion
Although SAMHSA reiterates its belief that it remains constrained by statute to align Part 2 regulations with the HIPAA Privacy Rule, these proposed changes would bring several meaningful changes aimed to help smooth some of the more problematic edges of the Part 2 regulations that create barriers to care coordination. At the same time, Part 2 remains an area of interest for future legislative changes that could allow SAMHSA greater statutory authority to make changes that are more sweeping. At the center of that debate is mixed opinion from stakeholders on striking a balance between protecting the privacy of a vulnerable patient population and the importance of prescription monitoring and care coordination to address the current crisis and provide high quality care to patients.

K&L Gates will continue to monitor the development of this proposed rule, any legislative developments, and industry reaction and comment, and will provide updates as SAMHSA moves to finalize these changes.

NOTES:

[1] SAMHSA is the federal agency that implements and enforces Part 2; see https://www.samhsa.gov/.
[2] SAMHSA, Confidentiality of Substance Use Disorder Patient Records, Notice of Proposed Rulemaking, 84 Fed. Reg. 44,568 (Aug. 26, 2019).
[3] Id.
[4] Id.
[5] Id. at 44,574.
[6] 82 Fed. Reg. 6052 (Jan. 18, 2017).
[7] 84 Fed. Reg. at 44,574.
[8] Id.
[9] Id. at 44,575–76.
[10] Id. at 44,576–77.
[11] Id.
[12] Id. at 44,577.
[13] 83 Fed. Reg. 239 (Jan. 3, 2018).
[14] Id. at 243.
[15] Id. at 241.
[16] 84 Fed. Reg at 44,575.
[17] Id. at 44,578
[18] Id.
[19] Id. at 44,578–80.
[20] Id.
[21] Id. at 44,580–81.
[22] Id. at 44,570–71.