March 8, 2016
Health Privacy: Updating Federal Protections for Patient
Records at Substance Abuse Treatment Programs
Protecting Privacy in an Evolving Health System
On February 5, 2016, the Secretary for Health and Human
Services (HHS) announced proposed changes to the federal
regulations that protect the privacy of patient records
maintained by substance abuse treatment programs across
the country. These regulations, known as Part 2 after their
location in the Code of Federal Regulations (i.e., 42 C.F.R.
Part 2), were first promulgated in 1975 and have not been
revised substantively since 1987.
According to the HHS Substance Abuse and Mental Health
Services Administration (SAMHSA), which administers
Part 2, the proposed changes are intended to modernize the
regulations in the face of significant changes that are taking
place in the U.S. health care system.
The Part 2 law and implementing regulations were written
at a time when substance abuse treatment was offered
primarily by specialty providers. The purpose of the
regulations was to encourage individuals with substance
abuse disorders to seek treatment by addressing their
concerns about privacy. Substance abusers were reluctant to
get treatment without strong privacy protections. They
feared that disclosure of information about their substance
abuse might lead to prosecution, discrimination by health
insurers, or loss of employment, housing, or child custody.
Under Part 2, substance abuse treatment records may be
disclosed only with the patient’s written consent, pursuant
to a court order, or if the disclosure falls within one of the
few statutory exceptions. Part 2 also places strict limitations
on the redisclosure of such records.
Today, the health care system is embracing new models of
integrated care—including accountable care organizations
(ACOs) and patient-centered health homes—that rely on
sharing patient information to coordinate care. There is also
a focus on measuring performance and patient outcomes.
These efforts, in turn, depend on electronic health records
(EHRs) and the development of a health information
technology infrastructure to support the exchange and use
of digital health information.
Stakeholders have become increasingly frustrated with the
restrictions that Part 2 places on their ability to share
substance abuse patient records.
Researchers, too, have expressed concern about access to
patient information protected under Part 2. They were
especially critical of a decision by the HHS Centers for
Medicare & Medicaid Services (CMS) in late 2013 to begin
withholding from research data sets any Medicare or
Medicaid claim with a substance abuse diagnosis or
CMS took this action to comply with Part 2. While the
regulations permit the disclosure of Part 2 information for
research purposes, subject to certain conditions, only
substance abuse program directors may authorize such
disclosures. Third-party payers that receive Part 2 data—
including CMS—must abide by the prohibition on
redisclosure. Researchers complain that they have lost
access to an important source of data at a particularly
challenging time, just as the federal government and states
are expanding efforts to combat the abuse of prescription
opioids and heroin.
According to SAMHSA, the proposed changes to Part 2 are
an attempt to update the regulations to facilitate the
electronic exchange of substance abuse treatment records
while at the same time continuing to safeguard sensitive
patient information. Lawmakers in the 114th Congress are
considering legislation in pursuit of similar goals.
More Protective than HIPAA
The Part 2 regulations provide more protections for
substance abuse patient records than do most other federal
and state health privacy laws, including the Health
Insurance Portability and Accountability Act (HIPAA).
The HIPAA Privacy Rule applies broadly to identifiable
health information that is created or received by payers and
providers of health care. It also applies to the business
associates of these covered entities, with whom information
is shared. Business associates provide specific services
(e.g., claims processing, data management) for covered
entities to help them operate and meet their responsibilities
to patients and beneficiaries.
The Privacy Rule describes various circumstances under
which covered entities may use or disclose health
information. For example, health information may be used
or disclosed for the purposes of treatment, payment, and
other health care operations—including case management,
care coordination, and outcomes evaluation—with few
restrictions. Covered entities must obtain a patient’s written
authorization for any use or disclosure that is not expressly
permitted or required under the privacy rule.
Compared to the HIPAA Privacy Rule, Part 2 is narrower in
scope and permits fewer uses and disclosures of patient
information without consent. Part 2 applies only to
federally assisted substance abuse treatment programs.
Most of the nation’s alcohol and drug treatment programs
are covered—more than 12,000 hospitals, outpatient
Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs
treatment centers, and residential treatment facilities—are
federally assisted. Part 2 does not apply to general medical
facilities or practices.
Part 2 restricts the use or disclosure of any patient
information that directly identifies the patient as an alcohol
or drug abuser, or that links the patient to the alcohol or
drug treatment program. Importantly, medical information
that does not link the patient to current or past drug abuse,
or identify the patient as a participant of a Part 2 program,
is not subject to the Part 2 requirements. While such
information is not afforded Part 2 protection, it remains
covered under the HIPAA Privacy Rule.
Such information may not be disclosed without the patient’s
written consent—including for the purposes of treatment,
payment, or other health care operations—except in a
handful of specified circumstances (e.g., medical
emergencies, research, audits and evaluations, and pursuant
to a court order). Furthermore, any information disclosed
with the patient’s consent must include a statement that
prohibits further disclosure unless the consent expressly
permits such disclosure.
Substance abuse programs typically are subject to both sets
of rules—Part 2 and the HIPAA Privacy Rule—unless there
is a conflict, in which case the program must comply with
the rule that is more protective of patient privacy. That
generally means following the requirements under Part 2.
Closer Look at the Proposed Changes
SAMHSA is seeking public comment on a series of
proposed revisions to Part 2. They include changes to the
consent form. Currently, the “To Whom” section of the
form must include the name of the specific individual or
entity that the information will be disclosed to. This
requirement has been criticized by ACOs, health
information exchanges (HIEs), and other organizations that
have networks of providers who wish to share medical data.
Because of the challenge of managing and updating the Part
2 consent forms whenever new participants join the
network, substance abuse treatment information is often
excluded from the health information systems of these
In response to these concerns, SAMHSA proposes allowing
the “To Whom” section of the consent form to include not
just specific names of individuals or entities that have a
treatment relationship with the consenting patient, but also
a general designation of other individuals or entities with
whom Part 2 data may be shared; for example, an ACO or
SAMHSA also proposes revising the research exception to
permit the disclosure of information to qualified researchers
by a Part 2 program or any other individual or entity that is
in lawful possession of Part 2 information. That would
include third-party payers (e.g., CMS), as well as other
entities (e.g., ACOs, HIEs) that store patient information,
including Part 2 data, which may be used for research
purposes. To receive the data, researchers would have to
document that they are in compliance with federal
regulations for protecting human research subjects (i.e.,
Common Rule, HIPAA Privacy Rule), among other things.
Researchers holding Part 2 data would be able to link to
identifiable data sets in federal data repositories, provided
the project has been subject to Common Rule review to
ensure that patient privacy is protected. SAMHSA is
seeking public comment on whether to expand this
provision to nonfederal data repositories.
In addition, the proposal would require all Part 2 programs
and other lawful holders of Part 2 data to have in place
formal security policies and procedures to safeguard the
data against unauthorized access, use, or disclosure.
SAMHSA decided not to address e-prescribing and state
Prescription Drug Monitoring Programs (PDMPs) in its
proposal. This is a notable omission given the potential
importance of PDMPs in combatting the abuse and
diversion of prescription opioids and other controlled
substances. PDMPs collect, monitor, and analyze
prescribing and dispensing data that are submitted
electronically by pharmacies and other drug dispensers.
Because of the prohibition on redisclosure, a pharmacy that
receives an e-prescription from a Part 2 program must
obtain patient consent to transmit the information to a
PDMP. Patient consent is also required for the PDMP to
redisclose that information to others with access to the
PDMP. Pharmacy data systems currently do not have the
ability to manage patient consent or segregate Part 2 from
other prescription data. Consequently, SAMHSA concluded
that these issues are not yet ripe for rulemaking.
The proposed rule was published in the Federal Register on
February 9, 2016. Public comments are due by April 11,
Other Administrative and Legislative Actions
HHS in recent years has helped develop and test the Data
Segmentation for Privacy (DS4P) standard for use by EHR
systems. DS4P allows providers to tag certain data as
sensitive and express redisclosure limitations and other
obligations in electronic form. This enables providers to
protect certain pieces of information that are part of a larger
health record. EHR technology will soon be able to be
certified under the national certification program as having
the capability to send and receive patient records formatted
in accordance with the DS4P standard.
Lawmakers have introduced legislation to ease some of the
limitations on sharing Part 2 data. For example, H.R. 2646
would permit the exchange of information within integrated
care organizations, including ACOs and HIEs. It also would
consider the HHS Secretary a program director under Part
2, rather than a third-party payer, for the purpose of
disclosing Part 2 data to qualified researchers.
C. Stephen Redhead, Specialist in Health Policy
Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10374 · VERSION 2 · NEW