Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs

March 8, 2016 Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs Protecting Privacy in an Evolving Health System On February 5, 2016, the Secretary for Health and Human Services (HHS) announced proposed changes to the federal regulations that protect the privacy of patient records maintained by substance abuse treatment programs across the country. These regulations, known as Part 2 after their location in the Code of Federal Regulations (i.e., 42 C.F.R. Part 2), were first promulgated in 1975 and have not been revised substantively since 1987. According to the HHS Substance Abuse and Mental Health Services Administration (SAMHSA), which administers Part 2, the proposed changes are intended to modernize the regulations in the face of significant changes that are taking place in the U.S. health care system. The Part 2 law and implementing regulations were written at a time when substance abuse treatment was offered primarily by specialty providers. The purpose of the regulations was to encourage individuals with substance abuse disorders to seek treatment by addressing their concerns about privacy. Substance abusers were reluctant to get treatment without strong privacy protections. They feared that disclosure of information about their substance abuse might lead to prosecution, discrimination by health insurers, or loss of employment, housing, or child custody. Under Part 2, substance abuse treatment records may be disclosed only with the patient’s written consent, pursuant to a court order, or if the disclosure falls within one of the few statutory exceptions. Part 2 also places strict limitations on the redisclosure of such records. Today, the health care system is embracing new models of integrated care—including accountable care organizations (ACOs) and patient-centered health homes—that rely on sharing patient information to coordinate care. There is also a focus on measuring performance and patient outcomes. These efforts, in turn, depend on electronic health records (EHRs) and the development of a health information technology infrastructure to support the exchange and use of digital health information. Stakeholders have become increasingly frustrated with the restrictions that Part 2 places on their ability to share substance abuse patient records. Researchers, too, have expressed concern about access to patient information protected under Part 2. They were especially critical of a decision by the HHS Centers for Medicare & Medicaid Services (CMS) in late 2013 to begin withholding from research data sets any Medicare or Medicaid claim with a substance abuse diagnosis or procedure code. CMS took this action to comply with Part 2. While the regulations permit the disclosure of Part 2 information for research purposes, subject to certain conditions, only substance abuse program directors may authorize such disclosures. Third-party payers that receive Part 2 data— including CMS—must abide by the prohibition on redisclosure. Researchers complain that they have lost access to an important source of data at a particularly challenging time, just as the federal government and states are expanding efforts to combat the abuse of prescription opioids and heroin. According to SAMHSA, the proposed changes to Part 2 are an attempt to update the regulations to facilitate the electronic exchange of substance abuse treatment records while at the same time continuing to safeguard sensitive patient information. Lawmakers in the 114th Congress are considering legislation in pursuit of similar goals. More Protective than HIPAA The Part 2 regulations provide more protections for substance abuse patient records than do most other federal and state health privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule applies broadly to identifiable health information that is created or received by payers and providers of health care. It also applies to the business associates of these covered entities, with whom information is shared. Business associates provide specific services (e.g., claims processing, data management) for covered entities to help them operate and meet their responsibilities to patients and beneficiaries. The Privacy Rule describes various circumstances under which covered entities may use or disclose health information. For example, health information may be used or disclosed for the purposes of treatment, payment, and other health care operations—including case management, care coordination, and outcomes evaluation—with few restrictions. Covered entities must obtain a patient’s written authorization for any use or disclosure that is not expressly permitted or required under the privacy rule. Compared to the HIPAA Privacy Rule, Part 2 is narrower in scope and permits fewer uses and disclosures of patient information without consent. Part 2 applies only to federally assisted substance abuse treatment programs. Most of the nation’s alcohol and drug treatment programs are covered—more than 12,000 hospitals, outpatient https://crsreports.congress.gov Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs treatment centers, and residential treatment facilities—are federally assisted. Part 2 does not apply to general medical facilities or practices. Part 2 restricts the use or disclosure of any patient information that directly identifies the patient as an alcohol or drug abuser, or that links the patient to the alcohol or drug treatment program. Importantly, medical information that does not link the patient to current or past drug abuse, or identify the patient as a participant of a Part 2 program, is not subject to the Part 2 requirements. While such information is not afforded Part 2 protection, it remains covered under the HIPAA Privacy Rule. Such information may not be disclosed without the patient’s written consent—including for the purposes of treatment, payment, or other health care operations—except in a handful of specified circumstances (e.g., medical emergencies, research, audits and evaluations, and pursuant to a court order). Furthermore, any information disclosed with the patient’s consent must include a statement that prohibits further disclosure unless the consent expressly permits such disclosure. Substance abuse programs typically are subject to both sets of rules—Part 2 and the HIPAA Privacy Rule—unless there is a conflict, in which case the program must comply with the rule that is more protective of patient privacy. That generally means following the requirements under Part 2. Closer Look at the Proposed Changes SAMHSA is seeking public comment on a series of proposed revisions to Part 2. They include changes to the consent form. Currently, the “To Whom” section of the form must include the name of the specific individual or entity that the information will be disclosed to. This requirement has been criticized by ACOs, health information exchanges (HIEs), and other organizations that have networks of providers who wish to share medical data. Because of the challenge of managing and updating the Part 2 consent forms whenever new participants join the network, substance abuse treatment information is often excluded from the health information systems of these organizations. In response to these concerns, SAMHSA proposes allowing the “To Whom” section of the consent form to include not just specific names of individuals or entities that have a treatment relationship with the consenting patient, but also a general designation of other individuals or entities with whom Part 2 data may be shared; for example, an ACO or HIE. SAMHSA also proposes revising the research exception to permit the disclosure of information to qualified researchers by a Part 2 program or any other individual or entity that is in lawful possession of Part 2 information. That would include third-party payers (e.g., CMS), as well as other entities (e.g., ACOs, HIEs) that store patient information, including Part 2 data, which may be used for research purposes. To receive the data, researchers would have to document that they are in compliance with federal regulations for protecting human research subjects (i.e., Common Rule, HIPAA Privacy Rule), among other things. Researchers holding Part 2 data would be able to link to identifiable data sets in federal data repositories, provided the project has been subject to Common Rule review to ensure that patient privacy is protected. SAMHSA is seeking public comment on whether to expand this provision to nonfederal data repositories. In addition, the proposal would require all Part 2 programs and other lawful holders of Part 2 data to have in place formal security policies and procedures to safeguard the data against unauthorized access, use, or disclosure. SAMHSA decided not to address e-prescribing and state Prescription Drug Monitoring Programs (PDMPs) in its proposal. This is a notable omission given the potential importance of PDMPs in combatting the abuse and diversion of prescription opioids and other controlled substances. PDMPs collect, monitor, and analyze prescribing and dispensing data that are submitted electronically by pharmacies and other drug dispensers. Because of the prohibition on redisclosure, a pharmacy that receives an e-prescription from a Part 2 program must obtain patient consent to transmit the information to a PDMP. Patient consent is also required for the PDMP to redisclose that information to others with access to the PDMP. Pharmacy data systems currently do not have the ability to manage patient consent or segregate Part 2 from other prescription data. Consequently, SAMHSA concluded that these issues are not yet ripe for rulemaking. The proposed rule was published in the Federal Register on February 9, 2016. Public comments are due by April 11, 2016. Other Administrative and Legislative Actions HHS in recent years has helped develop and test the Data Segmentation for Privacy (DS4P) standard for use by EHR systems. DS4P allows providers to tag certain data as sensitive and express redisclosure limitations and other obligations in electronic form. This enables providers to protect certain pieces of information that are part of a larger health record. EHR technology will soon be able to be certified under the national certification program as having the capability to send and receive patient records formatted in accordance with the DS4P standard. Lawmakers have introduced legislation to ease some of the limitations on sharing Part 2 data. For example, H.R. 2646 would permit the exchange of information within integrated care organizations, including ACOs and HIEs. It also would consider the HHS Secretary a program director under Part 2, rather than a third-party payer, for the purpose of disclosing Part 2 data to qualified researchers. C. Stephen Redhead, Specialist in Health Policy https://crsreports.congress.gov IF10374 Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs Disclaimer This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material. https://crsreports.congress.gov | IF10374 · VERSION 2 · NEW