Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs



March 8, 2016
Health Privacy: Updating Federal Protections for Patient
Records at Substance Abuse Treatment Programs

Protecting Privacy in an Evolving Health System
Medicaid claim with a substance abuse diagnosis or
On February 5, 2016, the Secretary for Health and Human
procedure code.
Services (HHS) announced proposed changes to the federal
regulations that protect the privacy of patient records
CMS took this action to comply with Part 2. While the
maintained by substance abuse treatment programs across
regulations permit the disclosure of Part 2 information for
the country. These regulations, known as Part 2 after their
research purposes, subject to certain conditions, only
location in the Code of Federal Regulations (i.e., 42 C.F.R.
substance abuse program directors may authorize such
Part 2), were first promulgated in 1975 and have not been
disclosures. Third-party payers that receive Part 2 data—
revised substantively since 1987.
including CMS—must abide by the prohibition on
redisclosure. Researchers complain that they have lost
According to the HHS Substance Abuse and Mental Health
access to an important source of data at a particularly
Services Administration (SAMHSA), which administers
challenging time, just as the federal government and states
Part 2, the proposed changes are intended to modernize the
are expanding efforts to combat the abuse of prescription
regulations in the face of significant changes that are taking
opioids and heroin.
place in the U.S. health care system.
According to SAMHSA, the proposed changes to Part 2 are
The Part 2 law and implementing regulations were written
an attempt to update the regulations to facilitate the
at a time when substance abuse treatment was offered
electronic exchange of substance abuse treatment records
primarily by specialty providers. The purpose of the
while at the same time continuing to safeguard sensitive
regulations was to encourage individuals with substance
patient information. Lawmakers in the 114th Congress are
abuse disorders to seek treatment by addressing their
considering legislation in pursuit of similar goals.
concerns about privacy. Substance abusers were reluctant to
get treatment without strong privacy protections. They
More Protective than HIPAA
feared that disclosure of information about their substance
The Part 2 regulations provide more protections for
abuse might lead to prosecution, discrimination by health
substance abuse patient records than do most other federal
insurers, or loss of employment, housing, or child custody.
and state health privacy laws, including the Health
Insurance Portability and Accountability Act (HIPAA).
Under Part 2, substance abuse treatment records may be
disclosed only with the patient’s written consent, pursuant
The HIPAA Privacy Rule applies broadly to identifiable
to a court order, or if the disclosure falls within one of the
health information that is created or received by payers and
few statutory exceptions. Part 2 also places strict limitations
providers of health care. It also applies to the business
on the redisclosure of such records.
associates of these covered entities, with whom information
is shared. Business associates provide specific services
Today, the health care system is embracing new models of
(e.g., claims processing, data management) for covered
integrated care—including accountable care organizations
entities to help them operate and meet their responsibilities
(ACOs) and patient-centered health homes—that rely on
to patients and beneficiaries.
sharing patient information to coordinate care. There is also
a focus on measuring performance and patient outcomes.
The Privacy Rule describes various circumstances under
These efforts, in turn, depend on electronic health records
which covered entities may use or disclose health
(EHRs) and the development of a health information
information. For example, health information may be used
technology infrastructure to support the exchange and use
or disclosed for the purposes of treatment, payment, and
of digital health information.
other health care operations—including case management,
care coordination, and outcomes evaluation—with few
Stakeholders have become increasingly frustrated with the
restrictions. Covered entities must obtain a patient’s written
restrictions that Part 2 places on their ability to share
authorization for any use or disclosure that is not expressly
substance abuse patient records.
permitted or required under the privacy rule.
Researchers, too, have expressed concern about access to
Compared to the HIPAA Privacy Rule, Part 2 is narrower in
patient information protected under Part 2. They were
scope and permits fewer uses and disclosures of patient
especially critical of a decision by the HHS Centers for
information without consent. Part 2 applies only to
Medicare & Medicaid Services (CMS) in late 2013 to begin
federally assisted substance abuse treatment programs.
withholding from research data sets any Medicare or
Most of the nation’s alcohol and drug treatment programs
are covered—more than 12,000 hospitals, outpatient
https://crsreports.congress.gov

Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs
treatment centers, and residential treatment facilities—are
regulations for protecting human research subjects (i.e.,
federally assisted. Part 2 does not apply to general medical
Common Rule, HIPAA Privacy Rule), among other things.
facilities or practices.
Researchers holding Part 2 data would be able to link to
Part 2 restricts the use or disclosure of any patient
identifiable data sets in federal data repositories, provided
information that directly identifies the patient as an alcohol
the project has been subject to Common Rule review to
or drug abuser, or that links the patient to the alcohol or
ensure that patient privacy is protected. SAMHSA is
drug treatment program. Importantly, medical information
seeking public comment on whether to expand this
that does not link the patient to current or past drug abuse,
provision to nonfederal data repositories.
or identify the patient as a participant of a Part 2 program,
is not subject to the Part 2 requirements. While such
In addition, the proposal would require all Part 2 programs
information is not afforded Part 2 protection, it remains
and other lawful holders of Part 2 data to have in place
covered under the HIPAA Privacy Rule.
formal security policies and procedures to safeguard the
data against unauthorized access, use, or disclosure.
Such information may not be disclosed without the patient’s
written consent—including for the purposes of treatment,
SAMHSA decided not to address e-prescribing and state
payment, or other health care operations—except in a
Prescription Drug Monitoring Programs (PDMPs) in its
handful of specified circumstances (e.g., medical
proposal. This is a notable omission given the potential
emergencies, research, audits and evaluations, and pursuant
importance of PDMPs in combatting the abuse and
to a court order). Furthermore, any information disclosed
diversion of prescription opioids and other controlled
with the patient’s consent must include a statement that
substances. PDMPs collect, monitor, and analyze
prohibits further disclosure unless the consent expressly
prescribing and dispensing data that are submitted
permits such disclosure.
electronically by pharmacies and other drug dispensers.
Substance abuse programs typically are subject to both sets
Because of the prohibition on redisclosure, a pharmacy that
of rules—Part 2 and the HIPAA Privacy Rule—unless there
receives an e-prescription from a Part 2 program must
is a conflict, in which case the program must comply with
obtain patient consent to transmit the information to a
the rule that is more protective of patient privacy. That
PDMP. Patient consent is also required for the PDMP to
generally means following the requirements under Part 2.
redisclose that information to others with access to the
PDMP. Pharmacy data systems currently do not have the
Closer Look at the Proposed Changes
ability to manage patient consent or segregate Part 2 from
SAMHSA is seeking public comment on a series of
other prescription data. Consequently, SAMHSA concluded
proposed revisions to Part 2. They include changes to the
that these issues are not yet ripe for rulemaking.
consent form. Currently, the “To Whom” section of the
form must include the name of the specific individual or
The proposed rule was published in the Federal Register on
entity that the information will be disclosed to. This
February 9, 2016. Public comments are due by April 11,
requirement has been criticized by ACOs, health
2016.
information exchanges (HIEs), and other organizations that
have networks of providers who wish to share medical data.
Other Administrative and Legislative Actions
Because of the challenge of managing and updating the Part
HHS in recent years has helped develop and test the Data
2 consent forms whenever new participants join the
Segmentation for Privacy (DS4P) standard for use by EHR
network, substance abuse treatment information is often
systems. DS4P allows providers to tag certain data as
excluded from the health information systems of these
sensitive and express redisclosure limitations and other
organizations.
obligations in electronic form. This enables providers to
protect certain pieces of information that are part of a larger
In response to these concerns, SAMHSA proposes allowing
health record. EHR technology will soon be able to be
the “To Whom” section of the consent form to include not
certified under the national certification program as having
just specific names of individuals or entities that have a
the capability to send and receive patient records formatted
treatment relationship with the consenting patient, but also
in accordance with the DS4P standard.
a general designation of other individuals or entities with
whom Part 2 data may be shared; for example, an ACO or
Lawmakers have introduced legislation to ease some of the
HIE.
limitations on sharing Part 2 data. For example, H.R. 2646
would permit the exchange of information within integrated
SAMHSA also proposes revising the research exception to
care organizations, including ACOs and HIEs. It also would
permit the disclosure of information to qualified researchers
consider the HHS Secretary a program director under Part
by a Part 2 program or any other individual or entity that is
2, rather than a third-party payer, for the purpose of
in lawful possession of Part 2 information. That would
disclosing Part 2 data to qualified researchers.
include third-party payers (e.g., CMS), as well as other
entities (e.g., ACOs, HIEs) that store patient information,
C. Stephen Redhead, Specialist in Health Policy
including Part 2 data, which may be used for research
purposes. To receive the data, researchers would have to
IF10374
document that they are in compliance with federal

https://crsreports.congress.gov

Health Privacy: Updating Federal Protections for Patient Records at Substance Abuse Treatment Programs



Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10374 · VERSION 2 · NEW