SAMHSA Issues Final Rule Updating Substance Abuse Confidentiality Regulations

The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), has finalized proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, aimed at supporting payment and healthcare operations activities while protecting the confidentiality of patients.

The finalized rule, posted to the Federal Register on Tuesday, January 3, 2018, builds on changes to 42 CFR Part 2 made last year. In a final rule published last January, SAMHSA updated 42 CFR Part 2 rules by allowing patients to provide a general disclosure for substance abuse information, rather than limiting authorization to a specific provider.

The Confidentiality of Substance Use Disorder Patient Records, 42 Code of Federal Regulations Part 2 (Part 2) protects the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient records that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research. Under Part 2, a federally assisted substance use disorder program may only release patient identifying information with the individual's written consent, pursuant to a court order, or under a few limited exceptions.

The 42 CFR Part 2 regulations previously required the patient to consent every time their data was shared or accessed, which health information exchanges (HIEs) and healthcare organizations found difficult to implement. The final rule will permit healthcare providers, with patients' consent, to more easily conduct such activities as quality improvement, claims management, patient safety, training, and program integrity efforts.

Major provisions of the final rule include:

• Additional disclosures of patient identifying information are permitted, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities.
• Additional disclosures of patient identifying information are permitted to certain contractors, subcontractors, and legal representatives for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.
• Users of electronic health records (EHRs) are permitted to use of an abbreviated notice of prohibition on re-disclosure that is more easily accommodated in EHR text fields.