Operationalizing the Changes to 42 CFR Part 2, Alcohol and Drug Abuse Patient Records

By Aurae Beidler, MHA, RHIA, CHC, CHPS; Carlyn Doyle, MSHI, RHIA, CHPS, HCISPP; and Elisa R. Gorton, MAHSM, RHIA, CHPS, CHC

After thirty years without a substantive change, the Substance Abuse and Mental Health Service Administration (SAMHSA) has issued two final rules to “update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records regulations,”¹ commonly referred to as 42 CFR Part 2, within almost one year of each other. The first rule was issued on January 18, 2017, and the second most recently on January 3, 2018.

The January 2017 final rule focused significantly on updating the regulations to address how to disclose substance use disorder (SUD) patient records in the digital age “to better align them with advances in the U.S. health care delivery system while retaining important privacy protections” for individuals seeking treatment for substance use disorders.²

The final rule dated January 3, 2018 was published in response to the numerous public comments that were received with regard to the disclosure of these sensitive records, specifically “varying interpretations about the restrictions placed on lawful holders and their contractors and subcontractors in the use and disclosure of Part 2-covered data to carry out payment, healthcare operations, and other healthcare related activities.”³ The public comments related to the alignment of 42 CFR Part 2 with the Health Insurance Portability and Accountability Act (HIPAA), redisclosure, disclosure permitted with written consent, and other areas of 42 CFR that impact the confidentiality of SUD records. See the charts on page 29 and 30 for a summary of the major 2017 and 2018 SAMHSA Final Rule changes.

What Do These Changes Mean?

Health information professionals ensure that all patient records are maintained and disclosed in the appropriate manner in accordance with all federal and state regulations and laws. SUD records are held to the highest standards of confidentiality. Therefore, covered entities (healthcare providers) must first determine if they meet the requirements of Part 2 programs.

According to SAMHSA, the term “holds itself out” as included in the chart on page 31 is not defined, but can include:

• State licensing procedures
• Advertising, internet statements, or the posting of notices in offices
• Certifications in addiction medicine
• Listings in a registry
• Any information presented to patients or families
• Or “any activity that would lead one to reasonably conclude that the provider is providing or provides alcohol or drug abuse diagnosis, treatment, or referral for treatment”⁴

The January 2017 final rule and the subsequent January 2018 final rule prompted many organizations to examine their structure under the definition of a Part 2 program to ensure compliance with the changes.

In order to ensure that a covered entity adheres to 42 CFR, the following offers some points to consider:

1. Has your organization identified itself as a Part 2 program? A lawful holder? A qualified service organization?
2. Has your authorization process to disclose SUD information not only been revised but has the staff been appropriately educated on the changes that affect how this information can be disclosed?
3. Does your state have more stringent rules than the new final rules?

Even if an organization is not subject to 42 CFR Part 2, but it receives records from a SUD program through a compliant consent, the information is subject to the 42 CFR Part 2 protections. This means that your organization must implement steps to safeguard the information and prevent redisclosure. This must include educating staff on how to identify if the records received are from an SUD program.

Where to Start with Implementation of These Changes

The implementation of regulations can be a challenge for organizations to operationalize. Many organizations struggle with compliance requirements because they don’t know “how” to do so, or don’t have guidance for operationalizing the requirements. Because of their complexity, HIPAA and 42 CFR Part 2 regulations are especially challenging to implement. This challenge is made even more difficult with the use of electronic healthcare records (EHRs) and the evolving digital environment. While there are many implementation best practices, toolkits, and templates available, there is no one way to implement a process that ensures compliance because every organization conducts business differently.

Regardless of the business model, however, all organizations should consider the following when trying to safeguard information subject to HIPAA and 42 CFR Part 2:

1. Identify which regulations your organization and business units may be required to comply with. If it cannot be clearly defined, initiate the process of analyzing the regulations (HIPAA and 42 CFR Part 2) for each department and work units within your organization. This process consists of conducting an analysis of the programs within your organization to determine if they are subject to HIPAA, 42 CFR Part 2, or both. Healthcare organizations are already aware that they are subject to HIPAA, but often forget to review the functions within their organizations to determine if they have SUD programs or have received information as a lawful holder subject to 42 CFR Part 2. Periodic review of this process within your organization should be done especially as new service lines or agreements are initiated, new business functions are developed, and funding structures may change.
2. Identify which systems could contain SUD records, such as an EHR, legacy system with paper records, or a hybrid system. Organizations subject to HIPAA and 42 CFR Part 2 may have more than one patient record—such as one health record and one SUD record. Develop a data classification system that encompasses basic information governance principles that determine:
   1. What information is collected and by whom
   2. What information is being created
   3. How the information is collected
   4. Where the information is stored or maintained
   5. What is the business workflow and process for creating and collecting this information?

   These are the most important steps when implementing the necessary controls to safeguard protected health information (PHI) and SUD data.

3. Implement safeguards for protecting the information. Organizations subject to HIPAA are already familiar with the HIPAA Security Rule requirements for safeguarding PHI. Unlike HIPAA, however, 42 CFR Part 2 has limited security regulations for protecting SUD information within an electronic environment. The 42 CFR Part 2 Final Rule was intended to incorporate the HITECH Act requirements, but there are still gaps in the recent final rule that failed to address controls for SUD information held by a Part 2 program. The public continues to ask SAMSHA for more alignment with HIPAA—including alignment with the HIPAA Security Rule. SAMHSA has stated that sub-regulatory guidance is forthcoming.
4. Unlike HIPAA, 42 CFR Part 2 requires that the SUD records be segregated within the electronic record. This is an area where organizations struggle and often create two patient records in order to meet the segregation requirements. Some organizations do not accept SUD records or scan them into their system because they do not have the capability of restricting access to the information if the information is inadvertently added into the EHR. However, some EHR systems have the ability to segregate this information from the patient record through functions such as “break the glass” and other features that restrict access to only a strict set of users and roles for accessing the information. Organizations should work with their IT department or EHR vendor to review the functions of their system and determine if this is feasible.
5. Also unlike HIPAA, 42 CFR Part 2 requires the “redisclosure” notice. When a paper SUD record is faxed or sent via mail, the information contains a “redisclosure” notice, typically in the form of a cover sheet identifying the information protected under 42 CFR Part 2. However, when information is printed from an EHR, sent via a health information exchange, or transmitted through Direct Messaging, the message may not contain the “redisclosure” notice or the notice may not be recognizable by the receiving party that the information is subject to the protections of 42 CFR Part 2. Understanding how a system’s “redisclosure” or “alert” notice appears to the receiver and how this notice appears when staff receive information is vital for preventing a SUD disclosure violation. Ask “how does this ‘redisclosure notice’ appear when sending or receiving SUD information electronically?”

   This process also applies to the consent workflow within an EHR. When reviewing the process, it’s important to identify how the consent is captured, how it is identified, who is listed on the consent, and who the information can be disclosed to under a valid consent. One key question—do the staff collecting the consent form know how to verify if the consent for 42 CFR Part 2 is valid? Some organizations subject to 42 CFR Part 2 do not have health information management (HIM) professionals or records departments that process consents or release of information. Often, SUD program staff collect consent forms for SUD patients directly and have not been appropriately trained on the process.

6. Implement policies and procedures for 42 CFR Part 2 information. If you are a hybrid organization subject to HIPAA and 42 CFR Part 2 it may be best to keep these polices separate, but organizations should choose the option that best meets the needs of their business. Policies and procedures are vital for making sure that organizations are taking the necessary steps to ensure compliance. This includes training workforce members on the policies and procedures and ensuring accountability for individuals who fail to comply. Policy should also govern how staff are trained and what action they need to take upon receiving SUD information to further protect this sensitive information.

   Many organizations develop policies that address the “why” but fail to develop operating procedures on “how” the policies are to be carried out. Many incidents, breaches, and compliance violations are attributed to the failure to follow a policy or a procedure. In order to avoid this, it is important to include all of the stakeholders at the onset of policy development so that gaps or barriers to following the policies can be identified.

   Although SAMHSA has published two final rules updating 42 CFR Part 2, sub-regulatory guidance is needed to ensure organizations are compliant with the regulations. Until further guidance is provided, HIM professionals can assist their organizations by analyzing processes and procedures and by reading the regulatory comments provided by the final rules.

Notes

1. Department of Health and Human Services. “Confidentiality of Substance Use Disorder Patient Records.” Federal Register 82, no. 11. (January 18, 2017): 6,052. www.federalregister.gov/documents/2017/01/18/2017-00719/confidentiality-of-substance-use-disorder-patient-records.
2. Department of Health and Human Services. “Confidentiality of Substance Use Disorder Patient Records.” Federal Register 83, no. 2. (January 3, 2018): 239. www.gpo.gov/fdsys/pkg/FR-2018-01-03/pdf/2017-28400.pdf.
3. Bossenbroek, Michael D. “SAMHSA publishes final rule revising 42 CFR Part 2.” Compliance Today. February 2018. www.hcca-info.org/Portals/0/PDFs/Resources/Compliance_Today/0218/ct-2018-02-bossenbroek.pdf.
4. Substance Abuse and Mental Health Services Administration. “Substance Abuse Confidentiality Regulations Frequently Asked Questions.” September 15, 2017. www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.

Aurae Beidler (aurae.beidler@gmail.com) is compliance and privacy officer at Linn County Health Services, based in Albany, OR. Carlyn Doyle (carlyn.doyle@multco.us) is IT security compliance analyst and data protection coordinator at Multnomah County Department of Assets, based in Portland, OR. Elisa R. Gorton (egorton@sbcglobal.net) is an HIM professional based in Shelton, CT.