The Department of Health and Human Services (HHS) has released a final rule to update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records regulations effective February 17, 2017.

The new regulations contain special confidentiality restrictions relating to information pertaining to patients receiving treatment for a substance use disorder under a Federal program.  These regulations maintain the core philosophy and confidentiality protections but make changes that are intended to better align the patient privacy protection with advances in the health care delivery system.

The 30-year old regulations of patient records in Federal Alcohol and Drug Abuse programs impeded the ability of patients receiving these services to participate in the benefits from new integrated health care models.  The new regulations are intended to permit these patients to obtain the benefits of integrated delivery systems while, at the same time, protecting the confidentiality traditionally associated with these programs.

Some of the main revisions that were included in the new regulations include:

  • The general restrictions provided by the rule continue to apply to a federally assisted program and holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment.  For example, an identified unit within a general medical facility is subject to the requirements of the regulations if it holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment.
  • For the first time, the restrictions on confidentiality contained in the rule are extended to individuals or entities who receive patient records from other lawful holders of patient identifying information.  Patient records subject to the protection of the regulations now include substance abuse disorder records in the possession of ‘‘other lawful holders of patient identifying information.’’  This is the first time the law has been extended to records held outside of Federal Alcohol and Drug Abuse programs.
  • Upon request, patients who have included a general designation in the ‘‘To Whom’’ section of their consent form must now be provided a list of entities to which their information has been disclosed pursuant to the general designation.
  • Part 2 programs are required to have in place formal policies and procedures addressing security, including sanitization of associated media, for paper and electronic records.  The obligation to maintain such a program is now expanded for the first time to “other lawful holders” of patient identifying information.
  • The required Notice to Patients of Federal Confidentiality Requirements may be provided in either paper or electronic form.  Previous regulations did not clearly permit providing this notice by electronic means.  The new regulations also permit electronic signatures be used when permitted by state law.
  • Technical language changes were made to the consent requirements (§ 2.31).  These language changes should be integrated into policies and procedures.
  • A prohibition on re-disclosure applies to any information that would directly or indirectly identify an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder.  Other health-related information may be shared or re-disclosed if permissible under other applicable laws, for example, HIPAA and applicable state law.
  • The regulations contain an exception that permits disclosure in the case of medical emergencies.  Revisions were made to the medical emergencies exception to make it consistent with the statutory language and to give providers more discretion to determine when a ‘‘bona fide medical emergency’’ exists.
  • The exception that existed in previous regulation relating to certain research activities are revised to permit protected data to be disclosed to qualified personnel for the purpose of conducting scientific research.  In order to take advantage of the exception, the researcher must provide documentation of meeting certain requirements related to other existing protections for human research.
  • Audit and evaluation requirements have been revised in the new regulations to permit an audit or evaluation necessary to meet the requirements of a Centers for Medicare Medicaid Services (CMS) regulated accountable care organization (CMS regulated ACO) or similar CMS regulated organization (including a CMS-regulated Qualified Entity (QE)), under certain conditions.

The above are some of the primary changes contained in the new regulations.  Compliance and/or Privacy professionals should review their existing policies and practices to assure they are consistent with the new regulations.  This is also a good time to perform an overall review of confidentiality restrictions and practices that are applicable to individuals receiving treatment for a substance use disorder.  For the first time, providers (and other individuals) who may be lawful recipients of protected information must make certain they have adopted an effective program to assure protection of such information.

Source: Blue Ink Blog