In an unusual action, a Supplemental Notice of Proposed Rulemaking (“SNPRM”) accompanied the recent final rule on 42 C.F.R. Part 2 (“Part 2”) governing the confidentiality of certain substance use disorder information. On January 18, 2017, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued the SNPRM seeking public comment on issues either that were not addressed in the final rule or that require further consideration. Comments are due by 5:00 p.m. Eastern Standard Time on February 17, 2017.
Specifically, SAMHSA has proposed provisions: addressing the prohibition on re-disclosure; expanding disclosures permitted with written consent and for audits and evaluations; and shortening notifications to recipients of Part 2 information. These proposals are discussed in greater detail below. For anyone who comes into possession of Part 2 information but is not itself a Part 2 program, such as a third party payor or a health care provider coordinating with a Part 2 program, this SNPRM includes very important potential changes. We encourage clients who potentially handle Part 2 information to comment on the SNPRM, including voicing support where appropriate.
Expanded Disclosures Permitted with Written Consent
SAMHSA seeks comment regarding a proposal that would clarify the circumstances under which disclosures to contractors, subcontractors, and legal representatives of lawful holders of Part 2 information may receive and use Part 2 information for purposes of carrying out the lawful holder’s payment and health care operations activities. Currently, a recipient of Part 2 information, such as a health plan, cannot disclose the information to its subcontractors unless they are identified by name in a patient consent, which often is infeasible or burdensome. SAMHSA proposes to explicitly list and limit the specific types of payment and health care operations activities for which a lawful holder of Part 2 patient information would be allowed to further disclose the information without patient consent. Specifically, SAMHSA proposes that the following would be considered a permissible use or disclosure for payment or health care operations:
- Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data process
- Clinical professional support services (e.g., quality assessment and improvement; initiatives, utilization review and management services)
- Patient safety activities
- Activities pertaining to training of student trainees and health care professionals, assessment of practitioner competencies, assessment of provider or health plan performance, and training of non-health care professionals
- Accreditation, certification, licensing, or credentialing activities
- Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care
- Third-party liability coverage
- Activities related to addressing fraud, waste, and abuse
- Conducting or arranging for medical review, legal services, and auditing functions
- Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies
- Business management and general administrative activities, including, but not limited to, management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations
- Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers
- Resolution of internal grievances
- The sale, transfer, merger, consolidation, or dissolution of an organization
- Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims
- Risk adjusting amounts due based on enrollee health status and demographic characteristics and
- Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
Although these activities are similar to those permitted by HIPAA, they are not identical. Contractors, subcontractors, and legal representatives that would receive data under this proposal would become lawful holders upon receipt of the data and, therefore, would be subject to Part 2. Further disclosures still would require consent.
Additionally, SAMHSA proposes to require that lawful holders of Part 2 information that engage contractors or subcontractors to carry out these payment and health care operations include specific contractual provisions requiring those entities to comply with provisions of Part 2.
SAMHSA seeks comment on whether the proposed listing of explicitly permitted activities identified as payment and health care operations activities is sufficient for the health care industry’s purposes while also promoting patient confidentiality. Moreover, SAMHSA seeks comment on the proper mechanisms to convey the scope of a patient’s consent to lawful holders, contractors, subcontractors, and legal representatives, including those who are downstream recipients of Part 2 information, given current electronic data exchange technical designs.
Audit and Evaluation
Under the recently published final rule, disclosures of patient Part 2 information to accountable care organizations and similar CMS-regulated entities are permissible to carry out Medicaid and Medicare audits and evaluations. In the SNPRM, SAMHSA proposes a provision to clarify that certain contractors, subcontractors, and legal representatives may carry out audit and evaluation activities on behalf of certain CMS–regulated entities, even if the entities themselves are not regulated by CMS.
Statement Prohibiting Re-Disclosure
Under current law, any disclosure of information governed by Part 2, made with the patient’s written consent, must be accompanied with the following statement:
“This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.”
SAMHSA seeks comment on whether an abbreviated, alternative statement prohibiting re-disclosure should be included when making a disclosure. For example, SAMHSA suggests the following, “Data is subject to 42 CFR part 2. Use/disclose in conformance with part 2.”
Unlike the final rule published on January 18, 2017, the SNPRM proposes significantly greater flexibility for entities that frequently interact with Part 2 information but are not themselves Part 2 programs. Part 2 programs, lawful holders of Part 2 information, and downstream entities such as contractors and subcontractors that provide services to Part 2 programs are encouraged to submit comments to SAMHSA by 5:00 p.m. Eastern Standard Time on February 17, 2017.