Posted on: December 1, 2017

Everything you need to know about recent rule changes regarding substance abuse and mental health treatment records.

When a patient signs a consent to give you access to their medical records through a health information exchange (HIE) such as Hixny, you may not be able to see their complete medical records.

That’s because federal regulations set additional requirements for sharing treatment records for substance abuse and mental health issues. The Substance Abuse and Mental Health Services Administration (SAMHSA) has recently updated its rules to accommodate changes in how healthcare is delivered to patients and how medical information can be shared. SAMHSA is part of the U.S. Department of Health and Human Services and works to reduce the impact of substance abuse and mental illness in the United States of America.

The new rules took effect in January 2017. They are intended to make it easier to integrate healthcare services and share medical information while continuing to protect the privacy of patients who have been treated for substance abuse or mental health issues.

This article will help you understand the new rules and how they can affect your medical practice.

What does 42 CFR Part 2 do?

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2) was enacted in 1975 to help remove the stigma that often accompanied treatment for substance abuse or mental health disorders. The intent of the 42 CFR Part 2 was to provide a set of rules that restrict how medical information would be shared so that people who needed treatment for substance abuse would not be deterred by fear of prosecution. The regulations require patient consent for medical disclosures, with only a few possible exceptions.

SAMHSA Part 2 regulations apply to any information that could be used to identify a person who has received treatment for substance abuse or mental health issues, or who could currently have a substance abuse problem.

The 42 CFR Part 2 regulations apply to anyone who has been diagnosed with, received or applied for treatment for alcohol or drug abuse at a federally assisted program. Patient identifying information, which is protected by Part 2, includes name, address, social security number, fingerprints, and photographs or any other identifying materials that could be compared to other publicly available information.

In addition, the regulations limit disclosure only to necessary information. They apply to providers who have received federal funding and who say they provide diagnosis, treatment, or referrals to other treatment providers for substance use disorders.

What changed in January 2017

SAMHSA regulations were updated in January 2017 to reflect changes in how healthcare is now delivered in the United States and how information is shared electronically. Here are some of the changes that were implemented:

  • Any provider who legally holds patient identifying information may now disclose that information to scientific researchers who meet specific regulatory requirements.
  • Researchers may link data they hold with data held in other data repositories if both the researcher and repository meet specific regulatory requirements. This change was designed to encourage research on substance use disorders.
  • Patients may consent to allowing disclosure of their information to providers through health information exchanges, according to the regulations of their state and HIE. If you are part of Hixny, for example, you will need to obtain specific consent from your patients before you can view data that is protected by Part 2. This change is intended to allow patients to share information with their providers and with integrated healthcare systems, yet retain control over who can see their data.
  • Patients who have consented to sharing their data may request a list of who has looked at their medical records.
  • Audit and evaluation procedures determine if an organization meets Centers for Medicare and Medicaid Services (CMS) requirements for a CMS-regulated accountable care organization (ACO) or similar CMS-regulated organizations. This helps ensure that CMS-regulated entities can perform necessary audit and evaluation activities, including financial and quality assurance functions. Hixny is a CMS-regulated Qualified Entity.
How does Part 2 differ from HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) helps protect the privacy of a patient’s medical records by limiting who can see those records and under what circumstances. HIPAA regulations apply to all health plans, health information exchanges or clearinghouses, and healthcare providers, such as physicians and hospitals.

The HIPAA regulations say that a patient’s medical records, or Protected Health Information (PHI), may not be released by the patient’s healthcare provider except under the following circumstances:

  • Submitting claims to the patient’s health plan
  • Coordinating benefits with health plans
  • Communicating with health plans to confirm coverage and eligibility, or check on the status of claims
  • Obtaining referral certification and authorizations from the patient’s health plan
  • Medical emergencies or when necessary for additional medical treatment
  • When the provider believes it is in the patient’s best interest to share information with another provider

The 42 CFR Part 2 regulations have adopted the HIPAA privacy rules listed above but also added additional protections and restrictions on what may be disclosed.

Providers must adhere to both HIPAA and 42 CFR Part 2 regulations to remain fully in compliance.

Does 42 CFR Part 2 ever allow disclosure without consent?

While the HIPAA regulations permit the release of patient information without consent for purposes of treatment or payment, 42 CFR Part 2 is much more restrictive. There are only limited exceptions, such as for medical emergencies or for provider audits and evaluations, when information can be disclosed without patient consent.

Some types of data exchanges can take place without patient authorization as long as patient data is shared only under a qualified service organization agreement (QSOA), or when exchange takes place between a program covered under Part 2 and an organization that controls that program.

A qualified service organization (QSO):

  • Is a provider or organization that provides services to a Part 2 program, such as data processing; bill collecting; dosage preparation; laboratory analyses; or legal, medical, accounting, or other professional services.
  • Has a written agreement with a Part 2 program that says the QSO will adhere to regulations whenever it receives, store, processes or deals with those records in any way. The QSO must also agree to resist any attempt to attain patient records through judicial proceedings except as the Part 2 regulations permit.

The Hixny health information exchange is a qualified service organization.

Who decides when a medical emergency exists?

The determination of a medical emergency is made by the provider who is treating the patient. Any healthcare provider treating a patient whose health is in immediate danger and requires immediate medical care can “break the glass” to get emergency access to a patient’s Part 2 records without their consent. In such a situation, Part 2 regulations allow all the patient’s medical records to be released to the provider. Mental health emergencies may also be sufficient to allow providers to “break the glass.”

How can I get access to a patient’s information that is protected by 42 CFR Part 2?

To access a patient’s medical records that are protected by 42 CFR Part 2, you must be a participating member of a health information exchange such as Hixny. If you are a participating member, you can look at all your patient’s medical records after they have signed a Part 2–compliant consent form.

If your patient has signed a consent form that covers only general medical records, you will not be able to look at any records about substance abuse treatment until they sign a second, specific release. Hixny has consent forms available on its website that cover both general medical records and records protected by Part 2. You can get that consent form here.

You must obtain a signed consent form for your patients, even if they have signed consent forms for other providers. That’s because New York is a consent-to-access state, which means patients must sign individual consent forms for every healthcare provider who they want to have access.

Keep in mind that patients may withdraw their consent at any time by completing a consent withdrawal form.

What makes a consent form Part 2 compliant?

Part 2–compliant consents must be in writing and must include all the following information:

  • The name of the program or person who is permitted to disclose information.
  • The name or title of the person or name of the organization that can receive medical information.
  • The patient’s name.
  • The reason for sharing the treatment records.
  • The amount of type of treatment information that can be shared.
  • The patient’s signature, or the signature of a parent if the patient is a minor.
  • If the patient is deceased or incompetent, the signature of a person, who is legally authorized to give consent.
  • The date the consent is signed.
  • A statement that the consent can be revoked at any time, except when the person or provider who was permitted to share information has already done so.
  • An acknowledgment that the HIE will act according to Substance Abuse Confidentiality regulations.
  • The date, event, or condition when the consent will expire if it has not been previously revoked. This condition must ensure that consent will last no longer than reasonably necessary
Are health information exchanges subject to additional requirements by 42 CFR Part 2?

To collect health information about substance abuse treatment, any HIE must have a Qualified Service Organization Agreement (QSOA) in place with the Part 2 substance abuse program. Hixny has QSOA in place with most Part 2 programs in the Capital Regional of New York state.

In New York, Hixny cannot grant any provider access to a patient’s medical information unless that patient has signed a consent form that allows access only to that provider.

States other than New York may use different types of consent models. In some states, for example, health information exchanges my collect and share a patient’s medical records unless the patient opts out of the exchange. Other states require an HIE to get a patient’s consent to collect information but can share that information without their consent. The consent model used in New York and by Hixny gives the patient the most control over who can and cannot see their medical information.

Regardless of which consent model the HIE uses, it must comply with all requirements of 42 CFR Part 2 when it comes to sharing information about treatment for substance abuse.

Part 2 compliance is up to you

You may find that knowing about your patients’ history of substance abuse treatment can help you provide them with the medical advice and treatment they need. When that is the case, that information is available to you through the Hixny health information exchange. Remember that if any of your patients have been treated for substance abuse issues, you will need to have a signed Part 2 compliant consent form and adhere to all 42 CR Part 2 regulations to help protect your patient’s privacy.

Hixny will be performing extended maintenance beginning Thursday, December 31 through Friday, January 1. During this time, all services
will be impacted and unavailable—including access to the provider portal.