SAMHSA final rule addresses permissible disclosures, alignment with HIPAA

The Substance Abuse and Mental Health Services Administration (SAMHSA) released updates to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2). The final rule, 83 FR 239, was released January 2 and published in the Federal Register January 3. It comes almost a year after SAMHSAfinalized the first major overhaul of 42 CFR Part 2 since 1987 and attempt to address disclosures required by CMS audits and disclosures for treatment, payment, and healthcare operations. The final rule also corrects technical errors present in the 2017 update and attempts to provide clarification of certain points. The final rule is effective February 2.

In 2017, SAMHSA published a final rule (82 FR 6052) designed to address changes in the industry. Specifically, the 2017 final rule aimed to bring the regulations into the 21st century by addressing electronic data and new healthcare models that depend on greater information sharing and care coordination. Along with the 2017 final rule, SAMHSA issued a supplemental notice of proposed rulemaking (SNPR) asking for comments on several additional proposals. The additional proposals included:

• Payment and healthcare operations disclosures made to contractors, subcontractors, and legal representatives
• Disclosures made to carry out a Medicaid, Medicare, or Children’s Health Insurance Program audit or evaluation
• Whether an abbreviated notice of the prohibition on re-disclosure should be used and under what circumstances

The January 3 rule finalizes the proposals in the SNPR with some revisions based on public comments.

A number of the comments called for SAMHSA to further modify 42 CFR Part 2 to bring it in alignment with HIPAA. The regulations at 42 CFR Part 2 apply a stricter level of privacy to substance abuse and mental health records than HIPAA. This means that organizations that are required to comply with both HIPAA and 42 CFR Part 2 must implement two separate programs and levels of privacy for patient records. Comments requested that SAMHSA make changes that would allow organizations to implement a uniform privacy and security program as directed by HIPAA. Although the agency attempted to address these concerns in the 2018 final rule, the higher degree of privacy and protection included in 42 CFR Part 2 is at the core of the regulation and is designed to protect individuals from discrimination or legal consequences if the information is improperly disclosed. The agency noted that it plans to continue to explore options for greater alignment with HIPAA and may consider future rulemaking.