New Privacy Rules for Substance Abuse Complicate HIPAA Compliance

Patients seeking treatment for substance abuse are afforded special privacy protections under a rule that went into effect in 2017: Is your hospital prepared to comply with this complicated new regulation?

The rule for Confidentiality of Substance Use Disorder Patient Records—42 CFR Part 2—requires that anyone providing treatment to patients with a substance use disorder, including nurses and physicians, as well as staff like risk managers, compliance officers, program directors and health information management staff, need to understand when to report violations, when special consent forms are needed and when a minor can consent to treatment, said Sue Dill Calloway, the president of Patient Safety and Healthcare Consulting and Education. Calloway covers those issues in a conference for ProfEdOnDemand, “Confidentiality of Substance Use Disorder Patient Records: Complying with the New Federal Law 42 CFR Part 2.”

An Updated Law for a New Era of Healthcare

The rule updates regulations that were three decades old and reflects changes in the way the American healthcare system operates—there are new models of care, a focus on performance and digital methods of handling patient information.

But while modern, the new rules present plenty of challenges to those providing treatment to those with substance use disorders, said a pair of healthcare lawyers writing in HealtHITech Law.

“Compliance with many of the existing provisions of (the law) presents numerous operational challenges for substance use disorder treatment providers,” they wrote. “Generally, (the law) prohibits any disclosure of identifiable patient data reflecting substance use treatment without the express written consent from the individual. Complying with this requirement often curtails information exchange, which is critical to continuity of patient care, as well as other legitimate clinical and operational functions.”

In other words, the law could get in the way of quality care, wrote an opinion writer in The Hill.

“In order to operationalize the requirements of 42 CFR part 2, many organizations have had to create two different electronic health records, stratifying care and hindering the early identification and treatment of addiction,” wrote Patricia Maryland, president and CEO of Ascension Healthcare. “For that reason, we support modifications in 42 CFR part 2 to align its requirements with those of HIPAA, thus removing one regulatory barrier.”

Criticism and Support Found for New Law

Plenty of healthcare professionals take issues with 42 CFR Part 2, and do so for a variety of reasons. Writing in Health Affairs, two doctors said the barriers to sharing information present profound challenges for care providers.

“Designed to protect stigmatized patients, ironically this added layer of protection now creates virtual care silos, hinders good medical care and perpetuates stigma in the contemporary era of electronic health records (EHRs), health information exchanges, behavioral health integration and HIPAA privacy protections,” the doctors said, arguing that HIPAA is sufficient, and adding that the new law “blocks integration of addiction treatment into mainstream medicine.”

Another set of doctors writing for Health Affairs, however, disagreed, saying that the updated protections are needed to protect patients with substance abuse disorders who “still face enormous consequences associated with disclosure, including loss of employment, loss of housing, loss of child custody, loss of benefits, discrimination by medical professionals and even arrest, prosecution and incarceration. As our country faces an unprecedented epidemic of opioid addiction and overdose, we must ensure that fear of discrimination does not deter people from seeking treatment.”

Resources Available to Keep You Legal

The Department of Health & Human Services (HHS) has resources for facilities navigating HIPAA and 42 CFR Part 2. The Substance Abuse and Mental Health Services Administration (SAMHSA) also has an FAQ section.

“It is very challenging for providers—that means every front-line person with family contact—to know when, and when not, to share sensitive patient information with family members,” Kate Borten, president of privacy and security consulting firm The Marblehead Group, told Information Security Media Group.

But, noted Justice and Health Connect, don’t be lured into thinking that if you have HIPAA down you are good to go on 42 CFR Part 2 as well. “Unlike HIPPA,” the site said, “Part 2’s consent requirements apply to care providers when disclosures are for purposes of coordinating an individual’s treatment for other health conditions.”

To join the conference or see a replay, order a DVD or transcript, or read more

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

error: Content is protected !!