The changes set forth in the Substance Use Disorder (SUD) Confidentiality Final Rule may necessitate immediate updates to agreements between the health plan or employer and service providers who receive SUD treatment information.
A final rule issued by the Substance Abuse and Mental Health Service Administration (SAMHSA) in January 2018 implemented new changes to the federal rules governing confidentiality and disclosures of SUD patient records, known as 42 CFR Part 2 or “Part 2.” This SUD Confidentiality Final Rule maintains important patient protections, including consent requirements, and it expands the ways in which patients’ protected substance use disorder information may be shared for purposes of payment or for healthcare operations.
Background to the SUD Confidentiality Final Rule
A recipient of information, such as a health plan or employer that is receiving health information on patients, is allowed to share that information with contractors, sub-contractors, and other third-party vendors, commonly known as business associates, as needed to carry out its operations. Business associates provide services ranging from billing to data retention, and they need to be able to access information in order to help the health care provider perform its work in compliance with the law.
While there are other protections for patient privacy, most notably HIPAA protections, the SUD Confidentiality Final Rule focuses specifically on protecting the privacy of individuals’ SUD treatment. Under the SUD Confidentiality Final Rule, the recipient of a patient’s written consent of such information (known as the “Lawful Holder”) is allowed to disclose said information, without further patient consent, with its contractors, sub-contractors, and legal representatives (collectively known as “third-party vendors”) as necessary to carry out the payment or health care operations. However, a written agreement specifically tailored to the requirements in the SUD Confidentiality Rule must be in place between the entity that holds information on the patient and the third-party vendor that receives the information. The agreement goes above and beyond HIPAA business associate agreement requirements.
Furthermore, these agreements must be in place by February 2, 2020, a deadline that is fast approaching.
Prior to the SUD Confidentiality Final Rule, only Part 2 programs (generally, specialty SUD treatment programs) were permitted to disclose SUD information without patient consent for audits and evaluations. Under the new rule, Lawful Holders may also disclose SUD information for the purpose of certain audits and evaluations. The SUD Confidentiality Final Rule permits information disclosed under Part 2’s audit and evaluation exception to be shared with auditors’ and evaluators’ contractors, sub-contractors, and legal representatives.
Details on Written Agreements with Third Parties
Patients are still required to provide general written consent regarding disclosures of SUD treatment, and this information may only be used in certain ways permitted by the SUD Confidentiality Final Rule. Information on an individual’s SUD treatment may not be used for civil, criminal, administrative, or other judicial or legislative procedure by any government authority. Disclosures are not allowed for activities related to diagnosis, treatment, referral, or care coordination.
The new SUD Confidentiality Final Rule requires a Notice of Prohibition on Re-Disclosure along with written consent forms, though this notice can now be abbreviated to simply state that “42 CFR Part 2 prohibits unauthorized disclosure of these records.” Third-party vendors and other business associates must be required by contract to report any unauthorized uses or disclosure of this information to the Lawful Holder. This written document must also state that the third party is fully bound by Part 2’s provisions regarding SUD information, and the information cannot be released until this documentation is in place and compliant.
The Final Rule impacts any arrangement in which SUD information from a federally assisted Part 2 Program is received, not simply from or to a health or welfare plan. Therefore, areas such as workers’ compensation, disability, or even retirement, could be impacted.
It is extremely important to review the type of information that you receive from participants, employees, and other individuals and entities and ensure that you update your current agreements (such as Business Associate Agreements or other service provider agreements) to include the required language. If you do not currently have an agreement in place, you should enact one immediately.
Penalties for Non-Compliance
Violations of this rule involve civil penalties, though certain willful and malicious failures could lead to criminal charges and SAMHSA has the authority to proceed in both directions. Fines are up to $500 for a first offense, increasing for subsequent offenses to $5,000 per offense.
It is possible in the future that there will be additional rules and guidance as SAMHSA works to align requirements with HIPAA and other legislation. Employers with employees who seek SUD treatment must pay close attention to ensure that their documents align with these rules and that patient privacy is protected.
The Hall Benefits Law team is already working with a number of clients to get compliant with the SUD Confidentiality Final Rules. To learn more about our expertise and the services we offer, call 678-439-6236, or visit the Hall Benefits Law website at