- The Confidentiality of Alcohol and Drug Abuse Patient Records regulations were recently updated and modernized, specifically addressing patient privacy concerns for individuals seeking treatment for a substance abuse disorder.
The changes were issued under a finalized rule from the Department of Health and Human Services (HHS).
Concerns had previously been raised over privacy of records for individuals who may seek treatment for substance abuse. There could be numerous consequences if records were released, including loss of employment, loss of housing, loss of child custody, or discrimination by medical professionals and insurers, according to HHS.
New regulations are meant “to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.”
It has been 29 years since the part 2 regulations were significantly amended, HHS explained in the rule’s executive summary. The policy changes will better align the regulations with “advances in the U.S. health care delivery system while retaining important privacy protections.”
“Over the last 29 years, significant changes have occurred within the U.S. health care system that were not envisioned by the current (1987) regulations, including new models of integrated care that are built on a foundation of information sharing to support coordination of patient care, the development of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement within the health care system,” HHS wrote.
One of the changes included adding a requirement under confidentiality restrictions and safeguards. Upon request now, patients who have a general designation of “To whom” in their consent form, “must be provided a list of entities (referred to as a List of Disclosures) to which their information has been disclosed pursuant to the general designation.”
Part 2 programs and other entities that legally hold identifying patient information are now also required to have “formal policies and procedures addressing security, including sanitization of associated media, for both paper and electronic records.”
The section on re-disclosure of information was also clarified. The Substance Abuse and Mental Health Services Administration (SAMHSA) stated that prohibiting data to be re-disclosed only includes information that would identify, directly or indirectly, an individual who has been diagnosed, treated, or referred for treatment for a substance use disorder.
This would include through standard medical codes and/or descriptive language. Other health information, shared by the part 2 program could be re-disclosed if it is allowed under other applicable laws.
In general, public comments were in favor of the proposed final rule. In particular, commenters stated that they supported how the rule focused on preserving substance use disorder patients’ confidentiality rights, while still facilitating health information sharing.
In response to certain comments, SAMHSA reiterated that part 2 now has more “stringent federal protections” than health data privacy laws, including HIPAA.
Other commenters raised concerns over finding the right balance between patient privacy and information exchange.
“Some commenters suggested that patient confidentiality should not be compromised by any updates to the part 2 regulations, reasoning that the stigma associated with having or having had a substance use disorder and the fear that this information may be used against an individual would lead them to not seek treatment,” the Rule read. “To this end, a few of these commenters cautioned SAMHSA to remain diligent in the oversight of these regulations to ensure that the information is only being conveyed to the appropriate parties with the sole intent to improve patient care.”
Furthermore, commenters maintained that part 2 should better align with HIPAA regulations. This could help find the right balance between sharing patient data without sacrificing patient privacy.
For example, business associate agreements, patient-requested restrictions on disclosure, and de-identification standards could all be incorporated from HIPAA.
“In response to comments about alignment of this regulation with HIPAA, SAMHSA has aligned the interpretation the definition of “Patient identifying information” with HIPAA to the extent feasible,” the Rule stated. “In addition, SAMHSA revised Security for records (§ 2.16) to more closely align with HIPAA.”