Healthcare Information Security

Patient Privacy News

AHA Calls for Revisions in Healthcare Data Privacy Rule

AHA suggests that a proposed rule governing the healthcare data privacy of behavioral health information should better align with HIPAA.

By Jacqueline Belliveau

Federal regulation 42 CFR Part 2 (Part 2), a law that governs the healthcare data privacy of behavioral health information, should better align with HIPAA regulations to boost care coordination and health information exchange, according to a recent letter from the American Hospital Association (AHA).

AHA responds to healthcare data privacy regulations

Under Part 2, healthcare providers need written consent to access and share substance abuse and behavioral health information. The law provides strict regulations on how healthcare organizations can use and disclose behavioral health data.

AHA wrote a letter to the Administrator at the Substance Abuse and Mental Health Services Administration (SAMHSA) at HHS urging the organization to withdraw the current proposed revisions to Part 2 and reconsider how HIPAA Rules can be applied to the law.

“Instead, we urge full alignment of the Part 2 regulation with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation as the proper and effective solution to eliminating the existing barriers to the sharing of patient information essential for care coordination, compatible with electronic exchange of information and supportive of performance measurement and improvement,” wrote Senior Vice President and General Counsel at AHA Melinda Reid Hatton.

While SAMHSA does not have the authority to rewrite the law, AHA encourages SAMHSA to inform Congress about the data sharing barriers created by Part 2.


“We urge SAMHSA to prioritize efforts aimed at educating Congress about the significant burdens the existing statutory framework imposes for the integration of behavioral health and other medical care and to work directly with them to resolve the statutory conflicts that prevent full alignment of the federal requirements for privacy and confidentiality of health information related to behavioral health with the HIPAA requirements that govern all other patient health information,” explained Hatton.

AHA suggested that HIPAA regulations should become the national standard for protecting healthcare data privacy and security. HIPAA should preempt federal and state laws that regulate the management of healthcare data.

HIPAA provides a better privacy structure for maintaining and advancing robust healthcare information sharing, which promotes care coordination and population health management, reported Hatton.

Under HIPAA regulations, covered entities are allowed to share PHI for treatment, payment, and healthcare operations purposes without acquiring express consent. The requirement under Part 2 for written consent to share healthcare information is a significant burden for healthcare providers.

Healthcare providers would also be able to refer to HIPAA as a healthcare data privacy and security framework. With laws like Part 2, healthcare organizations must navigate the myriad of federal and state laws that regulate how specific healthcare information is used and disclosed.


For example, the separate Part 2 privacy structure isolates behavioral health information from being managed like all other healthcare data. Healthcare providers cannot integrate behavioral and physical healthcare records to provide coordinated care without written consent.

This has become a burden for primary care offices. With more value-based care incentives, the primary care office is becoming the main site of care for all healthcare needs rather than hospital outpatient settings or specialty practices.

AHA calls for the integration of behavioral and physical healthcare records to prevent this barrier. To improve patient outcomes, it is necessary for physicians, like primary care doctors, to access and share all types of healthcare data to make more appropriate decisions.

“Moreover, because the requirement to obtain individual patient consents significantly complicates the sharing of important patient information essential for coordinating care and population health improvement, it contributes to higher health care costs for patients with complex health needs, who already are among the highest-cost utilizers in health care,” said Hatton.

Additionally, AHA pointed out that SAMHSA does not carve out general medical facilities and practices from the scope of Part 2 as it proposed.


SAMHSA proposed that general medical facilities and practices do not have to comply with Part 2 privacy and data sharing regulations as long as their primary function is not the provision of substance abuse services and they do not hold themselves out as delivering substance abuse disorder diagnosis, treatment, or referral for treatment.

As noted earlier, more general medical facilities are integrating and coordinating physical and behavioral healthcare. These general medical facilities would still need to comply with Part 2 regulations, explained Hatton.

The healthcare system is evolving to include more care coordination, which calls for more healthcare data sharing.

“Applying the same requirements to all patient information – whether behavioral- or medically-related – would support the appropriate information sharing essential for clinical care coordination and population health improvement in today’s patient care environment, where behavioral and medical health care are integrated to produce the best outcomes for all patients,” said Hatton.

