Healthcare Information Security

HIPAA and Compliance News

Congress Urged to Improve Healthcare Data Privacy Rule

The AHA reiterated its call for better alignment between a proposed behavioral healthcare data privacy rule and HIPAA regulations.

By Elizabeth Snell

The current healthcare data privacy laws of 42 CFR Part 2 (Part 2), which discuss the confidentiality of drug and alcohol treatment and prevention records, need to better align with HIPAA regulations, according to the American Hospital Association (AHA).

Congress urged to reconsider healthcare data privacy rule, HIPAA regulations

In a letter to members of Congress, the AHA urged them to set requirements that limit the use and disclosure of patient substance abuse records from certain substance abuse programs. Moreover, having patients submit multiple consent forms is “challenging and creates barriers to whole-person, integrated approaches to care, which are part of our current health care framework.”

“Part 2 regulations may lead to a doctor treating a patient and writing prescriptions for opioid pain medication for that individual without knowing the person has a substance use disorder,” the AHA explained. “Separation of substance use from the rest of medicine creates several problems and hinders patients from receiving safe, effective, high quality substance use treatment and whole-person care.”

While the recently proposed rulemaking from the Substance Abuse and Mental Health Services Administration (SAMHSA) are a step in the right direction, the AHA maintained that it does not go far enough.

Specifically, Part 2 requirements need to be designed more similarly to HIPAA regulations when it comes to the use and disclosure of patient information for treatment, payment, and healthcare operations. This way, providers and organizations involved in patient treatment can have access to a complete medical record.

“Without access to a complete record, providers cannot properly treat the whole person and may, unknowingly, endanger a person’s recovery and his or her life. For example, a medical doctor in primary care may not know that he or she is prescribing pain medication to someone with a history of addiction. Harmonization of Part 2 with HIPAA would also increase care coordination and integration among treating providers and other entities in communities across the nation.”

The HIPAA Privacy Rule explains that a covered entity is permitted – but not required – to use and disclose PHI without the patient’s consent in the following situations:

  • To the Individual (unless required for access or accounting of disclosures);
  • Treatment, Payment, and Health Care Operations;
  • Opportunity to Agree or Object;
  • Incident to an otherwise permitted use and disclosure;
  • Public Interest and Benefit Activities;
  • Limited Data Set for the purposes of research, public health or health care operations.

Without the proposed changes, patients could potentially face increased safety risks as providers may not know the extend of their records. As the nation currently faces an “opioid epidemic,” it is especially critical to patient safety that providers understand the full gamut of individuals’ records.

The reform is also necessary in part because Part 2 was first introduced in the 1970s, when not many patients with substance abuse disorders were actually treated with addiction treatment medication because there were only two options at the time.

“Today, there are three FDA-approved treatments for opioid addiction and three for alcohol dependence,” the AHA wrote. “With approximately two million individuals currently receiving these addiction treatment medications, there is a significant risk for drug interactions.”

The AHA also said that it supported the decision to prevent Part 2 information from being disclosed to law enforcement, employers, divorce attorneys, and anyone else who wants to use the data against the patient, if the situation is not treatment-related.

With the exception of treatment, payment, healthcare operations, this information must be kept secure.

“We do not want consumers to be made vulnerable as a result of seeking treatment for a substance use disorder,” the letter stated.

The letter to members of Congress is very similar to one the AHA wrote last month to SAMHSA, urging it to withdraw the proposed Part 2 until HIPAA regulations had been properly considered.

“We urge SAMHSA to prioritize efforts aimed at educating Congress about the significant burdens the existing statutory framework imposes for the integration of behavioral health and other medical care and to work directly with them to resolve the statutory conflicts that prevent full alignment of the federal requirements for privacy and confidentiality of health information related to behavioral health with the HIPAA requirements that govern all other patient health information,” the AHA wrote to SAMHSA.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks