Although it has been nearly 30 years since the addiction treatment disclosure rules of Title 42 CFR, Part 2 have undergone change, the climate of gathering, sharing and protecting data has been anything but static. Proposed rule modifications are now in development, and they will require the careful attention of providers.
As you know, Title 42 CFR, Part 2 limits certain disclosures regarding addiction treatment without the treated individual’s written consent. However, for-profit programs and private practitioners that do not receive federal assistance are not subject to the requirements of 42 CFR, Part 2.
On February 9, 2016, the U.S. Department of Health and Human Services (HHS) released proposed rules designed to modify aspects of 42 CFR, Part 2. In the main, these changes would allow providers to share information more freely about an individual who has been diagnosed with or treated for addiction. Although the proposal is extensive and still maintains HIPAA’s requirement that the individual must grant prior consent for the disclosure of his or her personal health information, the new rules would allow treatment programs to obtain a general disclosure consent from the individual—such as the name of a health information exchange or “my treating providers,” rather than requiring the individual to include the name or title of the specific individuals or organizations in a written consent form to which disclosures may be made, as is currently the case.
Additionally, to balance the allowance of more general disclosure consents, the proposed rules require greater specificity in other areas—namely, requirements to identify the program (or other holder of the information) that will be making a disclosure and to explicitly describe the substance use disorder-related information to be disclosed. According to the proposed rules, descriptions such as “all my records” and “only the substance use disorder records my family knows about” are insufficient.
Last, under the proposed rules, a valid written disclosure consent form must contain representations that the individual signing the form understands the terms of the consent and that the individual understands his or her right to obtain an accounting of disclosures made.
Although the proposed rules have yet to be finalized, many addiction treatment providers are asking how to make sure they are in compliance with the current version of 42 CFR, Part 2 and how they might prepare for any upcoming changes.
From a compliance perspective, there are a few key areas to which providers should consider paying close attention:
1. Policies and Procedures – Does your organization have policies and procedures in place concerning information privacy that are specifically tailored to addiction treatment providers and the requirements of 42 CFR, Part 2, as well as HIPAA regulations? Do your policies and procedures reflect state law requirements? Do you have a trusted advisor able to modify your policies and procedures to reflect changes in the law?
Many provider organizations in the addiction treatment space are still using a set of “canned” policies and procedures downloaded from the internet or purchased from an attorney with little knowledge of addiction treatment regulation. This is a recipe for liability. Make sure your policies and procedures are narrowly tailored for your organization’s needs. Cutting corners in this area can lead to violations, fines and penalties.
2. Education and Training – Does your organization effectively train your staff at least annually on how to properly apply your policies and procedures and the requirements of HIPAA? Does the training cover the requirements of 42 CFR, Part 2, or is it just an “off the shelf” version of HIPAA training designed for a general physician’s office? Does your training cover your organization’s state law obligations as well? Do you have a plan in place to modify your staff training to cover the future regulatory changes set forth in the proposed rules?
Failing to properly train employees regarding your policies and procedures substantially increases your compliance risk. Make sure the necessary education is undertaken frequently and with care, and that your training is updated when legal requirements change.
3. Disclosure Authorization Forms and Other Documentation – Does your organization use up-to-date information disclosures and other authorizations? Do these forms comply with HIPAA, 42 CFR, Part 2, as well as state law restrictions? Do you have a means of amending your forms when federal or state laws are modified?
Using dated forms or “canned” versions may save money in the short run but courts disaster in the long run. In many cases, staying in compliance is much more affordable than you might believe and is certainly less expensive than the costs of defense lawyers, fines and penalties.