Skip to content Skip to navigation

SAMHSA, ONC hear, respond to privacy critics

June 24, 2010
by Dennis Grantham, Senior Editor
| Reprints
Feds clarify old privacy law, prepare for new discussions

In a new FAQ document, “Applying the Substance Abuse Confidentiality Regulations to the Health Information Exchange,” SAMHSA and the Office of the National Coordinator (ONC) for Health Information Technology, address recent questions about the applicability of 42 CFR Part 2 in light of healthcare reform and the nation’s vision for interoperable electronic health records.

Concerns about the limitations of 42 CFR Part 2 confidentiality protections, raised by groups including the Patient Protection Coalition, were captured in the article, Confidentiality law: Time for change?, authored by nationally-known privacy advocate Renee Popovits, JD, in the April issue of Behavioral Healthcare magazine.

The 42 CFR Part 2 law and regulations are intended prevent stigma and discrimination by protecting the confidentiality of persons involved in treatment for drug or alcohol abuse. 42 CFR Part 2 restrictions apply to any personally identifiable information (PII) that would, directly or indirectly, “identify a patient as an alcohol or drug abuser” and ban the release of that information, with limited exceptions, without a signed patient consent.

The Q & A document, whose complete text is found at www.samhsa.gov/HealthPrivacy/, affirms that although “the consent requirement is often perceived as a barrier to the electronic exchange of information, it is possible to electronically exchange ... treatment information while meeting the requirements of 42 CFR Part 2.” Other highlights of the document include:

  • Patient consent on a 42 CFR Part 2-compliant consent form is always required for the release of PII associated with the purposes of treatment, payment, or healthcare operations, except in situations of medical emergency or when the Part 2 (treatment) program has entered into a Qualified Service Organization Agreement (QSOA) with an entity that needs the information to provide covered services.
  • Patient consent is required for exchange of PII to or through an HIO regardless of the HIO’s operating model (i.e., opt-in, opt-out, or “no consent”).
  • Patient consent is also required to allow the HIO to “redisclose” PII to other HIO affiliated members. Consent for initial disclosure to an HIO and subsequent redisclosure to HIO affiliates may be obtained using a single 42 CFR Part 2-compliant consent form, provided the consent form specifically lists each affiliated member organization or provider and the purpose of the disclosures remains the same.
  • Patient consent forms do not require an original “wet” signature. Facsimiles, photocopies, or electronic consent forms may be used, provided the Part 2 program, provider, and patient act with “reasonable caution” in their use.

The document also outlines requirements for compliance with 42 CFR Part 2 for medical personnel, HIOs, and Part 2 programs in the event of a medical emergency that requires access to PII in the absence of patient consent. In such an event:

  • Medical personnel:
    - Must “use their professional judgment” to determine that there is an emergency that “poses an immediate threat to the health of any individual and which requires immediate medical intervention.”
    - Must document the “circumstances surrounding the medical disclosure” to the HIO or other vehicle of disclosure in its request for the 42 CFR Part 2 information. Specifically, this involves documenting, in the patient’s electronic record, the name and affiliation of the medical personnel receiving the information and treating the patient, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency.
    - May download and store the PII used to treat the emergency in their own medical records and redisclose it without patient consent to others, provided the redisclosure “is limited to the information necessary to carry out the purpose of the disclosure.”
  • HIOs:
    - Must document, in the patient’s electronic record, the name and affiliation of the medical personnel receiving the information and treating the patient, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency.
    - Must notify the Part 2 program and inform it that a disclosure has occurred. HIOs can automate this notification with data systems that automatically notify and provide the required information to the Part 2 program when a “break the glass” disclosure occurs in a medical emergency.
  • Part 2 programs must:
    - Document, in the patient’s electronic record, the name and affiliation of the medical personnel receiving the information and treating the patient, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency.

Additional discussion about 42 CFR Part 2 will take place on Aug. 4 in a meeting hosted by SAMHSA and ONC. For those unable to participate on Aug. 4, a SAMHSA webcast on the topic is planned, though timing has not been announced.

Topics