SAMHSA Public Session to Discuss Part 2 Regulations & HIE

The Part 2 regulations which govern and protect information created by drug and alcohol rehabilitation providers have caused challenges for electronic health information exchange ever since HIE became a household term (....ok, well at least in the homes of the people working tirelessly in this space!)  Tomorrow, SAMHSA (the Substance Abuse and Mental Health Services Administration) is finally taking a hard look at Part 2 to see if the time has come to introduce amendments that align how such information flows in a new world of coordinated care and networked HIE.

I am registered and will participate in the public listening session tomorrow, Wednesday, June 11, 2014 from 9:30-4:30.  The agenda is posted here.  Notice of the public session was previously announced in the Federal Register on May 12, 2014.

Here is a list of identified "issues" with Part 2 that SAMHSA is reviewing:

1. Applicability

Part 2 currently applies to federally funded individuals or entities that “hold themselves out as providing, and provide, alcohol or drug abuse diagnosis, treatment or treatment referral” including units within a general medical facility that hold themselves out as providing diagnosis, treatment or treatment referral (§ 2.11 Definitions, Program). The U.S. health care system is changing and more substance abuse treatment is occurring in general health care and integrated care settings which are typically not covered under the current regulations. It has also posed difficulties for identifying which providers are covered by Part 2; whether a provider or organization is covered by Part 2 can change depending on whether they advertise their substance abuse treatment services (i.e. “hold themselves out”), which can change over time.

SAMHSA is considering options for defining what information is covered under 42 CFR Part 2. Covered information could be defined based on what substance abuse treatment services are provided instead of being defined by the type of facility providing the services. For example, the regulations could be applied to any federally assisted health care provider that provides a patient with specialty substance abuse treatment services. In this scenario, providers would not be covered if they provided only substance abuse screening, brief intervention, or other similar pre-treatment substance abuse services.

  • How would redefining the applicability of 42 CFR Part 2 impact patients, health care provider organizations, HIEs, CCOs, HIT vendors, etc.?
  • Would this change address stakeholder concerns?
  • Would this change raise any new concerns?

2. Consent

SAMHSA has heard a number of concerns from individuals and stakeholders regarding the current consent requirements of 42 CFR Part 2. 42 CFR 2.31 requires the written consent to include the name or title of the individual or the name of the organization to which the disclosure is to be made. This is commonly referred to as the “To Whom” consent requirement. Some stakeholders have reported that this requirement makes it difficult to include programs covered by 42 CFR Part 2 in HIEs, health homes, ACOs and CCOs. These organizations have a large and growing number of member providers and they generally do not have sophisticated consent management capabilities. Currently, a Part 2 compliant consent cannot include future un-named providers which requires the collection of updated consent forms whenever new providers join these organizations. As a result, many of these organizations are currently not including substance abuse treatment information in their systems.

While technical solutions for managing consent collection are possible, SAMHSA is examining the consent requirements in § 2.31 to explore options for facilitating the flow of information within the health care context while ensuring the patient is fully informed and the necessary protections are in place. Specifically, we are analyzing the current requirements and considering the impact of adapting them to:

1. Allow the consent to include a more general description of the individual, organization, or health care entity to which disclosure is to be made.

2. Require the patient be provided with a list of providers or organizations that may access their information, and be notified regularly of changes to the list.

3. Require the consent to name the individual or health care entity permitted to make the disclosure.

4. Require that if the health care entity permitted to make the disclosure is made up of multiple independent units or organizations that the unit, organization, or provider releasing substance abuse related information be specifically named.

5. Require that the consent form explicitly describe the substance abuse treatment information that may be disclosed.

SAMHSA welcomes comments on patient privacy concerns as well as the anticipated impact of the consent requirements on integration of substance abuse treatment data into HIEs, health homes, ACOs, and CCOs.

  • Would these changes maintain the privacy protections for patients?
  • Would these changes address the concerns of HIEs, health homes, ACOs, and CCOs?
  • Would these changes raise any new concerns?

3. Redisclosure

SAMHSA has also heard numerous concerns regarding the prohibition on redisclosure (§ 2.32). Currently most EHRs don't support data segmentation. Without this functionality, EHR systems must either keep alcohol and drug abuse patient records separate from the rest of the patient's medical record or apply the 42 CFR Part 2 protections to the patient's entire medical record if such record contains information that is subject to 42 CFR Part 2.

SAMHSA is considering revising the redisclosure provision to clarify that the prohibition on redisclosure only applies to information that would identify an individual as a substance abuser, and allows other health-related information shared by the Part 2 program to be redisclosed, if legally permissible. This would allow HIT systems to more easily identify information that is subject to the prohibition on redisclosure enabling them to utilize other technological approaches to manage redisclosure. If data are associated with information about where the data were collected (data provenance) which reveals that the data were collected by a practice that exclusively treats addiction, the data would still be protected under the proposed change.

  • Would this type of change facilitate technical solutions for complying with 42 CFR Part 2 in an EHR or HIE environment?
  • Would these changes maintain the privacy protections for patients?

4. Medical Emergency

SAMHSA has heard concerns regarding the medical emergency exception of 42 CFR Part 2 (§ 2.51). The current regulations state that information may be disclosed without consent “for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” The statute, however, states that records may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency. SAMHSA is considering adapting the medical emergency exception to make it more in-line with the statutory language and to give providers more discretion as to when a bona fide emergency exists. For example, amending this standard to allow providers to use the medical emergency provision to prevent emergencies or to share information with a detoxification center when a patient is unable to provide informed consent due to their level of intoxication.

  • What factors should providers take into consideration in determining whether a medical emergency exists?
  • Are there specific use cases SAMHSA should take into consideration?
  • Are there patient concerns about the impact of this change on their privacy?

5. Qualified Service Organization (QSO)

SAMHSA has also heard concerns from payers and health management organizations related to disclosing information that is subject to 42 CFR Part 2 to health care entities (ACOs/CCOs) for the purpose of care coordination and population health management; helping them to identify patients with chronic conditions in need of more intensive outreach. Under the current regulations, substance abuse information may not be shared for these purposes without consent.

SAMHSA is analyzing the regulations to identify options for allowing Part 2 data to flow to health care entities for the purpose of care coordination and population management while maintaining patient protections. One potential solution includes expanding the definition of a qualified service organization (QSO; § 2.11) to explicitly include care coordination services and to allow a QSO Agreement (QSOA) to be executed between an entity that stores Part 2 information, such as a payer or an ACO that is not itself a Part 2 program, and a service provider.

  • Are there other use cases we should be taking into consideration?
  • Are there specific patient concerns about the impact of this change on their privacy?

6. Research

Under the current regulations, the Part 2 “program director” has to authorize the release of information for scientific research purposes. This issue has been brought to SAMHSA's attention from organizations that store patient health data, including data that are subject to Part 2, which may be used for research (e.g. health management organizations). Under the current regulatory framework, absent consent, these organizations do not have the authority to disclose Part 2 data for scientific research purposes to qualified researchers or research organizations. This issue can be addressed by expanding the authority for releasing data to qualified researchers/research organizations to other health care entities that receive and store Part 2 data, including third-party payers, HIEs, and care coordination organizations for the purposes of research, audit, or evaluation.

SAMHSA is considering expanding the authority for releasing data to qualified researchers/research organizations to health care entities that receive and store Part 2 data, including third-party payers, health management organizations, HIEs, and care coordination organizations.

  • Are there factors that should be considered related to how current health care entities are organized, how they function or how legal duties and responsibilities attach to entities that make up an umbrella organization?
  • Would this change address concerns related to research?
  • Are there specific privacy concerns associated with expanding the authority or releasing data to qualified researchers/research organizations in this way?
  • Are there additional use cases that should be considered in the research context?

7. ePrescribing and Prescription Drug Monitoring Programs

Part 2 protections include a prohibition on the redisclosure of information received directly from a Part 2 program. A pharmacy that receives electronic prescription information directly from a Part 2 program must obtain patient consent to send that information to a PDMP, and patient consent is also required for the PDMP to redisclose that information to those with access to the PDMP. Pharmacy data systems do not currently have mechanisms for managing patient consent or segregating data that are subject to Part 2 and preventing the data from reaching the PDMP. Pharmacy systems also lack the ability to identify which providers are subject to Part 2, making it difficult to prevent the Part 2 data from reaching the PDMP.

If a patient does not consent to sharing their data via e-prescribing, their only option for filling their prescription is to bring a paper prescription to the pharmacy. In this instance, since the information is given by the patient, it is not protected by 42 CFR Part 2. They, therefore, cannot prevent the information from reaching the PDMP which in some states is accessible by law enforcement and has the potential to lead to investigation/arrest and other forms of discrimination.

  • How do pharmacy information system vendors anticipate addressing this issue? Are there specific technology barriers SAMHSA should take into consideration?
  • Are there other concerns regarding 42 CFR Part 2 and PDMPs? Please describe relevant use cases and provide recommendations on how to address the concerns.
  • Are there patient concerns about the impact of e-prescribing and PDMPs on their privacy?

Reminder: Public Comment Period Open for Meaningful Use NPRM

Last month, CMS and ONC released a Notice of Proposed Rulemaking ("NPRM") which would grant flexibility to providers participating in Meaningful Use who are having trouble implementing 2014 Editions of their CEHRT. The public comment period is open until July 21, at 11:59pm and I encourage you to take a few minutes to submit your comments, concerns and questions online.  All of them.

The general gist of the NPRM is that CMS and ONC have finally acknowledged the frustration and concern of vendors and providers with having 2014 Edition CEHRT up and running in time to demonstrate Meaningful Use for the 2014 reporting period.  Despite concerns regarding insufficient timing after the Stage 2 rule's publication for vendors to certify to the 2014 requirements and roll-out upgraded products to their consumers (not to mention all the steps taken on the provider side for implementation), CMS plowed ahead with its original timeframes and requirements.  

CMS now seems to be regretting this decision and is offering potential solutions for all providers, regardless of Stage.  Can't implement 2014 Editions in time? Don't worry about it, says CMS, just take your pick from one of the following options:   

  • Stage 1 (2013 Definition) using 2011 Edition CEHRT, or using a combination of 2011 and 2014 Edition CEHRT;
  • Stage 1 (2014+ Definition) using 2014 Edition CEHRT; or
  • Stage 2 (2014+ Definition) using 2014 Edition CEHRT.

This is not entirely a "get-out-of-jail free card" from CMS. A provider would need to be able to demonstrate that it had trouble fully implementing 2014 Edition CEHRT required to demonstrate Meaningful Use in its applicable stage of participation.  

There are plenty of problems with CMS's proposed solution.  First of all, the public comment period is open until July 21 at 11:59pm. That means there won't be any formal action taken by CMS until the end of July at the earliest.  This is an entire month into the last available reporting period for hospitals in FY 2014.  

Secondly, providers that have been working tirelessly to implement the necessary changes for the 2014 Edition CEHRT may not be able to reverse gears at this point and go back to the 2011 Editions where needed. And third, (but certainly not the last of the concerns), even if they can switch gears, all providers still need to be ready to go with 2014 Edition CEHRT for the 2015 reporting period.  For hospitals, this means midnight on October 1, 2014.  

CMS may have had good intentions, but the proposed solution is creating more confusion than alleviating concerns. Let's hope we see some more clarity in the final rule, whatever it may look like.  Until then, keep calm and carry on.    

When Do Conduits Cross the HIPAA BA Line?

What Is a “Conduit” and When Do They Cross The HIPAA BA Line? [1]

As health information organizations (HIOs) start to facilitate secure networked health information exchange (HIE), the question of whether the HIO is or is not a HIPAA business associate (BA) almost always comes up.  In the beginning stages of networked HIE, an HIO often plays a very limited role in the actual exchange of health information.  The HIO does not access, maintain or store patient data at all.  Instead, encrypted data is routed directly from a trusted source to the authorized user requesting the patient data.  Therefore, the HIO behaves more like a “conduit” as described by the Department of Health and Human Services (HHS) in HIPAA.

However, as data exchange activities become more robust, the HIO may increasingly become involved in overseeing, managing and storing patient data on behalf of its trusted participating organizations.  At that time, the HIO begins to transition and act in a new capacity as a HIPAA BA. This also requires the HIO to put in place a HIPAA-compliant BA Agreement and to comply in full with the HIPAA Security Rule and certain other requirements made applicable to it by the Health Information Technology for Economic and Clinical Health Act (HITECH).  As such, it is important to understand whether an HIO’s activities are limited to those of a conduit, and to recognize when they cross the HIPAA BA “line”.  This blog post reviews HIPAA’s definitions of “conduit” and “business associate” and suggests one approach that allows an HIO to transition from its initial “conduit” role to a HIPAA BA role when appropriate.

A HIPAA “business associate” is any person or entity that “creates, receives, maintains or transmits” protected health information (PHI) when performing “health care operations” and other activities for or on behalf of a covered entity.  See 45 CFR § 160.103. A business associate is required to comply directly with certain provisions of the HIPAA Privacy and Security Rules, including, but not limited to, maintaining written HIPAA security and other policies.  Business associates must also enter into a written business associate agreement (HIPAA BAA) with each covered entity they provide business associate services to. 

The movement of PHI through or facilitated by an HIO implicates a business associate relationship because, by definition, a business associate includes,

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.” (emphasis added) 

See 45 CFR § 160.103.

This provision was added to the HIPAA business associate definition by HITECH to hold HIOs accountable as HIPAA business associates where they transmit PHI and perform other functions for and on behalf of a covered entity.

However, the Office for Civil Rights (OCR) and Department of Health and Human Services (HHS) have historically recognized a limited exception to the business associate relationship for certain entities that simply transport or transmit PHI.  Entities such as the United States Postal Service, couriers, and their electronic equivalents transport but do not have routine access to PHI other than infrequently or randomly, and disclosure of the PHI to such entity is not intended.  See  These entities have been and are treated by OCR and HHS as “conduits” through which PHI is transported, not business associates.  As reiterated by the Preamble to the Final HITECH Rule,

“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.]  As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”

78 Federal Register pg 5571 (emphasis added).

Therefore, the occasional, random access by a data transmission entity does not make the entity a HIPAA business associate.  The Preamble to the Final HITECH Rule gives the example of a telecommunications company which may have access to PHI when it reviews whether data being transmitted over its network is arriving to its intended destination.  See 78 Federal Register pgs 5571-5572.

Conversely, an entity that manages the exchange of PHI through a network, including record locator services and various oversight and governance functions, has more than “random access” and would therefore meet the definition of a HIPAA business associate.  See 78 Federal Register pg 5571.  Furthermore, while there may be a few exceptions, any entity that “maintains” PHI (i.e., provides data hosting of any kind) is almost always considered a business associate, even if the entity does not actually access the PHI, because its opportunity to access the data is persistent rather than merely transient.  78 Federal Register pg 5572.

HIOs and entities that act as health information service providers (HISPs) can appropriately be treated as “conduits” and not business associates where the only services and functions they provide relate to data transmission or routing of point-to-point encrypted messages.  According to DIRECT Project [2] protocols, best practice standards, and related guidance for HISPs and secured health transport, a HISP which provides mere transmission or routing functions is not a HIPAA business associate.  Likewise, a HISP that transports only data that has already been encrypted by a sender and will remain encrypted until received by the intended recipient will not be considered a HIPAA business associate unless it otherwise has access to unencrypted PHI on a routine basis or possesses decryption keys or other mechanisms for accessing the data.

Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity that performs only fully encrypted data routing or transmission activities for a covered entity.  A HIPAA BA relationship will, however, be found where such HIO, HISP or similar entity performs more than such limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions/management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information.  See 45 CFR § 160.103 and § 164.103.  Such activities will cause a conduit to “cross” the HIPAA BA “line” and trigger HIPAA BA obligations, including compliance with applicable provisions of the HIPAA Security Rule, written security policies and procedures, and written BAAs, among others.  But what should an HIO and its participants do during the transition period, when an HIO is functioning as a conduit but has not yet engaged in full-out HIPAA BA activities?

One approach to this issue is to put in place a “springing” HIPAA BAA between the HIO and its participating organizations.  Such a “springing” HIPAA BAA essentially requires the HIO to fully comply with HIPAA’s requirements applicable to business associates at such time when the HIO crosses the line from supporting data exchange as a mere conduit to more integrally supporting, accessing and managing such data exchange as a HIPAA BA.  The HIO is thereby required to regularly and closely evaluate its activities and be prepared to already be fully compliant with HIPAA (i.e., the Security Rule) as soon as it crosses the HIPAA BA line.

[1] This article first appeared as a Guest Column in HealthShare Exchange of Southeastern PA's "Connector" Newsletter. HealthShare Exchange is a collaboration of stakeholders representing over 30 hospitals and health systems and several health plans in the five-county region of greater Philadelphia. HSX was created for the purpose of enabling the electronic exchange of patient data in order to improve healthcare outcomes in the region.  Learn more about HealthShare.

[2] DIRECT Project is a federal and stakeholder initiative aimed at establishing standards and documentation to support sending encrypted health data and messages to known recipients. For more information, visit