SAMHSA Public Session to Discuss Part 2 Regulations & HIE

The Part 2 regulations which govern and protect information created by drug and alcohol rehabilitation providers have caused challenges for electronic health information exchange ever since HIE became a household term (....ok, well at least in the homes of the people working tirelessly in this space!)  Finally, tomorrow SAMHSA (the Substance Abuse and Mental Health Services Administration) is finally taking a hard look at Part 2 to see if the time has come to introduce amendments that align how such information flows in a new world of coordinated care and networked HIE.

I am registered and will participate in the public listening session tomorrow Wednesday, June 11, 2014 from 9:30-4:30.  The agenda is posted here.  Notice of the public session was previously announced in the Federal Registrar on May 12, 2014

Here is a list of identified "issues" with Part 2 that SAMHSA is reviewing:

1. Applicability

Part 2 currently applies to federally funded individuals or entities that “hold themselves out as providing, and provide, alcohol or drug abuse diagnosis, treatment or treatment referral” including units within a general medical facility that hold themselves out as providing diagnosis, treatment or treatment referral (§ 2.11 Definitions, Program). The U.S. health care system is changing and more substance abuse treatment is occurring in general health care and integrated care settings which are typically not covered under the current regulations. It has also posed difficulties for identifying which providers are covered by Part 2; whether a provider or organization is covered by Part 2 can change depending on whether they advertise their substance abuse treatment services (i.e. `hold themselves out'), which can change over time.

SAMHSA is considering options for defining what information is covered under 42 CFR Part 2. Covered information could be defined based on what substance abuse treatment services are provided instead of being defined by the type of facility providing the services. For example, the regulations could be applied to any federally assisted health care provider that provides a patient with specialty substance abuse treatment services. In this scenario, providers would not be covered if they provided only substance abuse screening, brief intervention, or other similar pre-treatment substance abuse services.

  • How would redefining the applicability of 42 CFR Part 2 impact patients, health care provider organizations, HIEs, CCOs, HIT vendors, etc.?
  • Would this change address stakeholder concerns?
  • Would this change raise any new concerns?

2.   Consent

SAMHSA has heard a number of concerns from individuals and stakeholders regarding the current consent requirements of 42 CFR Part 2. 42 CFR 2.31 requires the written consent to include the name or title of the individual or the name of the organization to which the disclosure is to be made. This is commonly referred to as the “To Whom” consent requirement. Some stakeholders have reported that this requirement makes it difficult to include programs covered by 42 CFR Part 2 in HIEs, health homes, ACOs and CCOs. These organizations have a large and growing number of member providers and they generally do not have sophisticated consent management capabilities. Currently, a Part 2 compliant consent cannot include future un-named providers which requires the collection of updated consent forms whenever new providers join these organizations. As a result, many of these organizations are currently not including substance abuse treatment information in their systems.

While technical solutions for managing consent collection are possible, SAMHSA is examining the consent requirements in § 2.31 to explore options for facilitating the flow of information within the health care context while ensuring the patient is fully informed and the necessary protections are in place. Specifically, we are analyzing the current requirements and considering the impact of adapting them to:

1. Allow the consent to include a more general description of the individual, organization, or health care entity to which disclosure is to be made.

2. Require the patient be provided with a list of providers or organizations that may access their information, and be notified regularly of changes to the list.

3. Require the consent to name the individual or health care entity permitted to make the disclosure.

4. Require that if the health care entity permitted to make the disclosure is made up of multiple independent units or organizations that the unit, organization, or provider releasing substance abuse related information be specifically named.

5. Require that the consent form explicitly describe the substance abuse treatment information that may be disclosed.

SAMHSA welcomes comments on patient privacy concerns as well as the anticipated impact of the consent requirements on integration of substance abuse treatment data into HIEs, health homes, ACOs, and CCOs.

  • Would these changes maintain the privacy protections for patients?
  • Would these changes address the concerns of HIEs, health homes, ACOs, and CCOs?
  • Would these changes raise any new concerns?

3.     Redisclosure

SAMHSA has also heard numerous concerns regarding the prohibition on redisclosure (§ 2.32). Currently most EHRs don't support data segmentation. Without this functionality, EHR systems must either keep alcohol and drug abuse patient records separate from the rest of the patient's medical record or apply the 42 CFR Part 2 protections to the patient's entire medical record if such record contains information that is subject to 42 CFR Part 2.

SAMHSA is considering revising the redisclosure provision to clarify that the prohibition on redisclosure only applies to information that would identify an individual as a substance abuser, and allows other health-related information shared by the Part 2 program to be redisclosed, if legally permissible. This would allow HIT systems to more easily identify information that is subject to the prohibition on redisclosure enabling them to utilize other technological approaches to manage redisclosure. If data are associated with information about where the data were collected (data provenance) which reveals that the data were collected by a practice that exclusively treats addiction, the data would still be protected under the proposed change.

  • Would this type of change facilitate technical solutions for complying with 42 CFR Part 2 in an EHR or HIE environment?
  • Would these changes maintain the privacy protections for patients?

4.     Medical Emergency

SAMHSA has heard concerns regarding the medical emergency exception of 42 CFR Part 2 (§ 2.51). The current regulations state that information may be disclosed without consent “for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” The statute, however, states that records may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency. SAMHSA is considering adapting the medical emergency exception to make it more in-line with the statutory language and to give providers more discretion as to when a bona fide emergency exists. For example, amending this standard to allow providers to use the medical emergency provision to prevent emergencies or to share information with a detoxification center when a patient is unable to provide informed consent due to their level of intoxication.

  • What factors should providers take into consideration in determining whether a medical emergency exists?
  • Are there specific use cases SAMHSA should take into consideration?
  • Are there patient concerns about the impact of this change on their privacy?

5.     Qualified Service Organization (QSO)

SAMHSA has also heard concerns from payers and health management organizations related to disclosing information that is subject to 42 CFR Part 2 to health care entities (ACOs/CCOs) for the purpose of care coordination and population health management; helping them to identify patients with chronic conditions in need of more intensive outreach. Under the current regulations, substance abuse information may not be shared for these purposes without consent.

SAMHSA is analyzing the regulations to identify options for allowing Part 2 data to flow to health care entities for the purpose of care coordination and population management while maintaining patient protections. One potential solution includes expanding the definition of a qualified service organization (QSO; § 2.11) to explicitly include care coordination services and to allow a QSO Agreement (QSOA) to be executed between an entity that stores Part 2 information, such as a payer or an ACO that is not itself a Part 2 program, and a service provider.

  • Are there other use cases we should be taking into consideration?
  • Are there specific patient concerns about the impact of this change on their privacy?

6.     Research

Under the current regulations, the Part 2 “program director” has to authorize the release of information for scientific research purposes. This issue has been brought to SAMHSA's attention from organizations that store patient health data, including data that are subject to Part 2, which may be used for research (e.g. health management organizations). Under the current regulatory framework, absent consent, these organizations do not have the authority to disclose Part 2 data for scientific research purposes to qualified researchers or research organizations. This issue can be addressed by expanding the authority for releasing data to qualified researchers/research organizations to other health care entities that receive and store Part 2 data, including third-party payers, HIEs, and care coordination organizations for the purposes of research, audit, or evaluation.

SAMHSA is considering expanding the authority for releasing data to qualified researchers/research organizations to health care entities that receive and store Part 2 data, including third-party payers, health management organizations, HIEs, and care coordination organizations.

  • Are there factors that should be considered related to how current health care entities are organized, how they function or how legal duties and responsibilities attach to entities that make up an umbrella organization?
  • Would this change address concerns related to research?
  • Are there specific privacy concerns associated with expanding the authority or releasing data to qualified researchers/research organizations in this way?
  • Are there additional use cases that should be considered in the research context?

7.     ePrescribing and Prescription Drug Monitoring Programs

Part 2 protections include a prohibition on the redisclosure of information received directly from a Part 2 program. A pharmacy that receives electronic prescription information directly from a Part 2 program must obtain patient consent to send that information to a PDMP, and patient consent is also required for the PDMP to redisclose that information to those with access to the PDMP. Pharmacy data systems do not currently have mechanisms for managing patient consent or segregating data that are subject to Part 2 and preventing the data from reaching the PDMP. Pharmacy systems also lack the ability to identify which providers are subject to Part 2, making it difficult to prevent the Part 2 data from reaching the PDMP.

If a patient does not consent to sharing their data via e-prescribing, their only option for filling their prescription is to bring a paper prescription to the pharmacy. In this instance, since the information is given by the patient, it is not protected by 42 CFR Part 2. They, therefore, cannot prevent the information from reaching the PDMP which in some states is accessible by law enforcement and has the potential to lead to investigation/arrest and other forms of discrimination.

  • How do pharmacy information system vendors anticipate addressing this issue? Are there specific technology barriers SAMHSA should take into consideration?
  • Are there other concerns regarding 42 CFR Part 2 and PDMPs? Please describe relevant use cases and provide recommendations on how to address the concerns.
  • Are there patient concerns about the impact of e-prescribing and PDMPs on their privacy?