At times, patients as well as healthcare entities may have to share confidential health information, mainly related to mental health to enhance patient treatment or for reimbursement. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has developed regulations to protect the privacy and security of health information. Healthcare organizations must be compliant with HIPAA regulations and state privacy rules while sharing patient records as well as while outsourcing medical transcription tasks. With the rise in opioid crisis, the Office for Civil Rights has launched two new websites – one for patients and their families and another for providers to reorganize existing HIPAA provisions to make the guidance more user-friendly. These sites clarify the circumstances under which HIPAA allows covered entities to disclose information, especially that related to mental health and substance use disorders, to family and caregivers.
On January 3, 2018, The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS) released the final rule on how patient records related to substance use disorders should be used. The rule that goes into effect on February 2, 2018, makes changes to the regulations on 42 CFR Part 2 that aims at supporting payment and healthcare operations activities while protecting the confidentiality of patients.
In January 2017, SAMHSA updated these Part 2 rules which provided greater flexibility in disclosing patient identifying information within the healthcare system while continuing to address the need to protect the confidentiality of substance use disorder patient records.
Under Part 2 written in 1975, a federally assisted substance use disorder program may only release patient identifying information with the individual’s written consent, pursuant to a court order, or under a few limited exceptions. However, the latest rule will permit healthcare providers to more easily conduct activities such as quality improvement, claims management, patient safety training, and program integrity efforts with the patients’ consent.
SAMHSA’s steps to modernize Part 2 include:
- An option for an abbreviated re-disclosure prohibition notice in recognition of electronic medical record (EMR) character limitations
- Lawful holders of Part 2 data may disclose data to contractors, subcontractors and legal representatives for payment and healthcare operations-related purposes without specific consent
- Government entities funding Part 2 programs may have access to program information as necessary to conduct audits and evaluations without patient consent, and similarly may share Part 2 information with contractors, subcontractors and legal representatives for audit and evaluation purposes
With its updates to the 42 CFR Part 2 rules, SAMHSA aims at increasing opportunities for individuals with substance use disorders to participate in new and emerging health IT, facilitating data sharing within the healthcare system to support new models of integrated healthcare, improving patient safety while maintaining or strengthening privacy protections for individuals seeking treatment for substance use disorders and decreasing burdens associated with several aspects of the rule, including consent requirements.
Though SAMHSA has attempted to align this final rule with HIPAA based on the proposed revisions in the supplemental notice of proposed rulemaking (SNPRM) and the public comments received, this part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA.
Several comments submitted for SNPRM claim that aligning part 2 with HIPAA could allow complete patient record sharing between providers, facilitate interoperability, improve compliance, and enhance privacy protections by making confidentiality restrictions more uniform across healthcare settings, promote innovative models of healthcare delivery, establish uniform, workable regulations with respect to treatment, payment and operations, improve patient care, and reduce stigma and potential harm to patients. Physicians specialized in psychiatry or behavioral medicine relying on medical transcription companies to document clinical notes, consultation notes, psychiatric evaluations, referral letters or discharge summaries must make sure that the company they partner with is experienced in providing HIPAA-compliant solutions.