1

2

Part 2 and the Health Information Exchange:Applying Federal Substance Abuse Treatment Regulations (42 C.F.R. Part 2) to Health Information Exchanges (HIEs)

Beus Center for Law and Society, Great HallJuly 25, 2018

3

• Welcome

• Introduction of 42 CFR Part 2

• Applying Regulations to HIE Users: an Interactive Exercise

• Networking Break

• Key Q&As: Discussion and Audience Participation

Agenda

4

Introduction to 42 C.F.R. Part 2Melissa A. Soliz, Esq.

Coppersmith Brockelman, PLC

5

• Brief Historical Overview• Applicability • Overview of 2017 and 2018 Rule Changes• Disclosure Restrictions and Exceptions• Consent Requirements

Roadmap

6

Historical Overview

• Part 2 implements the Confidentiality of Records requirements in the Public Health Service Act (42 U.S.C. § 290dd-2)

• Part 2 supplements other privacy laws, including HIPAA and other state confidentiality laws

• DOJ enforces Part 2 with criminal fines

1970/1972: Congress enacted SUD legislation

(P.L. 91-616; P.L. 92-255; 37 Fed. Reg. 24636)

1975 & 1987: Part 2 regulations

promulgated, then revised

(40 Fed. Reg. 27802; 52 Fed. Reg. 21798)

2017 & 2018: first major changes to Part 2 in over 2

decades(82 Fed. Reg. 6052; 83 Fed.

Reg. 239)

7

Determining Applicability

You can determine whether Part 2 applies by answering 3 questions:1. What Information?2. From whom?3. How was it received?

8

What Information? (42 C.F.R. § 2.12)

Part 2 only applies to:• Protected health information (PHI) that • Identifies a person as having (or having had) a substance use disorder

(SUD) directly, by reference to publicly available information, or through verification of such identification by another person; AND . . . .

9

From Whom? (42 C.F.R. §§ 2.11, 2.12)

• Part 2 data must originate from a “Part 2 program”- WARNING! Part 2 protections follow the data…. (more ahead!)

• A Part 2 program is a “federally assisted” “program”• “Program”

- An individual, entity (other than a general medical facility) or identified unit within a general medical facility that holds itself out as providing and providesSUD diagnosis, treatment, or referral (“SUD services”); OR

- Medical personnel/other staff of a general medical facility whose primaryfunction is SUD services and who are identified as such providers

• “Federally Assisted” – very broad!- Examples: receives federal funds, Medicare/Medicaid certified, authorized to

provide MAT, DEA registered to prescribe controlled substances for SUDs, 501(c)(3) status

10

How was it Received? (42 C.F.R. §§ 2.11, 2.12, 2.33, 2.52, 2.53)

• Part 2 protections follow the Part 2 data depending on how the information is disclosed

• Other Lawful Holders of Part 2 data subject to Part 2:- Third party payers who receive Part 2 data from Part 2 programs or from

another source pursuant to a patient’s consent- Entities that have direct administrative control over the Part 2 program

(Ex: a general medical facility that has a addiction medicine department)- Consent recipients who receive the Part 2 data pursuant to a patient’s consent

with the prohibition on re-disclosure notice- Contractors and their subcontractors who receive Part 2 data under contract- Researchers and auditors who receive Part 2 data under the Part 2 exceptions

11

2017 & 2018 Rule Changes

• Definitions: modernized • Alignment with HIPAA: security & record destruction• Part 2 Summary for Patients: must include contact info for reporting

violations• Consent Requirements: changes to the “to whom,” “amount and kind,” and

“purpose” elements • Exceptions to Consent: existing exceptions broadened to permit greater

flexibility in disclosures to medical personnel in a medical emergency, researchers, auditors, and contractors/subcontractors

• Prohibition on Re-Disclosure Notice: updated language and use of an abbreviated notice now permitted

12

Disclosure Restrictions and ExceptionsGeneral Rule: patient consent required unless an exception appliesExceptions• Medical emergency (42 C.F.R. § 2.51)• Research (42 C.F.R. § 2.52)• Audit and evaluations (42 C.F.R. § 2.53)• Court orders (42 C.F.R. Subpart E)• Direct administrative control (42 C.F.R. § 2.12(c)(3))• Contractors and subcontractors (42 C.F.R. §§ 2.11, 2.12(c)(4), 2.33)• Child abuse/neglect (42 C.F.R. § 2.12(c)(6))• Mandatory death reporting/death investigations (42 C.F.R. § 2.15(b))• Reporting to law enforcement of crimes on Part 2 program premises/against Part 2 program personnel (42 C.F.R. §

2.12(c)(5))• FDA disclosures to notify patients/physicians of danger due to error in manufacturing, labelling or sale of product

under FDA jurisdiction (42 C.F.R. § 2.51(b)) • VA/Armed Forces (42 C.F.R. § 2.12(c)(1)-(2))

13

Medical Emergency Exception (42 C.F.R. § 2.51)

Exception Requirements: all 3 requirements must be met• The disclosure must be limited to medical personnel• It must be necessary to meet a bona fide medical emergency• The patient’s prior informed consent cannot be obtained

Part 2 Program Obligations: document in the medical record• Name of the medical personnel who received the Part 2 data• Name of the individual who made the disclosure• The date/time of the disclosure; and• Nature of the medical emergency

Limitations• Technology cannot be used to automate the medical emergency determination • Cannot be used to circumvent the consent requirement• A intermediary entity must immediately notify the Part 2 program of the “break the glass”

disclosure and provide information the Part 2 program needs to document the disclosure

14

Contractors/Subcontractors (42 C.F.R. §§ 2.11, 2.12, 2.33)

2018 Changes: clarifies that other lawful holders who receive Part 2 data pursuant to a patient’s consent for TPO can redisclose Part 2 data to their contractors/subcontractors for payment and health care operations purposes

Who are Contractors/Subcontractors?: individuals/entities who provide payment or health care operations (excluding care coordination/case management) services to, or on behalf of, Part 2 Programs or other lawful holders and who need access to Part 2 data to perform those services• This includes vendors who provide data exchange, hosting and data analytic

services

15

Limitations on Disclosures to Contractors

• The contractual requirements for contractors of Part 2 programs are different from those for contractors of other lawful holders (e.g., general hospitals, other non-Part 2 program providers)

• The contractor relationship CANNOT be used for disclosures for treatment, care coordination, case management or medication management without patient consent

• Only Part 2 data necessary for the contractor/subcontractor to perform services may be disclosed

• Contractors/subcontractors cannot redisclose Part 2 data to third parties, unless the third party is a contract agent of the contractor/subcontractor, helping to provide services described in the contract, and only as long as the contract agent only further discloses the Part 2 data back to the contractor/subcontractor or data source, or as otherwise permitted by Part 2

16

Comparison of Contractual Requirements

Part 2 Programs and Qualified Service Organizations (QSOs)• Must have a Qualified Service Organization

Agreement (QSOA)• QSOA Requirements: QSO must

- Acknowledge that in receiving, storing, processing, or otherwise dealing with any Part 2 data from the Part 2 program, it is fully bound by Part 2; and

- If necessary, will resist in judicial proceedings any efforts to obtain access to Part 2 data related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by Part 2

• Part 2 programs do not need to give the QSO the redisclosure notice

Other Lawful Holders and their Contractors/SubcontractorsThe Lawful holder must:

- Be holding the Part 2 data pursuant to a patient’s consent that includes use of Part 2 data for payment and/or health care operations

- Give the contractor the prohibition on re-disclosure notice and ensure that this is given to any downstream recipients

Contract Requirements: contractor / subcontractor • Must acknowledge it is fully bound by Part 2

upon receipt of Part 2 data;• Will implement appropriate safeguards to

prevent unauthorized uses and disclosures; and• Will report any unauthorized uses, disclosures, or

breaches of Part 2 data to the lawful holder

17

• Patient consent: yes OR exception to consent (e.g., medical emergency)

• Re-disclosure notice: yes, unless an exception applies (e.g., medical emergency)

• Contract: no• Purpose: stated in consent OR exception to consent

Part 2 Program Subcontractorof QSO

Qualified Service Organization (“QSO”)A QSO is a contractor of a Part 2

Program.

Other Third Parties

QSO Part 2 Information Flow ChartThis flow chart depicts the permissible flows of Part 2 data to

and from a QSO.

18

Part 2 Program

Scenario 1:Lawful Holder – Consent (hospital or clinic receives Part 2 data pursuant to patient consent with the

re-disclosure notice)

Lawful Holder Part 2 Information Flow ChartThis flow chart depicts the permissible data flows of Part 2 data to and from a Lawful Holder Contractor.

Scenario 2:Lawful Holder -

Medical Emergency (hospital or clinic receives Part 2

data without the re-disclosure notice)

• Patient consent: no• Re-disclosure notice: no• Contract: no• Purpose: medical emergency

• Patient consent: yes• Re-disclosure notice: yes• Contract: no• Purpose: consent must include

payment and/or health care operations (may be in addition to treatment and other purposes)

• No Part 2 restrictionsAll Third Parties(including contractors and

subcontractors)

Lawful Holder Contractor

Subcontractor of Lawful Holder Contractor

Other Third Parties

• Patient consent: no• Re-disclosure notice: yes• Contract: yes (bound by Part 2;

safeguards; reporting)• Purpose: payment and/or health

care operations (NOT treatment or care coordination) covered by the contract

• Patient consent: no• Re-disclosure notice: yes• Contract: yes (bound by Part 2; safeguards; reporting)• Purpose: payment and/or health care operations

covered by the contract between the Lawful Holder and Lawful Holder Contractor

• Patient consent: yes OR exception to consent (e.g., medical emergency)

• Re-disclosure notice: yes, unless an exception applies (e.g., medical emergency)

• Contract: no• Purpose: stated in consent OR exception to

consent

19

Overview of Consent Requirements (42 C.F.R. §§ 2.31, 2.32)

Patient name, signature and date• Special rules apply if the patient is a minor, incompetent or deceased, and when a personal representative may sign

From whom• Either a specific entity/individual name or general designation of “all my substance use disorder treatment providers”

To whomAmount and KindPurposeRevocation right

• Patient can revoke at any time, except if a consent is already relied upon• A patient can orally revoke

Expiration date or event• If appropriate, the expiration could be upon the patient’s deathAdditional Requirements

• Right to request a list of disclosures if a general designation consent is used• Disclosures to central registries and elements of the criminal justice systems (e.g., probation/parole) must meet

additional requirements• The consent form must also comply with HIPAA if for purposes other than treatment, payment or health care

operations purposesNotice of Prohibition on Redisclosure Notice

• Either the full length or abbreviated written notice on the prohibition on re-disclosure must accompany each disclosure of Part 2 data made pursuant to a patient’s written consent

20

To Whom (82 FR 6052, 6080)

21

To Whom (42 C.F.R. § 2.31(a)(4))

1987 Standard: name/title of individual or organization; SAMHSA prohibited use of a general designation, such as “all my healthcare providers”

2017 Rule Change• Name of entity/individuals with a treating provider relationship (XYZ Clinic) • Name of health plan (ABC Plan)• Name of individual that does NOT have a treating provider relationship (Jane Doe)• General designation (called the “general designation” consent option)

- Name of entity without a treatment provider relationship (HIO or ACO); AND- Name of entities with a treating provider relationship, individuals, or general

designation of individuals/entities/class limited to those with a treating provider relationship (past, current or future).

Treating Provider Relationship (42 C.F.R. § 2.11)

22

List of Disclosures (42 C.F.R. §§ 2.31(a)(4)(i)(B)(3)(i), 2.13(d))

• Required if a “general designation” consent form is used• Consent form must include a statement notifying patients that they have a

right to make a written request for a list of disclosures (up to 2 years)• List of Disclosures requirements:

- Must respond within 30 days- For each disclosure list the name of the entities, date and brief

description• Obligation is on the intermediary entity• Intermediary entity must be able to generate a “list of disclosures” before

a general designation consent is used

23

Amount and Kind (42 C.F.R. § 2.31(a)(3), 82 Fed. Reg. at 6086)

2017 Rule Change: The consent for must describe “[h]ow much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed”

SAMHSA’s “Granular Consent” Interpretation: Interpreted by SAMHSA to allow for the disclosure of “all substance use disorder information,” but only if more detailed options are included other than “all or nothing”

24

Big Changes Ahead?

HB6082 (passed by U.S. House) would amend the Public Health Service Act to permit the disclosure of Part 2 data for treatment, payment and health care operations (https://legiscan.com/US/bill/HB6082/2017)

25

Applying Regulations to HIE UsersMelissa Kotrys, MPH

Health Current

26

Part 2 Data in the HIE: Application

• Health Current assists providers in determining:

1. Whether a participant is (or contains) a “Part 2 Program”2. If yes, whether the participant can segregate Part 2 from other health information (e.g. physical, behavioral health data)

27

Part 2 Data in the HIE: Application

Health Current Participants are required to abide by the Health Current Data Submission Policy:Requirements for Part 2 Programs: A Participant must notify Health Current in writing if it operates a Part 2 Program before submitting any Data to the HIE.

Requirements for All Other Participants: Participants that are not Part 2 Programs but are in possession of Part 2 Data must NOT disclose the Part 2 Data to Health Current without (1) a mechanism to segregate that Part 2 Data; and (2) advance notice to Health Current to send the Part 2 Data to the HIE.

28

Part 2 Data in the HIE: Restriction on Redisclosure

Lawful recipients of Part 2 data about a patient may not redisclose information “that identifies a patient as having or having had a substance use disorder… ” without the patient’s written consent (42 C.F.R. Part 2 § 2.32)

29

Scenario 1: Does Part 2 Apply?

You are the compliance officer for a small OB/GYN group. Yesterday a patient disclosed to a provider that she is has an opioid addiction. Concerned about the viability of the fetus, the treating physician prescribes the appropriate regimen of buprenorphine. Though she does not generally treat or hold herself out as treating patients with an SUD, the physician has prescribed a similar regimen for the handful of expecting mothers presenting with similar symptoms. Should this diagnosis and treatment regimen be segregated from the patient’s general health record to ensure compliance with Part 2?

30

31

Scenario 1: Does Part 2 Apply?No, the information should not be segregated from the patient’s general health record.

Part 2 does not apply – can share without consent

§ 2.11 Definitions:

Program defined as “an individual, entity (or than a general medical facility), or identified unit within a general medical facility that “holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment” OR “medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.”

32

Scenario 2: Does Part 2 Apply?

Substance Abuse Treatment of Arizona (SATA) is recognized in the community as an excellent inpatient SUD clinic. This morning, a patient fell and sustained a laceration to the leg. The supervising NP directed staff to irrigate and suture the wound, and document the same pursuant to SATA policy. Later that day, the patient complained of severe pain in the affected leg. The NP directed a staff member to accompany the patient to the local ED. The attending ED physician conducted a physical examination and is concerned that the topical ointment the SATA staff used was causing a severe irritation. The physician accesses the Health Current portal for a copy of the treatment record (relating only to the laceration on the patient’s leg) to determine which topical was used. Can the physician access this limited record without the patient’s consent?

33

34

Scenario 2: Does Part 2 Apply?

No, cannot share without consent

§ 2.12 Applicability:

The restrictions on disclosure in the regulations in this part apply to any information, whether or not recorded, which:

(i) Would identify a patient as having or having had a substance use disorder…

Consider though…

§ 2.51 Medical Emergencies: “patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained.”

35

Scenario 3: Are the Necessary Agreements in Place?

You are the CEO of a large hospital that offers a variety of services including psychiatric and SUD treatment. An analytics vendor approaches you about a product that can greatly assist your staff in identifying high utilization areas. After negotiating the terms of the agreement, the vendor assures you that, as your business associate (with a business associate agreement in place), they can hold your data without issue. You are confident that the BAA outlines the various measures the vendor will take to ensure the privacy and confidentiality of your data, and the vendor has agreed that they will not disclose your data to any third party. Are you ready to direct your staff to begin sending data to the vendor?

36

37

Scenario 3: Are the Necessary Agreements in Place?

No, must have patient consent (lawful holder) or QSOA in place

Part 2 generally requires patient consent except§ 2.51 Medical Emergencies§ 2.52 Research

However, the regulations do not require consent for disclosures to a Qualified Service Organization that

“Provides services to a part 2 program … andHas entered into a written agreement [QSOA]… under which that individual or entity:

(i) Acknowledges … it is fully bound by the regulations; and(ii) If necessary, will resist in judicial proceedings any efforts to obtain access to patient

identifying information related to substance use disorder diagnosis, treatment, or referral for treatment…” § 2.12

38

Scenario 4: Implementing Appropriate Redisclosure Restrictions

You are counsel for a large valley health plan. As of this month, members of your organization have begun accessing the HIE in order to conduct care coordination activities. In addition to access to physical health data about members, the plan has received consent to view Part 2 information for some members. The project lead communicates that the care coordinators should document all of their interactions/record access from the HIE in the plan’s care coordination application, without regard to the whether the data originated from a Part 2 Program. The plan is not a Part 2 Program after all. Do you agree with the project lead’s assertion? What steps might you take to ensure compliance with the rule?

39

40

Scenario 4: Implementing Appropriate Redisclosure Restrictions

No, Part 2 data that may be redisclosed should be kept separateA receiving party of Part 2 information is prohibited from redisclosing such information without the patient’s consent, unless an exception applies.

Plans in possession of Part 2 information should ensure Part 2 records are kept separate from general medical information. Plans should only use the information for the purpose for which the patient consented (e.g. care coordination), and should not include this information in any redisclosure without the patient’s consent.

General Health Data Part 2 Data

41

Part 2 Data in the HIE: Access

Health Current’s technical infrastructure supports segregation of Part 2 information and includes appropriate auditing requirements for medical emergency (“break the glass”) access

HIE Participants will obtain Part 2 consent from patients/members at the point-of-care to make a patient’s Part 2 information available to that Participant organization

Designated individuals within a Participant organization will have the ability to upload the Part 2 consents of their patients/members

42

Part 2 Data in the HIE: Rollout

Health Current will begin limited roll-out of Part 2 access in August, with full roll-out anticipated to begin this fall

Additional training and education related to the roll-out process, system functionality, etc. will be provided by the Health Current team to the relevant individuals within each Participant organization

43

Key Questions and AnswersChase J. Millea, Esq.

Health Current

44

True or False. Disclosure of a record containing a prescription for methadone (a common opioid addiction treatment medication) requires a Part 2 consent.

Key Question 1

45

46

True or False. Disclosure of a record containing a prescription for methadone (a common opioid addiction treatment medication) requires a Part 2 consent.

Did the data originate from a Part 2 Program covered by the regulations?

Key Question 1

It Depends

47

True or False. Disclosure of a record containing a diagnosis of a mid-ankle sprain requires a Part 2 consent.

Key Question 2

48

49

True or False. Disclosure of a record containing a diagnosis of a mid-ankle sprain requires a Part 2 consent.

Key Question 2

It DependsDid the data originate from a Part 2 Programcovered under the regulations that onlyprovides substance use disorder treatment (andno other health services)?

50

True or False. A payor adjudicating a claim from a Part 2 Program must receive consent before viewing any information about the treatment the patient received from that Part 2 Program.

Key Question 3

51

52

True or False. A payor adjudicating a claim from a Part 2 Program must receive consent before viewing any information about the treatment the patient received from that Part 2 Program.

Part 2 requires patient consent for disclosures to health plans for payment purposes. There is no exception for treatment, payment and health care operations disclosures to health plans

Key Question 3

True

53

Yes or No. A patient, an admitted alcoholic, presents at a major Valley emergency department with symptoms of alcohol poisoning. Must the charge nurse ensure that the course of treatment is documented in a separate chart that will require the patient’s consent before future disclosure?

Key Question 4

54

55

Yes or No. A patient presents at a major Valley emergency department with symptoms of alcohol poisoning. Must the charge nurse ensure that the course of treatment is documented in a protected chart that will require the patient’s consent before future disclosure?

§ 2.11 Definitions: “Program” means an individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment”

Key Question 4

No

56

True or False. Once a provider or plan receives consent to view a patient’s Part 2 record, the receiving party may integrate that information into their EMR, and may further disclose the patient’s information without any additional restrictions.

Key Question 5

57

58

True or False. Once a provider or plan receives consent to view a patient’s Part 2 record, the receiving party may integrate that information into their EMR, and may further disclose the patient’s information without any additional restrictions?

Key Question 5

False§ 2.32 Prohibition on Redisclosure: 42 CFR part 2 prohibits unauthorized disclosure of these records

59

Questions?

Mel Soliz: msoliz@cblawyers.comMelissa Kotrys: melissa.kotrys@healthcurrent.orgChase Millea: chase.millea@healthcurrent.org

60

Resources

• 42 eCFR Part 2, https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=b1fd15d2e501d6b26c2385bb733c99c5&mc=true&n=pt42.1.2&r=PART&ty=HTML#se42.1.2_112

• Federal Register: 82 FR 6052 (2017 Final Rule); 83 FR 239 (2018 Final Rule)

• SAMHSA Substance Abuse Confidentiality Regulations Fact Sheets & FAQs, https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs

• SAMHSA YouTube Channel, https://www.youtube.com/samhsa/• The Legal Action Center, Sample Forms https://lac.org/new-sample-

consent-forms-42-cfr-part-2/