Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
With the new rules around the confidentiality of substance abuse records circulated this month, physicians need to update policies and procedures.
On Feb. 9, The Substance Abuse and Mental Health Services Administration (SAMHSA) published proposed rules in the Federal Register (81 Fed. Reg. 6988 (Feb. 9, 2016) that aims to balance the electronic exchange of substance use disorder information with confidentiality protections. This is the first update since 1975 of the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2 (aka part 2), which “protects the confidentiality of the identity, diagnosis, prognosis, or treatment of any patient records which are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.” Therefore, this article focuses on the recent updates, as well as steps physicians and other providers should take to protect this highly sensitive information.
There has always been concern given to the confidentiality of substance abuse records because of “the potential use of substance abuse information against individuals.” In relation to the proposed rules, new or revised terminology is brought to light and addresed. The SAMHSA rules extend to both “general medical facilities” and “general medical practices.” Moreover, under “Section III.D., Confidentiality Restrictions and Safeguards (§ 2.13), SAMHSA proposes to add a requirement that, upon request, patients who have included a general designation in the 'To Whom' section of their consent form (see § 2.31) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.” In relation to additional technical, administrative, and physical security measures, SAMHSA requires standards that are already defined in HIPAA and the Omnibus Rules. These standards include: formal policies and procedures; sanitization of media – both paper and electronic; and the duty to report violations to authorities.
For physicians, this means taking the following actions:
• Revise the HIPAA Consent Form to include the requisite SAMHSA “To Whom” and “From Whom” language;
• Review current policies and procedures to ensure that disposal of both paper and electronic records are detailed in accordance with the requisite standards; and
• Refine processes to address the “Prohibition on Re-disclosure (§2.32).
Failing to address these new rules could lead to significant consequences for both physicians and the entities that request the information.