United States: SAMHSA Proposes Changes To Substance Use Disorder Treatment Confidentiality Regulations

On February 5, 2015, the Substance Abuse and Mental Health Administration (SAMHSA) released a long-awaited proposed rule to modify the confidentiality rules that apply to patient identifying information generated by federally assisted substance use disorder treatment programs (42 CFR Part 2). The proposed revisions to the rules, which if finalized would be the first material revision in almost 30 years, attempt to modernize 42 CFR Part 2 to account for changes in the way health information is used and shared in the U.S. health care system, and for new health reform priorities, such has value-based payment and population health management, while retaining protections more stringent than HIPAA for substance use disorder treatment records maintained in connection with the performance of a 42 CFR Part 2-covered program (Part 2 Records).

42 CFR Part 2 only covers a limited subset of individually identifiable health information relating to substance use disorder diagnosis and treatment. In order for 42 CFR Part 2 to apply, the information must have been obtained from a "federally assisted" alcohol or drug abuse treatment "program", and must identify the individual as an alcohol or drug abuser. The definition of "program" is currently limited to individuals or entities (other than general medical care facilities) who hold themselves out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment; or identified units within a general medical facility that provide such care. Accordingly, if a patient were to tell his or her psychiatrist that he or she was depressed on account of a problem with substance use disorder, that information would not be protected by 42 CFR Part 2 when added to a patient's electronic medical record, unless the psychiatrist was holding him or herself out as providing alcohol or drug abuse diagnosis, treatment, or referral for treatment. The same information, however, when disclosed to a federally assisted program, would be protected. 42 CFR Part 2 interprets "federally assisted" broadly to include any program that participates in Medicare, or has received tax-exempt status from the Internal Revenue Service.

The proposed rule would extend this paradigm to general medical practices and individual practitioners within them. This proposed change would clarify that while general medical practices are not covered by 42 CFR Part 2, the records of individual practitioners within the practice could be covered by 42 CFR Part 2 if they are federally assisted and: (1) hold themselves out as an identified substance use disorder treatment unit; or (2) are identified as primarily performing substance use disorder diagnosis, treatment or referral for treatment.  SAMHSA proposed this change to account for increasing provision of substance use treatment services in integrated care settings. This proposal, if finalized, could create challenges for general medical practices that implement a common electronic health record (EHR).  General medical practices' EHRs would need to be capable of tracking whether information relating to a patient's substance use disorder was added to the EHR by a provider meeting the definition of a "program" under 42 CFR Part 2, or instead by a provider that is not covered by 42 CFR Part 2.  Only the substance use disorder diagnosis or treatment information entered into the EHR by a "program" would be considered a Part 2 Record. The general medical practice would also need to prevent Part 2 Records from being visible through the EHR to other practitioners within the practice unless a patient had signed a written consent in compliance with 42 CFR Part 2 permitting other practitioners to access the information.

Under HIPAA, health care providers and payors are permitted to share health information for treatment, payment and health care operations without first obtaining an individual's authorization. 42 CFR Part 2, however, generally requires substance use disorder treatment programs covered by the regulation, as well as any lawful recipient of Part 2 Records, to obtain written patient consent before sharing Part 2 Records, even for treatment, payment or health care operation purposes. The written consent must, among other things, specify the name or title of the individual, or the name of the organization to which disclosure is to be made. This model made sense when Part 2 was first issued, as medical records were paper records and disclosures occurred manually and only sporadically. These requirements, however, when considered against the modern backdrop of increasing exchange of health information to support the legitimate efforts of clinically integrated care networks, essentially preclude patients of substance use disorder treatment programs from benefitting from advancements in care coordination and quality improvement. It is unrealistic for patients of substance use disorder treatment programs to provide a consent permitting the program to disclose Part 2 Records to a clinically integrated care network, because neither the patient nor the substance use disorder treatment program could name all providers participating in the clinically integrated care network with specificity.

The proposed rule acknowledges that the 42 CFR Part 2 consent requirements have prevented substance use disorder treatment programs and their patients from participating in new integrated care models, which require health information to flow more freely among a patient's treating health care providers. The proposed rule proposes to create a new consent pathway that would permit substance use disorder treatment programs to disclose Part 2 Records to an integrated care network under a written consent from a patient, generally designating a class of network participants that have a treating relationship with the patient. For example, under the proposed rule, a patient could consent to a substance use disorder treatment program's disclosure of Part 2 Records to a clinically integrated care network with the general designation that the Part 2 Records may be shared with all providers involved in the patient's past, present and future care within that clinically integrated care network. The clinically integrated care network could then, based on the same consent, disclose the information to all individuals involved in the patient's past, present and/or future care. As long as quality improvement is specified by the consent as a purpose for the disclosure of Part 2 Records, it would also appear that entities or individual providers within the clinically integrated care network that are involved in the patient's care could use the Part 2 Records to perform quality improvement as well as treatment.

The proposed rule, however, does not permit patients to consent to a clinically integrated care networks' disclosure of Part 2 Records to other entities or classes of providers that are not involved in the patient's care. As a result, any quality administrator or provider not involved in a patient's care, or not part of an entity involved in the patient's care, would need to be listed by name on a patient's consent form to receive Part 2 Records from the clinically integrated care network. A clinically integrated network might elect instead to enter into a Qualified Service Organization Agreement (similar to a Business Associate Agreement under HIPAA) with the appropriate substance use disorder treatment programs to perform population health management on the treatment program's behalf. A Qualified Service Organization performing quality improvement or population health management services, however, may only disclose Part 2 Records within the office or unit responsible for quality improvement and population health, or back to the substance use treatment program.

To compensate for the perceived risks of making Part 2 Records more readily available through integrated care networks to all of a patient's past, present or future treating providers, SAMHSA has proposed requiring a variety of additional safeguards. Chiefly, SAMHSA proposes to require clinically integrated care networks to: a) have a mechanism in place to determine whether a treating provider relationship exists with the patient whose information is being disclosed; and b) maintain a list of disclosures made to treating providers and produce a list of disclosures to patients upon request. The "list of disclosures" requirement stands in contrast to HIPAA, which does not currently require covered entities to include within an "accounting of disclosures" those made for purposes of treatment, payment, or health care operations.  SAMHSA's list of disclosure requirement closely resembles a proposal from the Office for Civil Rights (OCR) from 2011 to require covered entities to maintain an "access log" of treatment, payment, and health care operations uses and disclosures. OCR's proposal was criticized by some for being overly burdensome to both health information technology vendors and health care providers, and OCR delayed its implementation in 2014 to obtain additional public comment, and it is still outstanding.  SAMHSA attempts to distinguish its proposal from OCR's by only requiring that the list of disclosures to include the entities that receive Part 2 Records, rather than the individual health care providers who access the information.  For example, if an HIE disclosed Part 2 Records to a doctor at ABC Hospital, the list of disclosures would only need to inform the patient that the HIE disclosed Part 2 Records to ABC Hospital, and would not need to list the individual doctor who received or accessed the information. 

Nevertheless, HIEs, ACOs, and other clinically integrated care networks might still find SAMHSA's two requirements to be technologically burdensome. Some, but not all, clinically integrated care networks can track whether or not a treating relationship exists between a particular provider within the integrated care network and the patient in question. Other clinically integrated care networks would need to build this capability or create a mechanism that requires providers to attest that they are treating providers before permitting them to access Part 2 Records.  Additionally, health information technologies implemented by clinically integrated care networks may not be capable of producing a human readable report with a list of disclosures, or "accesses" to the information on demand. As a result, these entities would also need to invest in this capability. If the price tag for such changes is significant, HIEs, ACOs, and clinically integrated care networks could choose instead to not integrate with substance use disorder treatment programs. Due to the uncertainty of OCR's accounting of disclosures proposal, HIEs, ACOs, and clinically integrated care networks may also be hesitant to make an investment in creating "list of disclosures" without knowing whether the technology would be consistent with future OCR mandated requirements. Finally, clinically integrated care networks wishing to accept Part 2 Records would need to implement technologies that segment Part 2 Records from other information within the clinically integrated care network to prevent Part 2 Records from being used for quality improvement activities unless an appropriate consent or Qualified Services Organization Agreement was in place.

In addition to the changes to written consent, the proposed rule also attempts to modernize 42 CFR Part 2's research provisions. The proposed rule would permit researchers covered by the Common Rule and/or the HIPAA Privacy Rule to follow the Common Rule and HIPAA Privacy Rule pathways for performing research on identifiable information when the informed consent or authorization is waived. The proposed rule would also, however, require additional research protections unique to researchers that receive Part 2 Records. For example, an individual or entity conducting research would need to agree to be fully bound by 42 CFR Part 2 with respect to Part 2 Records, and would be required to resist in judicial proceedings disclosures of Part 2 Records sought by law enforcement. Additionally, the proposed rule would only permit researchers who receive Part 2 Records without the consent of the patient to link Part 2 Records to other data sets if the data sets come from federal data repositories, such as "research identifiable files" from CMS. SAMHSA expressed a preference for federal data repositories because of the policy framework in place at the federal level for ensuring the privacy and security of such data sets. SAMHSA requested comment on allowing additional data linkages.  The data linking limitations, if finalized, could research efforts aimed at determining connections between behavioral health and other medical conditions more difficult because it would eliminate access to other data assets, even those accompanied by robust data protections.  SAMHSA will likely consider this balance during the comment period.

SAMHSA's proposed changes come at a time in which there is increasing public awareness in the importance of substance use disorder treatment due to rising rates of opioid addiction and overdose. 42 CFR Part 2 was designed to ensure the confidentiality of Part 2 Records due to the stigma attached to getting treatment, and the fear that the exposure of Part 2 Records could create criminal justice or employment status consequences. Some argue, however, that 42 CFR Part 2 has had the unintended effect of segmenting substance use disorder care from other forms of health care, thereby perpetuating the stigma the rule is meant to protect against.  While SAMHSA's proposal could potentially create a pathway for health information exchange that does not exist currently under 42 CFR Part 2, the proposed rule still maintains the current paradigm of protecting Part 2 Records above and beyond HIPAA's protections, without providing protection for equally sensitive substance use disorder treatment information that is not generated by federally assisted substance use disorder treatment programs. Currently, there are multiple bills in consideration by Congress that would increase funding to substance use disorder treatment and attempt to change the paradigm of separating substance use disorder care from other types of care. One such bill currently under consideration, the Helping Families in Mental Crisis Act (H.R. 2646), would change 42 CFR Part 2's authorizing statute so that HIEs, ACOs, health homes, and other integrated care arrangements that exchange electronic health records would be exempt from complying with 42 CFR Part 2 altogether. Advocates for broader exchange of Part 2 Records with other care providers may continue to push for legislative changes like this in light of the stringent requirements that would remain in place if the proposed rule is finalized.

The comment period for the proposed rule will run until April 11, 2016. Interested parties should submit comments electronically through the Federal eRulemaking Portal.

SAMHSA Proposes Changes To Substance Use Disorder Treatment Confidentiality Regulations

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.