SAMHSA Final Rule Updates the 42 C.F.R. Part 2 Substance Abuse Confidentiality Requirements

By Will Blackford, Class of 2017

After four decades of anticipation, the Substance Abuse and Mental Health Service Administration (“SAMHSA”) published on January 18 a Final Rule modernizing the laws governing how providers share data about individuals with a substance use disorder (“SUD”). The affected regulations, known as 42 C.F.R. Part 2 (“Part 2”), were updated to meet the demands of the electronic age. The Final Rule is meant to facilitate broader data delivery and electronic exchange while safeguarding the privacy of the patient information.

Revisions to Part 2 under the Final Rule include:

  • Consent. Rather than requiring the identification of a specific information recipient, patients are now allowed, in certain circumstances, to consent to a “general disclosure” to intermediate entities (e.g., “my current and future treating providers”).
  • Disclosure. Any patient who opts for this general designation consent may request in writing (paper or electronic) a list of entities to which their information has been disclosed (“List of Disclosures”), and the disclosing entity named on the general consent form must respond within 30 days with a brief description of each disclosure made within the past two years.
  • Description. All patient consent forms are required to include an explicit description of the amount and kind of information that may be disclosed.
  • Scope. The applicability of restrictions on disclosures under Part 2 is expanded to include individuals or entities receiving patient records from “other lawful holders of patient identifying information.”
  • Security. Part 2’s security requirements now apply to both electronic and paper records, as well as require Part 2 programs and “other lawful holders” to have formal security policies and procedures in place.
  • Exclusions. Simply providing screening, brief intervention, or referral to treatment, within the scope of general healthcare, does not subject a provider to classification as a Part 2 program.
  • Qualified Service Organizations. The definition of a Qualified Service Organization (“QSO”) is expanded to include an entity that provides population health management (“PHM”) services to a Part 2 program; however, disclosures under QSO agreements are limited to specific offices or units that actually carry out PHM and such agreements may not be used to circumvent patient consent.
  • Re-disclosure. As a clarification, the prohibition on re-disclosure under Part 2 now applies only to information that would identify a patient as having been diagnosed, treated, or referred for a SUD, unless the patient expressly authorizes such disclosure.
  • Other Disclosures. The Final Rule also relaxes requirements in specific areas, such as disclosure without consent for certain scientific research, medical emergencies, and audits or evaluations.
  • Payment and Operations Disclosures. Due to commenter concerns, SAMHSA issued, alongside the Final Rule, a Supplemental Notice of Proposed Rulemaking (“SNPRM”) to seek comment on disclosures to contractors for payment and operations facilitations, as well as disclosures for Medicare, Medicaid, and other federal program audits or evaluations.


Although the Final Rule was scheduled to go into effect on February 17, 2017, President Trump’s 60-day hold on all rules published in the Federal Register that are not yet effective will likely delay the effective date until at least March 21, 2017. But even with the delay, those providers subject to Part 2 have a very limited timeframe to thoroughly review the new provisions and implement necessary changes.

Specifically, Part 2 providers should implement or update security procedures to address both paper and electronic records. Security measures should also clarify internal policies for creating, maintaining, transferring, destroying, and de-identifying such records. Should providers choose to utilize the new general designation consents for disclosures, there will need to be adequate recordkeeping processes in place to ensure compliance with any List of Disclosure requests. Additionally, providers working with QSO vendors should review relevant contractual documentation to confirm that such vendors are correctly categorized as a QSO under the new definition.

Stay tuned as we continue to monitor the implementation of this Final Rule and analyze its legal consequences.

Leave a Reply

Your email address will not be published. Required fields are marked *