SAMHSA and ONC: FAQs on Substance Abuse Confidentiality Regulations for HIEs

Monday 21 June 2010
The Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office of the National Coordinator for Health Information Technology (ONC) announced last week the release of FAQs for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges (HIEs).

Cover letter regarding the FAQs by Pamela S. Hyde, the Administrator of SAMHSA, and David Blumenthal, National Coordinator for ONC. The letter describes that the the Substance Abuse Confidentiality Regulations under 42 CFR Part 2 were enacted years ago (circa 1975). Due to the age of the regulations SAMHSA and ONC created the FAQs to provide guidance and understanding of the scope of these regulations in the context of today's move toward an electronic health information system.

The FAQs outline the general requirements under 42 CFR Part 2, provide guidance on its application to HIEs, and identify methods for including substance abuse related health information into HIEs that is consistent with the Federal statute.

As a follow-up to the release of the FAQs, SAMHSA and ONC will convene a meeting of concerned or interested parties from both the Behavioral Health and Information Technology (BH-IT) communities on August 4, 2010. The meeting will be an opportunity for SAMHSA and ONC to receive questions and comments on the FAQs.

  1. Does the federal law that protects the confidentiality of alcohol and drug abuse patient records allow information about patients with substance use disorders to be included in electronic health information exchange systems?
  2. What types of providers are covered programs under 42 CFR Part 2 (“Part 2”)?
  3. What patients, and which records and information, are protected by 42 C.F.R Part 2?
  4. For the purposes of the applicability of 42 CFR Part 2, does it matter how HIOs are structured?
  5. Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?
  6. Under Part 2, can a Qualified Service Organization Agreement (QSOA) be used to facilitate communication between a Part 2 program and an HIO?
  7. May information protected by Part 2 be made available to an HIO for electronic exchange?
  8. If Part 2 information has been disclosed to the HIO, either pursuant to a Part 2- compliant consent form authorizing such disclosure or under a QSOA, may the HIO then make that Part 2 information available to HIO-affiliated members?
  9. How do different HIO patient choice models regarding whether general clinical health information may be disclosed to or through an HIO (e.g., no consent, opt in or opt out) affect the requirements of 42 CFR Part 2?
  10. If an HIO is holding or storing Part 2 patient data through a QSOA, can the HIO redisclose the data coming from the Part 2 program to a third party without patient consent?
  11. What are the required elements of a patient consent under Part 2?
  12. What must a Part 2 program do to notify the HIO, or any other recipient of Part 2 protected information, that it may not redisclose Part 2 information without patient consent?
  13. Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties, such as HIO affiliated members?
  14. Does Part 2 allow the use of multiple-party consent forms?
  15. Does Part 2 require the use of original signed consents?
  16. Under Part 2, may an HIO release demographic information about Part 2 patients without patient consent?
  17. Under Part 2, can an HIO reveal that a patient had an encounter at a mixed use facility (or “general medical” facility – see FAQ #2) as long as the HIO does not reveal that the patient was in the mixed use facility’s Part 2 program? A mixed use facility can be defined as a service provider organization that provides substance abuse treatment services as well as other health services such as primary care, dental care, mental health services, social services, etc.
  18. Under Part 2, can an HIO use a consent form that provides for disclosure to “HIO members” and refers to the HIO’s website for a list of those members?
  19. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to future HIO affiliated health care providers?
  20. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to health care providers who are providing on-call coverage for HIO affiliated health care providers or with whom those affiliated providers consult?
  21. Can a Part 2 patient consent be used to enable multiple disclosures?
  22. Can a Part 2 program or HIO use a consent form that has no specific expiration date but rather states that disclosure is permitted until consent is revoked by the patient?
  23. Is “treatment” a sufficient description of the intended purpose of a disclosure on a Part 2 consent?
  24. Under Part 2, can any health care provider make the determination that a medical emergency exists, or must a Part 2 provider make that determination?
  25. May a computer system be used to automatically determine whether a medical emergency exists and whether a disclosure of Part 2 data can be made without the patient’s consent?
  26. If a medical emergency exists, can the entire Part 2 record be released?
  27. For documentation purposes, if a medical emergency is present, would it be permissible under Part 2 to have treating providers simply check a drop down box signifying the existence of such a medical emergency?
  28. Under Part 2, may an HIO system make clinical decision support functions (such as showing a patient’s medications to clinicians when they write prescriptions, automatically ordering medications, and/or alerting clinicians about potential drug interactions) available to HIO affiliated health care providers in a medical emergency?
  29. Does the Part 2 definition of medical emergency also include mental health emergencies?
  30. When the HIO keeps an electronic record of a medical emergency, does that fully meet Part 2’s requirement to document disclosures made in a medical emergencies in the patient’s record?
  31. If an HIO’s electronic system makes a disclosure in a medical emergency, would documenting the name of the discloser as “electronically disclosed through the system administered by HIO” meet Part 2’s requirement that the name of the person who made the disclosure be documented in the patient’s record?
  32. If an HIO’s electronic system sends Part 2 data in a medical emergency to a printer or fax machine in the emergency room, can “the printer in the emergency department” meet Part 2’s requirement to document in the patient’s record the name of the person to whom the disclosure was made?
  33. Once Part 2 information is disclosed in a medical emergency, can that information be redisclosed without obtaining patient consent?
  34. If a patient has previously refused to consent to the release of his/her Part 2 record to a particular HIO affiliated health care provider, and then the patient is brought to that provider in a bona fide medical emergency situation, can that provider gain access through the HIO to the information without the patient’s consent under Part 2?
  35. Can an HIO disclose data for Disease Management purposes under Part 2 without patient consent?
  36. Under Part 2, would an HIO be permitted to disclose to an HIO affiliated payer the data of several patients held by the HIO, which may include Part 2 data, in order for the payer to target where interventions could be made with particular patients to improve care and management of disease?
  37. If an HIO affiliated health care provider wishes to gain access to a minor’s Part 2 record held by the HIO, may the HIO or provider obtain only the consent of a parent or guardian, or must the minor’s consent also be obtained?