21 Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE)
In 2010, the HHS Substance Abuse and Mental Health Services Administration (SAMHSA) and the HHS Office of the National Coordinator (ONC) published FAQs “Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE).” The 2010 FAQs are available at Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE) (PDF | 381 KB).
This document is an educational document from the Substance Abuse and Mental Health Services Administration (SAMHSA) and the U.S. Department of Health and Human Services. It was prepared by SAMHSA staff, in collaboration with staff from the Office of the National Coordinator for Health Information Technology, and contractors and should not be considered legal advice.
FREQUENTLY ASKED QUESTIONS
Q1. Does the federal law that protects the confidentiality of alcohol and drug abuse patient records allow information about patients with substance use disorders to be included in electronic health information exchange systems?[1]
A1. Yes. The federal confidentiality law and regulations (codified as 42 U.S.C. § 290dd-2 and 42 CFR Part 2 [“Part 2”]), enacted almost three decades ago after Congress recognized that the stigma associated with substance abuse and fear of prosecution deterred people from entering treatment, has been a cornerstone practice for substance abuse treatment programs across the country. Part 2 permits patient information to be disclosed to Health Information Organizations (HIOs)[2] and other health information exchange (HIE) systems; however, the regulation contains certain requirements for the disclosure of information by substance abuse treatment programs; most notably, patient consent is required for disclosures, with some exceptions.[3]
This consent requirement is often perceived as a barrier to the electronic exchange of health information. However, as explained in other FAQs, it is possible to electronically exchange drug and alcohol treatment information while also meeting the requirements of Part 2.
Q2. What types of providers are covered programs under 42 CFR Part 2 (“Part 2”)?
A2. To be a “program” that falls under 42 CFR Part 2, an individual or entity must be federally assisted and hold itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment (42 CFR § 2.11). A program is “federally assisted” if it is:
- authorized, licensed, certified, or registered by the federal government;
- receives federal funds in any form, even if the funds do not directly pay for the alcohol or drug abuse services; or
- is assisted by the Internal Revenue Service through a grant of tax exempt status or allowance of tax deductions for contributions; or
- is authorized to conduct business by the federal government (e.g., certified as a Medicare provider, authorized to conduct methadone maintenance treatment, or registered with the Drug Enforcement Agency [DEA] to dispense a controlled substance used in the treatment of alcohol or drug abuse); or
- is conducted directly by the federal government.
A different definition of a “program” applies when services are provided by a specialized unit or staff within a general medical facility (or “mixed use” facility—see FAQ #15). A general medical facility has a Part 2 program if:
- there is “an identified unit within a medical facility which holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment”; or
- there are “medical personnel or other staff in a general medical facility whose primary function is the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment and who are identified as such providers.” (42 CFR § 2.11 [b], [c])
Most drug and alcohol treatment programs are federally assisted. However, there are for-profit programs and private practitioners that may not receive federal assistance of any kind. These programs and practitioners only see clients who have private health insurance or self-pay. Unless the state licensing or certification agency requires those programs or private practitioners to comply with Part 2, they are not subject to the requirements of 42 CFR Part 2, because they are not federally assisted. States may, however, enact laws requiring compliance with Part 2, and programs should refer to their state laws in these situations. Clinicians who use a controlled substance (e.g., benzodiazepines, methadone, or buprenorphine) for detoxification or maintenance treatment of a substance use disorder require a federal DEA registration and become subject to Part 2 through the DEA license. In contrast, a physician who does not use a controlled substance for treatment, such as Naltrexone, and does not otherwise meet the definition of a Part 2 program is not subject to Part 2.
Q3. What patients, and which records and information, are protected by 42 C.F.R Part 2?
A3. The Part 2 regulations “impose restrictions upon the disclosure and use of alcohol and drug patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program.” (42 CFR § 2.3[a]) The restrictions on disclosure apply to any information disclosed by a Part 2 program that “would identify a patient as an alcohol or drug abuser …” (42 CFR §2.12[a][1])
Under 42 CFR § 2.11:
- “Patient” means “any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program.”
- “Records” mean “any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.”
- “Disclose or disclosure” means the “communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the records of a patient who has been identified.”
- “Patient identifying information” means the “name, address, social security number, fingerprints, photographs of similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”
In sum, the information protected by Part 2 is any information disclosed by a Part 2 program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a Part 2 program.
Q4. For the purposes of the applicability of 42 CFR Part 2, does it matter how HIOs are structured?
A4. No. HIOs may take any number of forms and perform a variety of functions on behalf of the health care providers and other entities participating in the HIO network.[4] Regardless of the functions performed by the HIO, 42 CFR Part 2 still applies. HIOs may:
- provide the infrastructure to exchange patients’ health records among entities participating in the HIO network and facilitate the exchange of patients’ electronic health information;
- serve as a data repository that holds or stores patient records supplied by entities participating in the HIO network, and then makes them available for exchange in response to participants’ requests for such records;
- provide a record locator service for HIO participants and match individuals to their health records from different locations; or
- review and respond to requests for patient records from HIO participating providers.
Each of these scenarios involves the disclosure of Part 2 information. In some cases, the Part 2 program is disclosing protected information to the HIO, which stores it within the HIO system and then makes it available to HIO affiliated members on request. In other cases, the Part 2 program is disclosing protected information to the HIO, which does not keep it in a repository but rather passes the information along to HIO affiliated members. In either event, the disclosure of Part 2 protected patient information to and through the HIO would only be permitted in ways authorized by Part 2. This means that in nonmedical emergency situations, either a patient consent or a Qualified Service Organization Agreement (defined in other FAQs) will need to be in place in order for the Part 2 program to disclose the information to the HIO, and patient consent will be needed to allow the HIO to redisclose the Part 2 information to other HIO affiliated members.
Q5. Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?
A5. Unlike HIPAA, which generally permits the disclosure of protected health information without patient consent or authorization for the purposes of treatment, payment, or health care operations, Part 2, with limited exceptions (i.e., medical emergencies and audits and evaluations), requires patient consent for such disclosures (42 CFR §§ 2.3, 2.12, 2.13).[5] Some types of exchange, however, may take place without patient consent when a qualified service organization agreement (QSOA) exists or when exchange takes place between a Part 2 program and an entity with administrative control over that program.
A qualified service organization (QSO) means a person or organization that:
- provides services to a Part 2 program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and
- has entered into a written agreement with a program under which that person a) acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by these regulations; and b) if necessary, will resist in judicial proceedings any efforts to obtain access to patient records, except as permitted by these regulations.
Where a Part 2 program has entered into a QSOA with an entity that provides any of the covered services, and where the information exchanged is needed to provide the covered services, patient consent is not required. (42 CFR § 2.11)
In addition, patient consent is not required when information is exchanged within a Part 2 program or between a Part 2 program and an entity that has direct administrative control over the program. When a substance use disorder unit is a component of a larger behavioral health program or of a general health program, specific information about a patient arising out of that patient’s diagnosis, treatment or referral to treatment can be exchanged without patient consent among the Part 2 program personnel and with administrative personnel who, in connection with their duties, need to know information (42 CFR § 2.12[c][3]). Patient information may not be exchanged among all of the programs and personnel that fall under the umbrella of the entity that has administrative control over the Part 2 program. A QSOA would be required to enable information exchange without patient consent in this situation.
Q6. Under Part 2, can a Qualified Service Organization Agreement (QSOA) be used to facilitate communication between a Part 2 program and an HIO?
A6. Yes. A QSOA under Part 2, which is similar but not identical to a business associate agreement under §§ 164.314(a) and 164.504(e) of the HIPAA Security and Privacy Rules, is a mechanism that allows for disclosure of information between a Part 2 program and an organization that provides services to the program, such as an HIO. Examples of services that an HIO might provide include holding and storing patient data, receiving and reviewing requests for disclosures to third parties, and facilitating the electronic exchange of patients’ information through the HIO network.
Before a Part 2 program can communicate with a Qualified Services Organization—in this case the HIO—it must enter into a two-way written agreement with the HIO. Once a QSOA is in place, Part 2 permits the program to freely communicate information from patients’ records to the HIO as long as it is limited to that information needed by the HIO to provide services to the program. The HIO may also communicate with the Part 2 program and share information it receives from the program back with the program. Patient consent is not needed to authorize such communications between the HIO and Part 2 program when a QSOA is in place between the two.
Q7. May information protected by Part 2 be made available to an HIO for electronic exchange?
A7. Information protected by 42 CFR Part 2 may only be made available to an HIO for exchange if:
- a patient signs a Part 2-compliant consent form authorizing the Part 2 program to disclose the information to the HIO, OR
- a Qualified Service Organization Agreement (QSOA) is in place between the Part 2 program and the HIO.
Q8. If Part 2 information has been disclosed to the HIO, either pursuant to a Part 2-compliant consent form authorizing such disclosure or under a QSOA, may the HIO then make that Part 2 information available to HIO-affiliated members?
A8. An HIO may disclose Part 2 information that it has received from a Part 2 program to HIO affiliated members (other than the originating Part 2 program) only if the patient signs a Part 2-compliant consent form. Patient consent is not needed to authorize such communications between the HIO and Part 2 program when a QSOA is in place between the two.
Q9. How do different HIO patient choice models regarding whether general clinical health information may be disclosed to or through an HIO (e.g., no consent, opt in, or opt out) affect the requirements of 42 CFR Part 2?
A9. HIOs have adopted a number of different policies for making general clinical information available to participating members. Some HIOs have adopted a “no consent” model, under which a patient’s health information may be disclosed to an HIO and subsequently disclosed by the HIO to its affiliated members for specified purposes without obtaining the patient’s consent. Other HIOs have adopted an “opt in” model, in which the patient’s information is disclosed to the HIO and subsequently disclosed by the HIO to affiliated members for specified purposes only if the patient has affirmatively agreed to such disclosures. Yet other HIOs have adopted an “opt out” model, in which the patient’s information is disclosed to the HIO and subsequently disclosed by the HIO to affiliated members for specified purposes unless the patient has affirmatively declined to participate in such exchange.[6]
Regardless of which model the HIO adopts for exchanging general clinical information, the HIO must still comply with the requirements of 42 CFR Part 2 with respect to Part 2 information. This means that even if an HIO adopts a “no consent” model for other information, the patient’s Part 2-compliant consent must be obtained to disclose Part 2 information to or through the HIO. On the other hand, the HIO may impose requirements in addition to 42 CFR Part 2. For example, because an “opt in” model requires affirmative patient consent to participate in the HIO, a Part 2 program may need to obtain patient consent to disclose Part 2 information to an HIO even if the Part 2 program has a QSOA with the HIO.
Q10. If an HIO is holding or storing Part 2 patient data through a QSOA, can the HIO redisclose the data coming from the Part 2 program to a third party without patient consent?
A10. Only in very limited circumstances. An HIO may disclose the Part 2 information to a contract agent of the HIO, if it needs to do so in order to provide the services described in the QSOA, and as long as the agent only discloses the information back to the HIO or the Part 2 program from which the information originated. If a disclosure is made by the HIO to an agent acting on its behalf to perform the service, both the HIO and the agent are bound by Part 2, and neither organization can disclose the information except as permitted by Part 2.
The HIO would not be allowed to redisclose the information to third parties, including HIO affiliated members (except in a medical emergency, which will be discussed in other FAQs), because the HIO affiliated members are not acting as agents of the HIO, but rather are receiving services provided by the HIO. Consequently, if an HIO wants to redisclose the Part 2 program’s records to a participating member, it would need the consent of the patient.
Q11. What are the required elements of a patient consent under Part 2?
A11. A written consent to a disclosure under the Part 2 regulations must be in writing and include all of the following items (42 CFR § 2.31):
- the specific name or general designation of the program or person permitted to make the disclosure;
- the name or title of the individual or the name of the organization to which disclosure is to be made;
- the name of the patient;
- the purpose of the disclosure;
- how much and what kind of information is to be disclosed;
- the signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient;
- the date on which the consent is signed;
- a statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer; and
- the date, event or condition upon which the consent will expire if not revoked before. This data, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.
Q12. What must a Part 2 program do to notify the HIO, or any other recipient of Part 2 protected information, that it may not redisclose Part 2 information without patient consent?
A12. Part 2 requires each disclosure made with written patient consent to be accompanied by a written statement that the information disclosed is protected by federal law and that the recipient cannot make any further disclosure of it unless permitted by the regulations. Thus, when information is disclosed electronically, an accompanying notice explaining the prohibition on redisclosure must also be electronically sent. Under 42 CFR § 2.32, the statement must read:
“This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.”
Q13. Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties, such as HIO affiliated members?
A13. Yes. Under Part 2, a single consent form can authorize a disclosure of information about a patient to one recipient, such as an HIO, and simultaneously authorize that recipient to redisclose that information to an additional entity or entities (such as other HIO affiliated health care providers identified in the consent form), provided that the purpose for the disclosure is the same. The required statement prohibiting redisclosure must accompany the information disclosed through consent, so that each subsequent recipient of that information is notified of the prohibitions on redisclosure.
Q14. Does Part 2 allow the use of multiple-party consent forms?
A14. Yes. A Part 2 consent form can authorize an exchange of information between multiple parties named in the consent form. The key is to make sure the consent form authorizes each party to disclose to the other ones the information specified and for the purpose specified, in the consent.
If patients want to authorize all or many members of the HIO to access their Part 2-protected record as well as to exchange information with one another, a multiple-party consent form must comply with all relevant requirements of Part 2, including a list of the names of each person or organization to whom disclosures are authorized, that the parties may disclose to each other, and for what purposes.
Q15. Does Part 2 require the use of original signed consents?
A15. No. While consent under Part 2 must be in writing and nonverbal, “wet” signatures—where the entity obtaining a patient’s consent gets the consent form signed by the patient in-person and sends the original, signed consent form to the Part 2 provider—are not necessary. Part 2 does not require programs (or recipients named in the consent) to have a patient’s “original” signed consent form in their possession to make disclosures. As long as the program or recipient of the consent acts with reasonable caution, it may accept a facsimile or a photocopy of a consent form. Some electronic health information systems may have, or may be developing, the capacity to obtain electronic consents. An electronic signed consent form would be allowable as well, provided an electronic signature is valid under applicable law.
Q16. Under Part 2, may an HIO release demographic information about Part 2 patients without patient consent?
A16. Yes. However, one must be sure to be in compliance with Part 2, which prohibits the disclosure of patient-identifying information. (42 CFR § 2.11 and § 2.13) Therefore, releasing demographic information would only be allowed under Part 2 if the demographic information does not reveal any information that would identify the person, either directly or indirectly, as having a current or past drug or alcohol problem or as being a patient in a Part 2 program.[7]
Q17. Under Part 2, can an HIO reveal that a patient had an encounter at a mixed use facility (or “general medical” facility—see FAQ #2) as long as the HIO does not reveal that the patient was in the mixed use facility’s Part 2 program? A mixed use facility can be defined as a service provider organization that provides substance abuse treatment services as well as other health services such as primary care, dental care, mental health services, social services, etc.
A17. Yes, such a disclosure would be permitted under Part 2 because no information protected under Part 2—any information that would identify the person, either directly or indirectly, as having a current or past drug or alcohol problem or as being a patient in a Part 2 program—is being disclosed. Part 2 explicitly permits “acknowledgement of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol or drug abuse diagnosis, treatment, or referral facility, and if the acknowledgement does not reveal that the patient is an alcohol or drug abuser.” (42 CFR § 2.13[c][1])
Q18. Under Part 2, can an HIO use a consent form that provides for disclosure to “HIO members” and refers to the HIO’s website for a list of those members?
A18. No. 42 CFR Part 2, § 2.31(a)(2) states that consent forms must include the names of the individuals or organizations who will be the recipients of the Part 2 data. The purpose of this requirement is to ensure that patients are sufficiently informed about the disclosures that will be made under the consent. Many individuals throughout the country still do not have computers or access to the Internet, and many HIO affiliated health care providers do not have the resources to provide patients with access to the Internet at the HIO providers’ offices. Thus, Part 2 consents should identify, by attachment if necessary, all the HIO affiliated members that are potential recipients of the Part 2 data.
Q19. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to future HIO affiliated health care providers?
A19. No. If a health care provider joins the HIO after a consent is signed, and the patient later goes to that provider for care, Part 2 would require that the new HIO affiliated health care provider obtain the patient’s consent for access to the patient’s information. This is consistent with 42 CFR Part 2, §2.31(a)(2) that requires patient consent to include the names of the individuals or organizations that will be the recipients of the Part 2 data.
Q20. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to health care providers who are providing on-call coverage for HIO affiliated health care providers or with whom those affiliated providers consult?
A20. Yes, if those providing on-call coverage and consultation for an HIO affiliated provider are listed on the consent form. (See 42 CFR § 2.31[a][2] requiring the specific name of the individual or organization to whom disclosure may be made to be included in the consent form.)
Q21. Can a Part 2 patient consent be used to enable multiple disclosures?
A21. Yes. Under a Part 2 patient consent, information may be disclosed multiple times, as long as the consent has not yet expired and the entities to whom the information is to be disclosed, the nature of the information, and the purpose for the disclosure specified in the consent form are still the same. A separate consent form does not need to be obtained each time a disclosure of Part 2 records is made.
Q22. Can a Part 2 program or HIO use a consent form that has no specific expiration date but rather states that disclosure is permitted until consent is revoked by the patient?
A22. No. Under 42 CFR § 2.31, a Part 2 consent form must list the date, event, or condition upon which the consent will expire, if not revoked before. Thus, it is not sufficient under Part 2 for a consent form to merely state that that disclosures will be permitted until the consent is revoked by the patient. It is, however, permissible for a consent form to specify the event or condition that will result in revocation, such as having its expiration date be “upon my death.”
Q23. Is “treatment” a sufficient description of the intended purpose of a disclosure on a Part 2 consent?
A23. Yes, it is sufficient for “treatment” to be listed on a consent form as the intended purpose of a disclosure under Part 2. A consent authorizing Part 2 patient information to be included in, or exchanged through, an HIO’s system for the purpose of “treatment” would not permit that information to be shared or used for other purposes, such as for payment, disease management, or quality improvement activities, among others.
Q24. Under Part 2, can any health care provider make the determination that a medical emergency exists, or must a Part 2 provider make that determination?
A24. Any health care provider who is treating the patient for a medical emergency can make that determination. Under the medical emergency provision in Part 2, §2.51, “patient identifying information may be disclosed to medical personnel who have a need for information about the patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” (42 CFR § 2.51[a]) This provision does not require that the Part 2 program make that determination. Thus, any treating provider who determines that a condition which poses an immediate threat to the health of an individual exists can make the decision to “break the glass” (the term used when a health care provider, in the case of an emergency, gets access to a patient’s records without the patient’s consent) and gain access to Part 2 records. This includes HIO affiliated health care providers treating an individual in a medical emergency who might seek access to records about a patient that are held in, or made available through, an HIO.
Q25. May a computer system be used to automatically determine whether a medical emergency exists and whether a disclosure of Part 2 data can be made without the patient’s consent?
A25. Automated electronic health information systems can be programmed to flag specific patient information for a provider to use in determining whether a medical emergency exists and may be programmed to provide alerts to authorized providers. However, one may not automate the determination of a medical emergency. Part 2 requires medical personnel treating an emergency (the treating provider) to use their professional judgment to determine whether the situation meets Part 2’s definition of a medical emergency, defined as a particular condition that poses an immediate threat to the health of any individual and requires medical intervention. Once a medical emergency has been determined, Part 2 information may be disclosed without the patient’s consent. (42 CFR § 2.51[a])
Q26. If a medical emergency exists, can the entire Part 2 record be released?
A26. Yes. If there is a medical emergency, Part 2 would allow the entire record to be released through an HIO to a treating provider who indicates that he or she needs access to that information to treat a condition that poses an immediate threat to the health of any individual and requires immediate medical intervention.
Q27. For documentation purposes, if a medical emergency is present, would it be permissible under Part 2 to have treating providers simply check a drop down box signifying the existence of such a medical emergency?
A27. Under Part 2 it is permitted, but not sufficient, for treating providers in a medical emergency to merely check a drop down box to signify that they deem that a medical emergency exists under Part 2’s definition. Part 2 requires that when a disclosure is made in connection with a medical emergency, the Part 2 program must document in the patient’s record the name and affiliation of the medical personnel receiving the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency. Thus, the same information must be recorded by treating providers in any medical emergency and conveyed to the Part 2 program. Automated electronic systems may be used to generate information necessary for a provider to make a determination of a medical emergency, to enable provider entry of emergency information, and/or to generate a report documenting the emergency. Other laws or legal requirements that are, or may be, applicable to HIO affiliated health care providers have similar requirements for audit trails to document the specifics of “break the glass” incidents, such that it enables review by the relevant privacy officer that such access was proper.
Q28. Under Part 2, may an HIO system make clinical decision support functions (such as showing a patient’s medications to clinicians when they write prescriptions, automatically ordering medications, and/or alerting clinicians about potential drug interactions) available to HIO affiliated health care providers in a medical emergency?
A28. Yes. Access without patient consent is permitted for information protected by Part 2 in circumstances that meet Part 2’s definition of a medical emergency (42 CFR § 2.51). When a treating provider determines that a true medical emergency exists, the system can show the physician the information that is needed to treat that medical emergency, including revealing Part 2 information. In circumstances not involving a medical emergency, the system could not disclose any Part 2 data to the treating physician in the absence of consent. The system could only tell the provider that a specific consent must be obtained, and it must be set up so that such a notice would not reveal the existence of protected Part 2 information.
Q29. Does the Part 2 definition of medical emergency also include mental health emergencies?
A29. Yes. Part 2 does not distinguish between physical and mental health emergencies. A medical emergency is simply defined as a health emergency affecting any individual that requires immediate medical intervention. (42 CFR § 2.51[a])
Q30. When the HIO keeps an electronic record of a medical emergency, does that fully meet Part 2’s requirement to document disclosures made in a medical emergencies in the patient’s record?
A30. No. Part 2 requires that when a disclosure is made in connection with a medical emergency, the Part 2 program (emphasis added) must document in the patient’s record the name and affiliation of the recipient of the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency (42 CFR § 2.51[c]). Thus, data systems must be designed to ensure that the Part 2 program is notified when a “break the glass” disclosure occurs and Part 2 records are released pursuant to a medical emergency. The notification should include all the information that the Part 2 program is required to document in the patient’s records. The information about emergency disclosures should also be kept in the HIO’s electronic system.
Q31. If an HIO’s electronic system makes a disclosure in a medical emergency, would documenting the name of the discloser as “electronically disclosed through the system administered by HIO” meet Part 2’s requirement that the name of the person who made the disclosure be documented in the patient’s record?
A31. No. Part 2 requires that all the circumstances surrounding a disclosure in a medical emergency situation be immediately documented in writing in order to ensure that all the circumstances surrounding a medical emergency disclosure can be investigated and individuals held accountable for their decisions. The HIO is the vehicle for the disclosure of the Part 2 record but not the decision-maker. Thus, documenting the disclosure as “electronically disclosed through the system administered by the HIO,” while technically accurate, does not reveal the information that must be documented under Part 2—the identity of the individual who determined that the situation was in fact a medical emergency and determined that the patient’s records should be released. The name of the person who makes the determination and documentation of disclosure made electronically through a system administered by the HIO should be recorded in the HIO’s electronic system.
Q32. If an HIO’s electronic system sends Part 2 data in a medical emergency to a printer or fax machine in the emergency room, can “the printer in the emergency department” meet Part 2’s requirement to document in the patient’s record the name of the person to whom the disclosure was made?
A32. No. Part 2 requires that “[t]he name of the medical personnel to whom disclosure was made and their affiliation with any health care facility” be recorded in order to ensure that all the recipients of the information were authorized to receive that information and used it appropriately. Therefore, the name(s) of the medical personnel who received the information and used it to treat the patient should be recorded. (42 CFR § 2.51[c])
Q33. Once Part 2 information is disclosed in a medical emergency, can that information be redisclosed without obtaining patient consent?
A33. Yes. In contrast to circumstances where information is disclosed through patient consent, if a medical emergency exists, Part 2 provisions do not prohibit the redisclosure of Part 2 information once it is released. Consequently, medical personnel treating a patient for a medical emergency who are HIO affiliated providers may download and include in their own records the information they obtained in treating the emergency, and may then redisclose that information to others without obtaining patient consent. However, all disclosures of information under the regulation must be limited to the information necessary to carry out the purpose of the disclosure (42 CFR § 2.13[a]).
Q35. Can an HIO disclose data for Disease Management purposes under Part 2 without patient consent?
A35. No. The HIO may not disclose protected Part 2 information for Disease Management purposes unless the patient specifically authorizes such a redisclosure for that purpose in a consent form that meets Part 2’s requirements. It would be helpful for the consent form to explain the term “Disease Management” and even, perhaps, provide examples of how the information might be used. If a Part 2 program discloses information to the HIO via a QSOA, the HIO would still need to obtain the patient’s consent before redisclosing the protected information to any third parties for Disease Management purposes. A disclosure would be permitted in those rare situations where information disclosed by the HIO for Disease Management purposes does not implicitly or explicitly disclose the information protected by Part 2. An example would be when information is aggregated data that does not reveal that the patient has a drug or alcohol problem or the patient’s status as a participant in alcohol or drug treatment.
Q36. Under Part 2, would an HIO be permitted to disclose to an HIO affiliated payer the data of several patients held by the HIO, which may include Part 2 data, in order for the payer to target where interventions could be made with particular patients to improve care and management of disease?
A36. No. An HIO would not be permitted to disclose information protected by Part 2 to payers for any reason, including Disease Management, without a Part 2 consent specifically authorizing disclosure for that purpose.
Q37. If an HIO affiliated health care provider wishes to gain access to a minor’s Part 2 record held by the HIO, may the HIO or provider obtain only the consent of a parent or guardian, or must the minor’s consent also be obtained?
A37. Under Part 2, the HIO affiliated provider and/or the HIO (acting for the provider and Part 2 program) must always obtain the minor’s consent before the provider can gain access to the minor’s Part 2 record (42 CFR § 2.14). Depending on state law, the provider might also need to obtain the parent’s or guardian’s consent as well. Parental consent for a disclosure is required in addition to the minor’s only if the Part 2 program is required by state law to obtain parental consent before providing alcohol or drug treatment to the minor. In other words, if a state law gives a minor the legal authority to consent to treatment on his/her own, without a parent’s or guardian’s permission or knowledge, then only the minor’s consent is required for the HIO to disclose the minor’s information to the HIO affiliated health care provider under Part 2. If state law requires parental consent for the minor to be provided alcohol or drug treatment, then the consent of both the minor patient and the parent or guardian is required before the Part 2 program or HIO can make any disclosures. The minor’s written consent must be obtained first in all cases.
License and Attribution
Substance Abuse and Mental Health Services Administration. (2010). Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data? (PDF |1.6 MB) Frequently Asked Questions.
This work resides in the public domain.
- Health Information Exchange is a generic term that refers to a number of methods and mechanisms through which information can be exchanged electronically. ↵
- As used in this paper, the term “HIO” means an organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards. See The National Alliance for Health Information Technology, Report to the Office of the National Coordinator for Health Information Technology on Defining Key Health Information Technology Terms, April 28, 2008, found at http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10741_848133_0_0_18/10_2_hit_terms.pdf. While the majority of these FAQs relate to HIOs, the principles for applying the Part 2 regulations apply to other methods of health information exchange as well. ↵
- Most substance abuse treatment programs are also subject to the HIPAA Privacy Rule. In 2004, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a guidance that summarizes variance between the two rules and implementation solutions. That guidance can be found at http://www.hipaa.samhsa.gov/download2/SAMHSAPart2-HIPAAComparison2004.pdf. ↵
- For purposes of these FAQs, entities that participate in an HIO network, including, but not limited to, participating health care providers, will be referred to as “HIO affiliated members.” Participating health care providers may also be referred to as “HIO affiliated health care providers.” ↵
- For a comparison of the HIPAA Privacy Rule and Part 2 provisions, see the SAMHSA guidance at: http://www.hipaa.samhsa.gov/download2/SAMHSAPart2-HIPAAComparison2004.pdf. ↵
- This discussion of patient choice models relies upon definitions presented in “Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis” found on the web page of the Office of the National Coordinator for Health Information Technology at http://healthit.hhs.gov/portal/server.pt?open=512&objID=1147&parentname=CommunityPage&parentid=10&mode=2&in_ hi_userid=11113&cached=true . There are variations on these general models, however, the principles with respect to 42 CFR Part 2 apply to all models. ↵
- Additional information about patient-identifying information can be found in the 2004 Substance Abuse and Mental Health Services Administration (SAMHSA) guidance document at http://www.hipaa.samhsa.gov/download2/SAMHSAPart2-HIPAAComparison2004.pdf. ↵