42 CFR Part 2 is a federal regulation that requires substance abuse disorder treatment providers observe privacy and confidentiality restrictions with respect to patient records. These regulations, together with the privacy regulations found in the HIPAA Privacy Rule, work to protect the confidentiality of patient identifying information and protected health information (PHI) found in substance abuse disorder (SUD) medical records. Recently, the Substance Abuse and Mental Health Services Administration (SAMHSA), a branch of the Department of Health and Human Services (HHS), has proposed changes to the 42 CFR Part 2 SUD privacy regulations. Proposed changes to substance abuse privacy regulations is discussed below.

Are you adequately protecting patient data? Find out now with our HIPAA compliance checklist.

What Changes Have Been Proposed to Substance Abuse Privacy Regulations?

42 CFR Part 2’s general rule places privacy and confidentiality restrictions upon disclosure of substance use disorder treatment records.

Under Part 2 substance abuse privacy regulations, providers may not disclose information in a substance abuse disorder (SUD) patient’s record, unless the provider can either obtain consent, or is permitted to disclose under an exception that specifically authorizes the disclosure.

The exceptions specifically authorizing disclosure are:

  • When there is a patient medical emergency.
  • When state law requires the reporting of incidents of suspected child abuse and neglect to the appropriate state or local authorities. 
  • When there are communications from part 2 program personnel to law enforcement agencies or officials which are directly related to a patient’s commission of a crime on the premises of the part 2 program or against part 2 program personnel, or a threat to commit such a crime.
  • When an individual determined by the part 2 program to be qualified to conduct an audit or evaluation of the part 2 program, or other lawful holder, is conducting an audit or evaluation that encompasses record review. 
  • Research requests.
  • When communications between a part 2 program and a qualified service organization of information are needed by the qualified service organization to provide services to the program.
  • When a valid court order authorizing disclosure and use of patient records is issued.

SAMHSA recently proposed changes to the “medical emergency” exception.

Under the current 42 CFR Part 2 medical emergency exception, patient identifying information may be disclosed to medical personnel, to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained.

Patient identifying information is defined as the “name, address, Social Security number, fingerprints, photographs or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.” 

Generally, a bona fide medical emergency exists when a person requires urgent care to treat an imminent, life-threatening condition, when it is not practical to obtain the person’s consent to disclose SUD records before treatment.

SAMHSA has proposed to broaden the scope of the phrase “medical emergency.” SAMHSA proposes to authorize a Part 2 program to disclose patient identifying information to medical personnel, without patient consent, as needed, in the event of a natural or major disaster to deliver effective ongoing substance use disorder services to patients in such disasters. 

Specifically, SAMHSA proposes that this medical emergency exception would apply only when:

  • A state or federal authority declares a state of emergency as a result of a disaster; and 
  • The part 2 program is closed and unable to provide services or obtain the informed consent of the patient as a result of the disaster.
Third Party Verification and Validation

Need Help with HIPAA?

Let our complete HIPAA solution handle it.