Governance & Risk Management , Privacy
The Impact of New Privacy Rules for Substance Abuse PatientsAnalysis of HHS Proposal Designed to Ease Exchange of Data for Treatment
Federal regulators are proposing extensive changes to regulations governing the privacy of information about patients treated for substance abuse so that these individuals can more easily participate in new coordinated healthcare delivery models that rely on the electronic exchange of health data.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
While the proposed changes aim to streamline consent requirements for substance abuse patients to permit their health data to be electronically shared, some privacy experts say the proposals also potentially create new concerns, including new administrative and technology burdens. Most notably, those burdens include a requirement for providers to offer patients a "list of disclosures" that outlines the organizations to which information was disclosed after patients consent to have their information shared via health information exchanges.
The proposal also includes provisions for clarifying that healthcare providers holding information on substance abuse patients need to have in place formal policies and procedures for the security of both paper and electronic records.
Overall, the proposal is a step in the right direction, contends privacy attorney Adam Greene of the law firm Davis Wright Tremaine. The proposed new rule "is still going to be much stricter than HIPAA, but this proposal would ease some of the most significant challenges we have been seeing - challenges that have not allowed substance abuse treatment to reap some of the benefits of current health information technology and care coordination efforts."
But Deborah C. Peel, M.D., founder of advocacy group Patient Privacy Rights, takes a radically different point of view. She argues that the proposal is "designed to eliminate patients' control over their this sensitive information, which will drive millions away from treatment. This is all about personal data flows to third parties for business uses like revenue and return on investment."
Peel says the current regulations protecting information related to substance abuse "are the toughest and strongest federal privacy protections for any personal health data." She argues that the proposed changes would be "a tremendous blow to patient rights because it destroys the privacy needed for patients to be willing to seek substance abuse treatment in the first place."
The Department of Health and Human Services will officially publish its proposal in the Federal Register Feb. 9 and accept comments until April 11.
Better Care Coordination
In a Feb. 5 statement, HHS announced proposed revisions to the Confidentiality of Alcohol and Drug Abuse Patient Records "42 CFR Part 2" regulations, which govern the confidentiality of substance use disorder records. The goal of the proposed changes "is to facilitate information exchange within new healthcare models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder," HHS says.
"This proposal will help patients with substance use disorders fully participate and benefit from a healthcare delivery system that's better, smarter and healthier, while protecting their privacy," said Sylvia Burwell, HHS secretary in the statement. "We are moving Medicare, and the healthcare system as a whole, toward new integrated care models that incentivize providers to coordinate and put the patient at the center of their care, and we are modernizing our rules to protect patients."
HHS says its Substance Abuse and Mental Health Services Administration is proposing to modernize the existing rules because electronic exchange of patient information is critical in supporting coordination of patient care. HHS wants to ensure that patients with substance use disorders have the ability to participate in new integrated healthcare models - facilitated by health information exchange - without adverse consequences that could result from inappropriate disclosure of patient records.
Current Part 2 rules - which were first written in 1975 and last updated in 1987 - provide more stringent federal protections for substance abuse patients than most other health privacy laws, including the HIPAA Privacy Rule, HHS notes.
Among the proposed privacy and security related changes to 42 CFR Part 2 rules are:
- Rather than naming each authorized recipient, the proposal calls for allowing patients to give consent to a general designation of "to whom" their substance abuse disorder and treatment information can be disclosed, such as a class of participants of a specifically named health information exchange organization.
- Patients who have included a general designation in the "to whom" section of their consent form would be provided a list of entities to which their information has been disclosed.
- Current research exceptions would be revised to permit data protected by 42 CFR Part 2 regulations to be disclosed to qualified personnel for the purpose of conducting scientific research by a Part 2 program or any other individual or entity that is in lawful possession of Part 2 data.
- It would be clarified that both Part 2 programs and other lawful holders of patient identifying information must have in place formal policies and procedures addressing security for both paper and electronic records.
HHS writes in the proposed rule, "We expect the proposed changes ... to result in a decrease in the burdens associated with several aspects of this rule, including consent requirements. We anticipate there would be more individuals with substance use disorders participating in organizations that facilitate the exchange of health information - such as health information exchanges - and organizations that coordinate care, such as accountable care organizations."
Some privacy experts says the proposed changes are needed to reflect evolving healthcare delivery and electronic health information exchange trends in the U.S.
"This proposal tries to revise a very old regulation that predates the HIPAA rules by decades and developed a very protective approach for what was viewed as particularly sensitive information, in the absence of other federal privacy rules at the time," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP.
"These [current] rules are substantially more aggressive and burdensome than the overall HIPAA approach," he notes.
"The goal is to put this regulation more in line with the privacy practices for all other healthcare information, including a broad range of information that is equally as sensitive."
Areas of Concern
Other experts say that while the proposed rule change include some welcome modifications, they also bring some potential new concerns.
"Overall, I think this proposed rule brings some much needed changes to the Part 2 regulations," says Greene, the privacy attorney. "From my experience, the most important and most needed change is to allow a consent to specify a class of recipients, rather than naming each recipient by name. This may not seem like much, but the prior language was precluding Part 2 information from being included in health information exchange, where the HIE participants may change over time, making it unrealistic to obtain a consent that specifies each organization by name," he says.
"The proposed rule is also welcome in its expansion of how Part 2 information can be shared for research purposes without patient consent in certain circumstances, subject to appropriate controls, such as Institutional Review Board oversight of the research," Greene adds.
But while the proposed consent allows patients to identify a class of recipients rather than having to specifically name each recipient, Greene points out that this is limited to disclosures to entities in which a provider has a treatment relationship with the patient.
"My concern is that in the care coordination setting, such as an ACO [accountable care organization] network, there may be benefit to sharing all of a patient's medical record - including substance abuse treatment information - with other providers within the network, even if they have not yet treated the patient. Under the proposed rule, this may not be possible, even if the patient is willing to consent to such sharing."
Ultimately, the proposed changes, if finalized, would make it easier for healthcare entities to share information for treatment, payment and population health purposes, notes privacy attorney David Holtzman of security consulting firm Cynergistek. However, in other circumstances, the proposed rule would allow for other health-related information to be shared by the substance abuse treatment provider without prior consent if the disclosure or exchange is permissible under other applicable laws, he says.
Greene says another concern with the proposal is the addition of the list of disclosures requirement. Anecdotal evidence indicates that few patients ever request a listing of how their information has been disclosed, he says. "But it can be a significant undertaking to maintain a tracking system to support such a requirement, especially for non-electronic disclosures. Overall, the burden of maintaining an accounting of disclosures has outweighed the benefit to patients under HIPAA, so I was discouraged to see the concept incorporated into the proposed Part 2 rule too."