January 31, 2023
Via electronic submission
The Substance Abuse and Mental Health Services Administration (SAMHSA)
Department of Health and Human Services
5600 Fishers Lane
Rockville, MD 20857
Re: HHS-OCR-2022-0018: Confidentiality of Substance Use Disorder (SUD) Patient Records
Dear Assistant Secretary Delphin-Rittmon:
Connecting for Better Health is a coalition of industry stakeholders dedicated to advancing data sharing policies in California. We appreciate the opportunity to provide comments on HHS-OCR-2022-0018, the notice of proposed rulemaking regarding Part 2 of Title 42 of the Code of Federal Regulations (“Part 2”). Connecting for Better Health is supportive of HHS’ goals of strengthening integration of information and improving care coordination to better serve patients, and this proposed rule is an important step towards those goals.
As California’s Medicaid (“Medi-Cal”) program implements new initiatives to integrate behavioral health and strengthen data sharing across health and social services, the “no wrong door” approach means many clinical and community-based providers will be newly supporting patients with SUD services and collaborating across care teams.1 However, research demonstrates that privacy laws can impede collaboration between providers.2 As behavioral health integration relies on strong coordination among providers, we believe this proposed rule is a necessary update to privacy protections in order to bring Part 2 in line with HIPAA.
We strongly support the proposed changes that align Part 2 with HIPAA, as outlined below.
- Patient Consent and Redisclosure of Records: As a coalition, we support the proposed change to a single patient authorization with a general consent for the disclosure and use of Part 2 records to Part 2 programs, providers, and named intermediaries. We agree with the Department that these important changes align with the CARES Act. These changes will support data sharing efforts for treatment, payment, and operations (TPO) purposes, and support efforts to integrate behavioral health into primary care. This proposed change balances the need to align Part 2 with HIPAA more closely with the need to continue protecting sensitive patient information.
1 “California Advancing and Innovating Medi-Cal (CalAIM) Behavioral Health.” https://www.dhcs.ca.gov/CalAIM/Documents/CalAIM-BH-a11y.pdf
2 Chris Collins, et al., “Evolving Models of Behavioral Health Integration in Primary Care.” https://www.milbank.org/wp-content/files/documents/10430EvolvingCare/EvolvingCare.pdf
While we recognize the Department’s fear of “…reduced ability to make specific use and disclosure decisions could result in a greater likelihood of harm to reputation, relationships, and livelihood…,” we note that Part 2 programs will be limited to sharing these data for TPO purposes under the general consent provision. Although we agree with the Department that the general consent provision will create business efficiencies for Part 2 programs and their Business Associates, we also stress that there is an imperative to address the harm posed when Part 2 data are not shared in ways that can support the ongoing treatment and management of substance use disorders by Part 2 programs, primary care teams, health plans, and other key actors.
- Accounting of Disclosures: The coalition supports the proposed change to requiring patient disclosure for the prior six years, or three years prior with patient consent if the patient information was disclosed via an electronic health record. This aligns with the CARES Act’s requirement that the HITECH accounting provisions apply to “all disclosures” and not just those via an electronic health record. Additionally, we are supportive of this proposal to toll the effective compliance date of the accounting provisions, to ensure the consistency of the effective compliance date for patient disclosure regulations with those of HIPAA.
- Restrictions on Permitted Disclosures: We are supportive of the proposal to permit Part 2 programs to allow patients to request restrictions on the use and disclosure of Part 2 information to carry out TPO, bringing this regulation in line with HIPAA. Relatedly, we support the Department’s proposal to change references to “disclosure and use” to “use and disclosure” to align with HIPAA. We agree that these changes are not substantive in nature, given that under Part 2 and HIPAA, “use” and “disclosure” can be mutually exclusive, independent actions, and that the proposed definition of “use” is inclusive of the historical definition of “use” related to legal proceedings under Part 2.
- Breach Notifications and Security Standards: We support the proposal to align the breach notification requirements in Part 2 with those under the HIPAA Breach Notification Rule.
With regard to the Department’s request for information regarding the burden this may place on Part 2 programs, we recognize that adopting the HIPAA breach notification requirements may create additional financial and operational burdens for Part 2 programs that are not covered entities; however, aligning breach notification requirements for Part 2 programs that may or may not be covered entities aligns with the intent of the CARES Act and ensures that sensitive Part 2 data are subject to the same, higher breach notification requirements as those placed on non-Part 2 covered entities and business associates that handle protected health information.
We similarly support the Department requiring Part 2 program compliance with the Security Rule for Part 2 programs that maintain electronic records but are not covered entities. Part 2 security regulations are not currently as stringent as those of the HIPAA Security Rule, particularly for data held electronically. The Office of the National Coordinator for Health Information Technology (ONC) has found that approximately 85% of substance abuse treatment centers utilize electronic records either exclusively or in combination with patient records,3 and the use of electronic records to manage Part 2 data necessitates security standards utilized more widely in the industry. As the Department has noted the risk of harm related to stigmatization should records be released inadvertently and given the increased threat of security breaches associated with the use of electronic records, we recommend that the Department adopt the HIPAA Security Rule standards to apply to Part 2 programs maintaining electronic records.
Connecting for Better Health strongly supports the proposed changes to Part 2 to better align patient confidentiality regulations with HIPAA. We appreciate the opportunity to submit these comments. If you have any questions, please contact Robby Franceschini, Director of Policy at BluePath Health, at email@example.com.
Sincerely,
Timi Leslie
Director, Connecting for Better Health
Founder and President, BluePath Health
3 Wesley Barker and Christian Johnson, Office of the National Coordinator for Health Information Technology, Variation in Methods for Health Information Management among U.S. Substance Abuse Treatment Centers, 2017 (2020),