2 min read

Sharing substance abuse records under HIPAA and 42 CFR Part

Sharing substance abuse records under HIPAA and 42 CFR Part

Under HIPAA and the 42 CFR Part 2 rule, substance abuse records can be shared with one written patient consent form for future uses and disclosures related to treatment, payment, and healthcare operations. Once shared, HIPAA covered entities and business associates can redisclose these records as permitted by HIPAA without needing additional consent.

 

Understanding HIPAA

HIPAA safeguards protected health information (PHI) across all healthcare sectors. It outlines requirements for PHI privacy and security, including information related to an individual's health condition, treatment, or payment for services. The HHS states, “A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations…" However, when it comes to substance abuse records, HIPAA's provisions must be interpreted alongside 42 CFR Part 2.

 

Introduction to 42 CFR Part 2

The final rule for 42 CFR Part 2, announced on February 8, 2024, modifies the confidentiality provisions concerning Substance Use Disorder (SUD) patient records. The update aligns certain aspects of Part 2 with HIPAA regulations, following provisions from the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The main goal remains to protect the confidentiality of individuals receiving SUD treatment, ensuring they feel safe disclosing sensitive information.

Under the new rule, healthcare providers can obtain a single consent form for all future uses and disclosures related to treatment, payment, and healthcare operations. According to the HHS, it "allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations."

 

Recommended practices for sharing substance abuse records

Healthcare organizations must implement best practices to ensure compliance with both HIPAA and 42 CFR Part 2:

  1. Obtain explicit patient consent: Always secure written consent before sharing SUD records. Consent should specify the information being shared, the purpose, and the recipient.
  2. Document consent properly: Maintain accurate records of consent forms and communications. Documentation helps with compliance and accountability.
  3. Train staff: Regularly educate healthcare staff about the differences between HIPAA and 42 CFR Part 2, focusing on the specific consent requirements for SUD records.
  4. Use secure communication channels: Ensure all electronic communications containing sensitive information are through secure, HIPAA compliant channels.
  5. Keep accurate records: Maintain meticulous records of shared information, including dates, recipients, and disclosure purposes. This practice helps in audits and indicates compliance efforts.

 

Addressing common challenges

Misunderstandings can arise regarding the applicability of HIPAA’s broader sharing provisions to SUD records. While the updated 42 CFR Part 2 allows for some flexibility, the requirement for explicit consent still exists for specific circumstances. Moreover, healthcare providers must be cautious of conflicting state laws that may impose additional restrictions. 

 

FAQs

What types of records are protected under 42 CFR Part 2?

42 CFR Part 2 protects records related to the identity, diagnosis, prognosis, or treatment of individuals in SUD programs that are federally assisted or regulated.

 

Can patients revoke their consent for sharing their SUD records?

Yes, patients have the right to revoke their consent at any time, but the revocation will not affect any disclosures made before the revocation.

 

Are there penalties for violating 42 CFR Part 2?

Violations can result in civil and criminal penalties, similar to those under HIPAA, including fines and potential imprisonment for severe breaches.