Opioid Crisis Raises Tough Privacy Issues
Healthcare Organizations Push Congress to Align Substance Abuse Privacy Regs With HIPAA
As CISOs, CIOs and privacy officers look for ways to boost the timely, secure sharing of healthcare information to improve treatment, one obstacle that potentially stands in the way is CFR-42 Part 2, a 1970s-era regulation.
That regulation, known as Confidentiality of Substance Use Disorder Patient Records, generally requires federally assisted substance use programs to have a patient's consent before releasing information to others involved in their treatment.
But in light of the current opioid addiction crisis, the regulation is seen by some as impeding timely treatment because it could lead to a physician not having timely access to a patient's complete drug addiction treatment history to support appropriate medical decisions.
Letter to Congress
With Congress considering broad legislation designed to help address the opioid crisis, more than 100 healthcare industry organizations, including insurers, providers and associations, sent a letter to legislators Sept. 18 asking them to change the privacy provisions of CFR-42 Part 2 to align with the HIPAA Privacy Rule, which does not require patient consent to share records for treatment, payment and business operations.
Such a change would affect how CISOs, privacy officers and others establish and carry out patient data privacy and security policies.
The House already passed the Overdose Prevention and Patient Safety Act, H.R. 6082, that would align CFR 42 Part 2's privacy provisions with the HIPAA Privacy Rule. An opioid-related bill passed by the Senate does not contain such a provision.
The House bill, strongly endorsed by those who wrote the letter to Congress, also would strengthen protections against the use of addiction records in criminal, civil or administrative proceedings, the groups' letter notes.
To further protect individuals seeking and receiving addiction treatment, the House bill would enhance protections against inappropriate disclosure of substance abuse treatment records to entities not covered by HIPAA or CFR 42 Part 2.
In addition, the legislation would increase the penalties in the event of unlawful disclosure of substance abuse treatment records and would establish breach notification requirements in accordance with the HITECH Act.
The House bill also would require the Department of Health and Human Services to issue regulations that would prohibit discrimination based on data disclosed from substance abuse medical records and require covered entities to provide written notice of privacy practices. HHS would also be required to develop model training programs and materials for healthcare providers and patients and their families.
Sen. Patty Murray, D-Wash., ranking member of the Senate Health, Education, Labor and Pensions committee, is among those who are reportedly opposed to the efforts to align the CFR 42 Part 2 privacy provisions with the HIPAA Privacy Rule.
Among opponents' concerns is that it could become too easy for healthcare providers to view a patient's substance abuse records, potentially weakening individuals' privacy protections for sensitive addiction information.
Murray's office did not immediately respond to an Information Security Media Group request for comment.
Still, the industry groups are urging the Senate to join the House in supporting changes to CFR 42 Part 2's privacy regulations.
"Modifying Part 2 to ensure that HIPAA covered entities have access to a patient's entire medical record will improve patient safety, treatment and outcomes across the care delivery spectrum," the letter says.
Built for a Paper-Based World?
The CFR 42 Part 2 regulation was first issued in 1975, well before HIPAA, with revisions in 1987 and 2017.
"The confidentiality provisions for personally identifiable substance abuse disorder treatment information are holdovers from a time when record keeping and healthcare operations were primarily paper-based," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"If Congress is committed to replace or rewrite the standards, the modifications should be designed to reflect the information technology realities of the 21st century," he says. "A good starting point would be to mandate use of the National Institute of Standards and Technology's Cybersecurity Framework as the baseline standard for developing a security program and selecting controls to safeguard e-PHI or substance abuse treatment data."
Privacy attorney Kirk Nahra of the law firm Wiley Rein offers a similar perspective. "The Part 2 law and regulations made lots of sense when it was implemented - there was no general federal privacy law on healthcare ... substance abuse treatment was new, and there clearly was a stigma issue and treatment was provided by specialized providers," he says.
"Since the enactment of HIPAA, where all health information is given the same protection, there has been less rationale for CFR 42 Part 2," he says. The different requirements in HIPAA and CFR 42 Part 2 complicate the ability of healthcare providers to appropriately and securely share records - especially digital records - in the coordination of care for patients who often see many different providers, including those not directly involved with their substance abuse treatment, he argues.
Healthcare providers involved in treatment of patients for mental health and substance abuse often work together with other healthcare providers who provide other kinds of care to those same patients, Nahra notes.
"We saw Part 2 becoming both a tremendous challenge and in some situations a problem for the health of the patients," Nahra says. "The opioid crisis is emphasizing these patient harms. So legislation that would make Part 2 entirely consistent with HIPAA would improve the overall operation of the healthcare system for the benefit of both patients and the system at large."
After years of discussions about the need for changes in CFR 42 Part 2's privacy provisions, the time could finally be right to win support for the changes, Holtzman says (see HHS Weighs Changes to Health Data Privacy Regulations).
"I believe there is a good chance that legislation amending the confidentiality provisions for personally identifiable substance abuse disorder treatment information will be in the final legislation that is approved by the Congress," he says.
"There are strong arguments on all sides, and the package of opioid legislation being negotiated for passage is probably the last, best chance to address this issue. It remains to be seen what form these provisions will take and how close the new standards will align with the HIPAA health information privacy, security and breach standards."
But the changes to 42 CFR Part 2 won't come easily, he warns.
"Should the Congress pass legislation to modify 42 CFR Part 2 or the HIPAA standards, there are additional steps that would lead to actual implementation of the statutory changes," Holtzman says. "For example, the Administrative Procedures Act requires HHS to go through a lengthy rule-making process in order to change or do away with the requirements of 42 CFR Part 2 or HIPAA privacy or security standards."
Changes in the regulations would also require many entities to adjust their processes and controls to allow for less restrictive sharing of patient records under various circumstances.