Skip to content

Final Rule Addresses Disclosures of Substance Use Disorder Records to Align More Closely With HIPAA


· 5 minute read


· 5 minute read

Confidentiality of Substance Use Disorder Patient Records, 42 CFR Part 2, 85 Fed. Reg. 42986 (July 15, 2020); Fact Sheet: SAMHSA 42 CFR Part 2 Revised Rule (July 13, 2020)


Fact Sheet

HHS’s Substance Abuse and Mental Health Services Administration (SAMHSA) has finalized regulations amending confidentiality protections for medical records of patients with substance use disorders (SUDs). As background, SAMHSA administers federal confidentiality protections for patient records created by federally assisted SUD treatment programs. These protections require patient consent for most disclosures of SUD records. Over the past several years, SAMHSA has updated its regulations to reflect changes in health care delivery and to be more consistent with HIPAA’s privacy rule. However, complete alignment has not been possible because SAMHSA’s governing statutes are distinct from HIPAA and establish more stringent protections. In the Coronavirus Aid, Relief, and Economic Security (CARES) Act, Congress modified the SUD confidentiality laws to expand the circumstances under which SUD information may be used and disclosed in accordance with HIPAA rules applicable to treatment, payment, and health care operations (see our Checkpoint article). HHS indicates that it anticipates releasing a proposed rule under the CARES Act within the next 12 months and notes that several of the provisions in these final regulations will serve as transitional standards in the interim.

Of interest to group health plans, the final regulations reiterate that, if a patient consents to disclosure of information for payment or health care operations, the recipient of the patient information may further disclose the information to its contractors, subcontractors, and legal representatives for payment and health care operations without additional consent. The disclosure must be limited to the information necessary to carry out the purpose of the disclosure. Moreover, the regulations now contain a non-exhaustive list of activities (previously mentioned only in a regulatory preamble) that will be considered payment and health care operations. Listed activities include claims management, obtaining payment under a contract for reinsurance, underwriting, enrollment, determinations of eligibility or coverage, medical necessity reviews, care coordination, and case management. A separate provision clarifies that third-party payers (such as health plans) may obtain SUD records without patient consent to conduct periodic audits or evaluations to improve patient care and outcomes; target limited resources more effectively; adjust payment policies to enhance care or coverage; or review appropriateness of medical care, medical necessity, and utilization of services.

EBIA Comment: The mismatch between HIPAA and the federal SUD confidentiality rules has been a source of confusion and frustration for many years. The CARES Act provisions, which take effect in March 2021, should help alleviate some of the challenges for group health plans and their business associates. Health plans and others dealing with SUD records will need to watch for further guidance on the CARES Act provisions, which also apply breach notification and notice of privacy practice requirements to SUD records. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXXIV.E (“Federal Substance Use Disorder Rules”).

Contributing Editors: EBIA Staff.

More answers