Addressing Opioid Crisis: A Call for Privacy Rule ChangesState Attorneys General Want Changes in Regulation to Ease Sharing of Data
The National Association of Attorneys General is urging Congress to drop "cumbersome, out-of-date privacy rules" contained in federal regulations related to substance abuse and instead apply the "effective and more familiar" HIPAA Privacy Rule. They portray the change as an essential step toward addressing the opioid crisis by easing the sharing of data that could lead to timely treatment.
In a letter signed by 39 state attorneys general that was sent this week to the leaders of the House and Senate, NAAG calls for changes to certain provisions of the Confidentiality of Substance Use Disorder Patient Records regulations, more commonly called 42 CFR Part 2, which pertain to the use and disclosure of data of substance disorder patients who participate in certain "federally assisted" treatment programs.
Under the HIPAA Privacy Rule, patient information can be shared without the patient's consent for the purposes of treatment, payment and healthcare operations. Under 42 CFR Part 2, information about addiction treatment cannot be shared with other providers by federally assisted treatment programs unless the patient consents.
Other industry groups, including the American Hospital Association and the College of Healthcare Information Management Executives, have also pushed for closer alignment between the privacy provisions of 42 CFR Part 2 and HIPAA, especially as federal regulators weigh potential changes to the HIPAA rules (see: Post-Breach HIPAA Enforcement Call for Safe Harbors).
The calls for closer alignment between 42 CFR Part 2 and HIPAA continue despite the Substance Abuse and Mental Health Services Administration - or SAMHSA - in 2018 issuing a final rule that made some changes to 42 CFR Part 2 to allow some better alignment with HIPAA (see: Analysis: Substance Abuse Confidentiality Rule Changes).
But those changes were relatively narrow, allowing more flexibility for disclosures of patient data related to payment and business operations.
For instance, under the revised 42 CFR Part 2, patient consent is still required to disclose to other providers information about patient diagnosis, treatment or referral for treatment substance disorder. The attorneys general argue that this impedes information sharing that could lead to better treatment.
In its letter to lawmakers, NAAG writes that the national opioid epidemic "has been so pervasive and so severe that life expectancy in the United States has declined for three years in a row for the first time since the influenza pandemic of 1918."
NAAG writes that the 42 CFR Part 2 privacy regulations, written four decades ago, are a major barrier to treatment for opioid addiction.
"The complexities of complying with 42 CFR Part 2 often prevent general practice providers from even attempting to treat patients with substance use disorders through the use of medication-assisted treatment because - while providers are familiar with how to comply with the privacy requirements of HIPAA - they may be intimidated by the requirements of 42 CFR Part 2," NAAG writes.
"These privacy rules were created more than 40 years ago in a time of intense stigma surrounding substance use disorder treatment. They were created to assure patients that they would not face adverse legal or civil consequences when seeking treatment by protecting confidentiality of substance use disorder patient records."
While maintaining confidentiality is imperative to encouraging individuals to seek and obtain treatment, NAAG's letter notes, "the inability to share records among providers can burden coordination of care, potentially resulting in harm to the patient."
The attorneys general call for aligning the 42 CFR Part 2 rules regarding disclosure of substance use disorder treatment records "with the protections against unwanted disclosure of patient records already contained in HIPAA, particularly as it relates to disclosure of substance abuse treatment information to authorized providers."
Some experts argue that the HHS modifications to 42 CFR Part 2 privacy regulations in 2018 were not significant enough to markedly improve health information sharing pertaining to substance abuse treatments.
"Those changes have been helpful, but still leave significant situations where the part 2 rules impose significant impediments to data sharing that is increasingly viewed as important," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"At this point, it will take a change in the Part 2 statute to make the two rules fit better together. While there seems to be some interest in this issue in Congress - with some bipartisan support - it is clearly going to be an uphill battle to get this through Congress."
To make the necessary changes, Nahra says, "Congress would have to revise Part 2 - or perhaps even eliminate it - and then HHS would revise the Part 2 rules if it still remained in effect," he says.
"One possibility is to focus the Part 2 rules on the key issue that initially drove the law - ensuring that substance abuse treatment information wasn't used against patients in criminal prosecutions. This mandate could be maintained while permitting other data sharing that is more consistent with HIPAA," he says.
But if 42 CFR Part 2 privacy regulations are recrafted to more closely resemble HIPAA privacy requirements, is there added risk of exposing sensitive patient information involving mental health and substance disorders?
"I don't think this alignment would create a real breach distinction or new risks," Nahra says. "All of the entities who would receive this information already have information about these patients; they just may have somewhat more limited information. And all of these recipients would be covered by the HIPAA Security Rule and the HIPAA Breach Notification Rule."
HIPAA covered entities are already required to protect "all kinds of sensitive information today," Nahra notes. "One of the principles of HIPAA is that all protected health information deserves protection at the same level - so this includes mental health and substance abuse, HIV, cancer, anything. So changes [to 42 CRF Part 2] wouldn't require additional steps by covered entities, but would remove the need to segment out this data from other data."
Privacy attorney Iliana Peters of the law firm Polsinelli offers a similar assessment.
"Given the broad protections of HIPAA, and the reduced stigma associated with treatment for substance use disorder since the passage of the original 1972 statute, it makes sense to protect substance use disorder information in the same way that other sensitive information is protected, including information about genetic disorders, HIV/AIDS, and cancer, particularly given that sharing information in accordance with HIPAA would be so beneficial for individuals in crisis and for research on opioid addiction."
Privacy Advocates' Concerns
But Deborah Peel M.D., founder and president of advocacy group Patient Privacy Rights, strongly opposes the idea of aligning 42 CFR Part 2 with HIPAA.
"We can expect ... terrible outcomes if opioid addiction data is used without consent: higher costs, lower quality and bad outcomes," she says.
"Hippocrates realized keeping secrets was the only way patients would trust doctors and share sensitive information. Opening up data on substance abuse and opioid abuse destroys trust in physicians, so people will avoid treatment. It's also true for mental illness and every other diagnosis that is costly, scary or difficult to treat. HIPAA is not a privacy rule; it granted data holders control over the nation's health data. Security isn't the problem; the lack of privacy/control over data is the problem."
Twila Brase, president and co-founder of privacy advocacy group Citizens' Council for Health Freedom, is similarly concerned.
"We would oppose all such efforts. Aligning Part 2 with HIPAA would eliminate the consent rights patients with substance use issues have today," she says. "The desire of a national group of attorneys to end patient consent for these individuals does not trump the rights of individuals to retain the power of consent. The administration should move the opposite direction and give everyone else Part 2 protections."
HIPAA authorizes vast sharing of private data without patient consent, she contends. "That data sharing includes making the patient's data available through internet-based state and national health information exchanges. Part 2 means substance use data will not be shared where all other data is allowed to be shared under HIPAA, including electronic data exchange systems," she says.
"Some practices and practitioners may better secure substance use data and may even keep paper records. However, if Part 2 is gutted, all the patient's data can be shared broadly to more individuals and entities and for more purposes, expanding exposure to hacking and other data breaches."