Legal Blog

Joseph T. Kelley III Featured in the Legal Intelligencer

Substance Use Disorder Confidentiality Rules for a New Era of Care

As Published in the Legal Intelligencer


According to the Center for Disease Control more than 120 Americans die every day as a result of drug overdose. Public exasperation with the opioid epidemic has helped raise the profile of treatment for substance use disorders (SUDs) and translated into political action.

Federal initiatives include the Comprehensive Addiction and Recovery Act of this year, provisions of the Affordable Care Act (ACA) and federal parity regulations applying to private and public health plans. At the state level, Gov. Tom Wolf has announced plans to fund 20 “Centers of Excellence” aimed at treating SUDs.

These initiatives not only aim to increase access and funding for SUD treatment, but also to integrate it with primary and other specialized health care to address each individual’s comprehensive needs. This “patient-centered” approach will involve more practitioners and organizations in SUD treatment, whether through screening or care coordination. Varied providers from across the continuum of care will continue to accumulate more SUD treatment information about their patients.


As a result, attorneys representing primary care and specialized practices, hospitals, long-term care providers, as well as industry vendors should be familiar with the unique rules governing SUD treatment confidentiality. The key rule, 42 CFR Part 2 (Part 2), while lacking in public profile or even a nickname, has caused much industry hand-wringing in recent years due to the severe restrictions it imposes on the sharing of information among providers and payers. In February of this year, the Substance Abuse and Mental Health Services Administration (SAMHSA) proposed modifications to Part 2 (proposed rule) aimed to modernize the 1987 rule and permit SUD patients to participate in integrated models of care while retaining certain distinct protections to match the unique sensitivity of the information.

HIPAA v. Part 2

• Part 2 scope.

While narrower in scope, Part 2 is much more restrictive than the HIPAA Privacy Rule, 45 CFR Parts 160 and 164. Part 2 applies to “federally assisted programs,” a term that is surprisingly inclusive. A program is any individual or entity that holds itself out as providing, and actually provides, SUD diagnosis, treatment or referral for treatment. Programs include not only single-purpose SUD service providers, but also some “units” or “staff” providing Part 2 services within “general medical facilities.”

The “federally-assisted” standard is met by the provider’s receipt of any ­federal funds (including through Medicare and Medicaid), federal tax exempt status, or any type of federal authorization, certification, licensure or registration. This would include not only SAMHSA certification for opioid treatment program (OTP) pursuant to 42 CFR Part 8, but also any Medicare/Medicaid enrollment or certification or DEA registration.

• Prohibition on Re-disclosure.

Part 2’s reach, however, extends even far beyond these covered programs. Under HIPAA, once a patient “authorizes” a disclosure, the information generally loses HIPAA protection and the recipient may use or disclose the information as it wishes unless it has an independent duty to protect it. In contrast, Part 2 expressly prohibits re-disclosure without a separate consent. This means, in effect, that any health care provider or entity that receives any Part 2-protected information must then comply with Part 2 as if it were a covered program.

• “To Whom.”

Part 2 is also more restrictive than HIPAA regarding the scope of permissible recipients of information. In its “To Whom” requirement, Part 2 places strict limitations on how recipients may be identified in a consent, generally requiring proper names as opposed to general class designations. For example, a Part 2 consent that states “to my health plan” or “to any network provider” lacks sufficient specificity.

No TPO exception. HIPAA sets forth broad and comprehensive exceptions to its patient-authorization requirement, notably including disclosures for treatment, payment and health care operations (TPO) and 12 public benefit activities, e.g.,research, judicial/administrative proceedings, law enforcement, public health.

In contrast to HIPAA’s baroque exception regime, Part 2 is narrow and austere. It requires a consent to disclose information under almost all circumstances, including for TPO. Exceptions exist only for medical emergencies, child abuse reports, crimes on premises, valid court orders, audits and evaluations and research. This Part 2 inflexibility, particularly the TPO restriction, impedes care coordination and thwarts managed care.

• Business associates/QSOs. Part 2 specifically permits covered programs to disclose Part 2 information to certain contractors, aka “qualified service organizations” (QSOs), pursuant to written agreements (QSOAs) requiring the QSOs to comply with Part 2. Although QSOs and HIPAA “business associates” (BAs) are related in concept, BAs are more broadly defined than their Part 2 counterparts. Part 2 also mandates specific QSOA provisions beyond those required by HIPAA for BA agreements. Finally, Part 2 does not expressly permit downstream QSO disclosures.

• Consents. Lastly, Part 2’s substantive requirements for consents differ from those for HIPAA authorizations. Notably, Part 2 does not permit electronic consents, which poses practical hurdles to electronic health record (EHR) implementation.

Effect of Part 2 Restrictions on Care Integration

This prohibition on re-disclosure has presented some operational challenges that have frustrated federal policy. For example, Accountable Care Organizations (ACOs) and Care Coordination Organizations (CCOs) have been unable to effectively coordinate SUD treatment, which is an essential health benefit under the ACA. Part 2 has also obstructed the development of “health homes,” authorized under Section 2703 of the ACA to integrate primary care with specialized treatment for individuals with chronic conditions, such as SUDs. Finally, Part 2 poses significant challenges to the creation and operation of EHRs and Health Information Exchanges (HIEs) which must apply separate rules to discrete data subsets.

Proposed Rule

Through the proposed rule, SAMHSA seeks to remove many of the barriers that Part 2 poses to care integration, while retaining a heightened level of protection commensurate with the sensitivity of SUD treatment information. The proposed rule would:

• Permit electronic consent;

• Loosen “To Whom” and re-disclosure requirements;

• Expand and clarify use of information for research and medical emergencies;

• Address discrimination and stigma regarding SUDs;

• Modernize QSO arrangements; and

• Enhanced security requirements.

Regarding “To Whom”, the proposed Rule would permit a consent to identify recipients at times by “general designation,” a change designed specifically for entities involved in the exchange of health information (e.g. HIEs) and care coordination (e.g., ACOs, CCOs, health homes). The definition of QSOs would be revised expressly to include providers of population health management services to Part 2 programs. Thus, a QSO relationship is another avenue for care coordination, as ACOs and CCOs can execute population health management QSOAs with Part 2 programs.

The proposed rule also clarifies that a recipient of Part 2 information may re-disclose information about the patient without a consent, so long as it does not reveal the patient’s association with SUDs.

Despite these changes, Proposed Rule would generally retain Part 2’s re-disclosure prohibition as well as its consent requirement for TPO disclosures.


The Department of Justice may issue maximum fines of $500 to $5000 for Part 2 violations. Accordingly, a HIPAA breach involving Part 2 information could significantly enhance an organization’s exposure. Moreover, while violation of many of Part 2’s requirements, as discussed, do not constitute express HIPAA violations, they may be construed as a violation of HIPAA’s “minimum necessary” requirements, to the extent that Part 2 represents the standard for the sharing of SUD information.

State law

The application of state law in this regard is potentially significant. Pennsylvania law includes extremely restrictive confidentiality rules regarding SUD treatment. The Drug and Alcohol Abuse Control Act, 71 P.S. Section 1690.108, permits the disclosure of covered SUD information only with a patient’s consent and only for treatment and payment/benefits purposes. Disclosure without the patient’s consent is only permissible in emergency medical situations or, in certain circumstances, with a court order upon a showing of good cause.

It is my experience that this statute, along with regulation at 4 Pa. Code 255.5, have been ignored. However, they may be significant given the health care system’s increasing reliance on certifications for compliance with all laws and for transactional due diligence.


Attorneys representing health care providers across the spectrum or their vendors should take the following steps when advising their clients regarding the SUD confidentiality:

• Assess whether your clients have units or staff programs or receive Part 2 information regarding SUDs;

• If covered, review their privacy practices to perform a Part 2 gap analysis, accounting for current law and as proposed. Focus on consent management, restrictions regarding recipients and re-disclosures, and contractor arrangements, and EHR implementation and HIE relationships;

• Revise BAAs to include necessary QSOA elements and authorization forms to include necessary Part 2 consent elements;

• Incorporate state law analysis; and

• Keep informed of the progress of the development of the final rule.

The Behavioral Health Task Force of the American Health Lawyers Association has prepared a paper on the subject that will be published later this year, which will be a great resource to attorneys on this issue. •


Joseph T. Kelley III joseph-t-kelly-iii-joe_lores-2 focuses his practice on healthcare law and issues of privacy, compliance, regulatory and administrative law. Mr. Kelley serves as compliance and privacy counsel to behavioral health care providers and other large and small businesses.

Mr. Kelley received his B.A. from Tulane University and his JD from Villanova University School of Law. He is a member of the American Health Lawyers Association, Association of Corporate Counsel. He writes and lectures on Privacy Information Governance and regulatory compliance in Behavioral Health and Long Term Care industries.




Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 120 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eight offices serve individual and corporate clients in the Maryland, Delaware, New Jersey, and Northern Virginia markets, as well as the Washington DC, Baltimore, Philadelphia, and New York City metropolitan areas. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.

You can connect with Offit Kurman via our BlogFacebookTwitterGoogle+YouTube, and LinkedIn pages.  You can also sign up to receive Law Matters, Offit Kurman’s monthly newsletter covering a diverse selection of legal and corporate thought leadership content.