ACHP Addresses Proposed Rule on Substance Use Disorder Patient Data

The CARES Act’s substance use disorder patient data requirements should be more aligned with HIPAA standards, ACHP and its co-signees argued.

The Alliance of Community Health Plans (ACHP) was among around 50 organizations—including AHIP and Blue Cross Blue Shield Association—to sign a letter to HHS that supported fully aligning the substance use disorder patient data requirements in the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) with the Health Insurance Portability and Accountability Act (HIPAA).

The letter was in response to a Notice of Proposed Rulemaking that seeks to amend part 2 of title 42 of the Code of Federal Regulations (42 CFR part 2 or “Part 2”) so that the CARES Act’s rules around substance use disorder treatment records align with HIPAA standards. The proposed rule was published in early December 2022.

“We were happy to see alignment with HIPAA on various definitions such as business associate, covered entity, breach, and health care operations,” the healthcare leaders explained.

“However, we are concerned that anything short of complete alignment with HIPAA for TPO will cause administrative burdens and continued data segmentation challenges and may impede treatment access and safe care. As such, we will continue encouraging Congress to remove the Part 2 consent requirement.”

The leaders affirmed the need for a single consent for treatment, payment, and healthcare operations (TPO): in other words, one patient signature that authorizes the healthcare organization to release or disclose TPO information.

However, the healthcare leaders found that the rule did not go far enough. TPO information should be allowed to be disclosed without consent or authorization in order to improve data sharing and care coordination, in alignment with HIPAA, ACHP and other organizations argued.

Without such an amendment, providers may not have all of the information they need to make an informed decision about patient treatment, and provider burden will increase, the letter indicated.

The signees sought greater clarification on the definition of a “Part 2 record” and de-identified data. They found that the de-identification standard in the proposed rule departed from the HIPAA standard.

The signees also appreciated that Part 2 programs and other appropriate entities were allowed to transmit and retransmit Part 2 data without extra requests for consent. The letter requested that HHS and other federal entities address clearly whether they will need consent for a court order for the use, disclosure, and redisclosure of Part 2 data for HIPAA-permitted purposes, excluding legal proceedings against the patient.

The letter recommended expanding the definition of “lawful holder” to include entities not covered by Part 2 confidentiality rules, HIPAA, or the Health Information Technology for Economic and Clinical Health (HITECH) Act. It also asked policymakers to clarify the validity of general consent for business associate or covered entity redisclosures.

HHS and the other policymaking entities should ensure that payers and other entities are not required to store Part 2 data separately from the rest of the HIPAA database. The letter pointed to incongruities between the proposed rule and HIPAA and the challenges of managing multiple consent processes within a health information exchange or integrated system.

ACHP and the signees also touched on revocations, including oral revocations.

“It is essential to the Partnership that revocation of consent should only affect Part 2 record sharing from the point of revocation going forward,” the letter stated. “We encourage HHS, OCR, and SAMHSA to offer subsequent guidance on the best way to flag a revocation within electronic health records and work with regulatory and technology partners to support advancements that can help achieve this objective.”

The letter pushed for the eradication of an “intermediary” who holds the information under the general consent such as health information exchanges, accountable care organizations, researchers, and others. At the very least, ACHP and its co-signees pushed for the erasure of business associates as “intermediaries.” They found the regulation redundant.

Additionally, the organizations called for extending safe harbor protections and deleting at least the entity and business associates’ responsibility to attach a notice with disclosures and, if not, to eliminate this responsibility altogether. HHS and the other rulemaking entities should release more support for the technicalities of alerting patients to a breach.

ACHP and its co-signees asked for an additional year of delay in penalties following publication.

“This NPRM is a significant step towards aligning Part 2 with HIPAA for TPO,” the letter concluded.

“However, anything short of total alignment with HIPAA for TPO purposes will retain and reinforce the significant impediments to fully informed care for persons with a SUD or history of SUD treatment. In addition, it would cause undue administrative burdens and hinder certain providers from holding themselves out as SUD providers.”

AHIP shared privacy and cybersecurity goals suggesting that all entities that interact with patient data should be accountable to HIPAA requirements.

Access to data is critical for many reasons. One of the key drivers behind the need for data access is improving health equity efforts. Value-based care efforts also rely on data access.
