M. Reneé Bostick joined Vorys Health Care Advisors (VHCA) as a full time Senior Advisor in 2018 to expand VHCA’s work with Health Information Technology (Health IT) – an essential and innovative capability for modern health care. VHCA assists health care providers, associations and stakeholders with compliance and management of electronic health record (EHR) systems and health information exchange in their rapidly changing health care business. VHCA also enables providers to strategically use opportunities of change to improve care quality, coordination and experience, enhance revenue cycle management, and build analytical capabilities to improve performance and outcomes.
On January 2, 2018, in another significant federal policy change supporting greater use of Health IT, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Final Rule on the Confidentiality of Substance Use Disorder Patient Records, pursuant to 42 CFR part 2 (part 2). A year ago, January 18, 2017, SAMHSA issued the Confidentiality of Alcohol and Drug Abuse Patient Records final rule (82 FR 6052), as well as an Supplemental Notice of Public Rule-Making (SNPRM) soliciting comment on: disclosures for “payment and health care operations,” and audit or evaluation, as well as the re-disclosure abbreviated prohibition notice. The new rule seeks to balance and clarify part 2 privacy protections for individuals seeking treatment of SUDs with advances in the health care delivery system, including integrated care, secure electronic health records (EHRs) and health information exchange (HIE) and performance measurement.
SAMHSA did not change the requirements for the strict, separate patient consent for disclosure, and reaffirm that part 2 programs and “lawful holders” of patient identifying information (PII) are responsible for maintaining and communicating part 2 requirements pursuant to part 2. The new final rule:
- permits disclosure of PII, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities,
- allows disclosure of PII to contractors, subcontractors, and legal representatives with whom the provider has a “legal instrument” for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, and
- permits use of an abbreviated notice prohibiting re-disclosure which can be used in electronic health record (EHR) text fields (“Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records”)