FAQs: What new SAMHSA confidentiality regulations mean to you
February 3, 2017
Until last month, the applicable federal regulations governing confidentiality of patient records for substance abuse disorders had been in place since 1987—the same year President Reagan told Gorbachev to “tear down this wall” and Windows 2.0 was introduced. SAMHSA recently published its long-awaited final rules which are scheduled to take effect on February 17, 2017.
The following are the highlights of these new regulations, and what treatment centers need to know about them.
Do the regulations apply to me?
If you answer any of the following questions “yes,” then the new regulations apply to you:
Do the regulations change patient confidentiality requirements for most treatment centers?
Probably not. Generally, the confidentiality regulations restrict disclosure of information which would identify a patient with a substance use disorder and information obtained by a program for the purpose of treating a substance use disorder, making a diagnosis for that treatment or making a referral for that treatment. The regulations provide that patient records may only be disclosed in accordance with the regulations, and all disclosures must be limited to information necessary to carry out the purposes of the disclosure.
Acknowledging the presence of a patient at your treatment center is also restricted under the regulations. Most treatment centers already have protections in place which should satisfy the confidentiality requirements in the new regulations. The regulations do make clear, however, that compliance with the new regulations is unconditional and applies whether or not the program believes that the requesting party already has the requested information, has other ways to get it, is a law enforcement agency or government official, has obtained a subpoena, or asserts any other justification for a disclosure contrary to the regulations.
Do I have to change patient record release forms and procedures?
Probably. The new regulations require the consent form to say, among other things, how much and what type of information may be released by the treatment center to others. If your current release form does not include this option, the form will need to be changed.
In addition, under the new regulations, the treatment center now has the option to allow the patient to adopt a general designation of the recipients to whom information can be disclosed. For example, where the former regulation required the specific identification of each person to whom records could be disclosed, the new regulation permits a general designation, such as to “all my treatment providers.” If this provision is added to the form, then the patient is entitled, upon written request, to a list of all entities to which information was provided within the preceding two years.
Under what circumstances can I release records without patient consent?
The regulations provide that patient identifying information may be disclosed to medical personnel without patient consent to meet a bona fide medical emergency in which prior informed consent cannot be obtained. Likewise, information may be disclosed for research purposes under limited circumstances, and for audits and evaluations, also under limited circumstances.
The new regulations contain an entire section dealing with court orders, which generally require a specific court order authorizing the disclosure as well as a subpoena compelling the disclosure. Before you release any patient records without patient consent, you will need to review the new regulations.
Do I have to notify patients of this new regulation change?
Yes. Each program is required to communicate to patients that federal law and regulations protect confidentiality of patient records, and to provide a written summary of the federal law and regulations. The notice may be in written or electronic form.
Am I required to have written policies and procedures in effect regarding security of patient records?
Yes. The regulations require that the program have written policies and procedures “to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.” The regulations were updated to make clear that the security obligations apply to both written and electronic records.
For both, the regulations list subjects which the written procedures must address. For electronic records, the policies and procedures must address:
What are the penalties for violation of the regulations?
The new regulations provide that violations of their provisions will result in fines, but the range of those fines was not specified. The old regulation limited fines to not more than $500 for a first offense, and not more than $5,000 for each subsequent offense. There is no such limit specified in the current regulations.
Will the effective date of the new regulations be postponed?
Maybe. On Inauguration Day, the Trump administration issued a memorandum to all agency heads directing that, for all regulations which had been published in the Federal Register but had not yet taken effect (which includes these new confidentiality regulations from SAMHSA), the agency postpone the effective date for 60 days pending review by the incoming administration. The effect of that memorandum on these new regulations is unclear.
While the foregoing provides a general overview of the new regulations and important changes, it is important to note, as always, that the “devil is in the details.” A full review of the regulations and their requirements is necessary to ensure compliance. The patient record release requirement changes, in particular, will probably require corresponding amendments to existing consent forms and procedures.
Each treatment center will also have to provide notice of the new regulatory provisions to patients, and establish written policies and procedures with respect to security for patient records, if it has not already done so.
Walter H. Boone is a partner with Balch & Bingham, LLP, a corporate law firm with offices across the Southeastern United States. Balch & Bingham, LLP is an Advisor to the Behavioral Health Association of Providers (BHAP), a national trade association that provides online resources and training events for licensing and certification, operations, reimbursement, clinical standards, patient privacy, quality assurance, and risk management.
 82 F.R. 6052, et seq.
 For example, in Georgia, the applicable state regulations require adherence to 42 C.F.R. Part 2 for all drug abuse treatment programs and narcotic treatment programs licensed by the Department of Community Health. Georgia Dept. of Community Health, Rules and Regulations for Drug Abuse Treatment and Education Programs, § 111-8-19-.09(6)(b); § 111-8-53-.09(6). See also Rules of Tennessee Dept. of Health and Mental Retardation, Minimum Program Requirements for All Facilities, § 0940-05-06-.02(1)(f).