SAMHSA Publishes Final Rule Changes to Federal Confidentiality Regulations for Providers of Substance Use Disorder Treatment

On January 18, 2017, the Substance Abuse and Mental Health Services Administration (“SAMSHA”) published a number of significant final rules changes to the 42 C.F.R. Part 2 Federal Substance Abuse (“SA”) Confidentiality regulations in an effort to “update and modernize” the regulations in light of changes that have occurred within the health care industry since 1987 (the last time the Part 2 Rules were updated), including new models of integrated care and the development of new information technology infrastructures.

The rule changes include:

  • Incorporation of new and amended definitions of key terms, including clarification of the meaning of a “qualified service organization”
  • Helpful clarifications of (i) when identified providers or units within a “general medical facility” or “general medical practice” qualify as a SA “program” subject to the Part 2 Rules, and (ii) what it means for a provider or facility to “hold itself out” to the public as SA provider
  • Permitting a patient to execute a consent form to disclose SA program information to a class of persons or entities, and requiring SA programs and “other lawful holders” of the patient’s information to provide to such patients upon request a list of all persons or entities receiving the patient’s information pursuant to such an authorization
  • New security policy and procedure requirements for SA programs and other “lawful holders of patient identifying information” to render the Rules more consistent with HIPAA’s security requirements
  • New Part 2 Notice requirements (this will necessitate revisions to SA programs’ HIPAA Notices of Privacy Practices)
  • Amending the medical emergency exception to confidentiality to allow SA providers more flexibility to determine when a “bona fide medical emergency” exists
  • Permitting recipients of SA program information to re-disclose parts of such information that do not identify an individual as a SA program patient (provided such re-disclosure is otherwise permitted by HIPAA and State law)

One of the most significant implications of the rule changes is the Rules’ incorporation of the concept of a “lawful holder” of SA program information, i.e., a health care provider, facility, emergency department, insurance company or other entity that is not itself a SA program but which nevertheless becomes subject to the Part 2 Rules’ requirements as a result of receiving information from a SA program.  SAMHSA’s response to comments on the new rules expressly states that health care providers and facilities that are not themselves SA programs but who receive information about a SA patient from a SA program either pursuant to the patient’s authorization or via a disclosure that complies with an applicable exception, are, as a result, bound by the Part 2 Rules with respect to any such information they receive from the SA program:

Once patient identifying information has been initially disclosed (with or without patient consent), no redisclosure is permitted without the patient’s express consent to re-disclose or unless otherwise permitted by the part 2 statute or regulations.  Only disclosure of patient identifying information made with the patient’s written consent must be accompanied by a written notice regarding the part 2 prohibition on re-disclosure.  Although there is no requirement to provide such written notice to individuals and entities who receive information through other means under the part 2 program, all lawful holders must comply with the part 2 program requirements, including, but not limited to the limitations on re-disclosure.

However, the new Part 2 Rules themselves only bind a recipient entity to comply with the Part 2 rules if (i) the recipient entity receives information from a SA-program pursuant to the patient’s written consent (but not if the disclosure was made pursuant to an exception that does not require the patient’s consent), and (ii) the information received from the SA program is accompanied by the written notice required by 42 C.F.R. §2.32 (the notice is not required to accompany the information if the disclosure is pursuant to an exception, such as a disclosure to a treating emergency room provider pursuant to the medical emergency exception).  See 42 C.F.R. §2.12(d)(2)(i)(C).

SAMHSA helpfully published the entire Part 2 Rules as amended by the new rule changes in the Federal Register, which can be found at 82 Fed. Reg. 6052, 6115-6127 (January 18, 2017).

The final Rules become effective February 17, 2017.  It is incumbent upon Part 2 programs, providers and “lawful holders” of Part 2 program information, to promptly:

  • Update their privacy, confidentiality and security policies, procedures, and forms, including HIPAA Notices of Privacy Practices , to comply with the new rules; and
  • Train their workforce members on the new rules.

If we can be of assistance to you in clarifying (i) how these rule changes might affect your organization, or (ii) what updates to your policies, procedures, authorization forms and Notice of Privacy Practices these rule changes necessitate, please don’t hesitate to contact Steven L. Johnson, Esq. (, or Michael A. Burian, Esq. ( at (207) 621-4390.