When patients seek treatment for substance use disorders (SUDs)—in a society that stigmatizes and discriminates against people with SUDs in so many ways—they naturally want to know if their treatment will be “confidential.” This means: private, not shared with anyone unless they give permission to share it. There’s a federal regulation meant to guarantee this, dating from 1975: the Confidentiality of Substance Use Disorder Patient Records, codified as 42 CFR Part 2.
That regulation, even after several updates meant to satisfy the hungry electronic health record (EHR) systems out there, requires that patients sign off—literally—on who gets their information. The consent must say exactly “to whom” the information goes, be time-limited, and prohibit re-disclosure. This obviously would not include EHRs, which allow the entire patient record to be called up. Other provisions include restrictions on the use of ID cards that might identify patients as having SUDs, records security, and documentation of disclosure in cases of medical emergency.
Influential groups in the SUD space are actively advocating to strip away the regulation’s protections.
But CFR Part 2 is now under severe threat. Too often, only lip-service is paid to patient needs, with most of the attention going to the convenience of the system. Influential groups in the SUD space are actively advocating to strip away the regulation’s protections—and the Department of Health and Human Services recently joined that campaign.
“I think that the patient perspective is the most important since they are the people that stand to lose the most,” as Mark W. Parrino, president of the American Association for the Treatment of Opioid Dependence (AATOD), told Filter. “As broad policy thinkers suggest changes to convert to HIPAA, they do not really understand the challenges the patients face.”
Relying on HIPAA, the Health Insurance Portability and Accountability Act of 1996, to safeguard their privacy would mean SUD patient receive far fewer protections. For example, 42 CFR Part 2 requires a specific court order for patient information to be shared, while HIPAA doesn’t. And unlike other types of protected health information, SUD records may expose a patient to negative legal consequences.
Larger opioid treatment programs’ data systems also do not support a conversion to HIPAA, said Parrino, who understands the financial reasons for groups supporting the conversion.
NAMA Recovery, which represents methadone patients, has indicated that it is extremely worried by this prospect. At an important “listening session” convened by the Substance Abuse and Mental Health Services Administration (SAMHSA) in 2014, the federal agency clearly opened the door to changing the rule to weaken patient protection.
The current regulation already applies only narrowly—to SUD treatment programs, not primary care or mental health or any other program which receives federal funds (in any way: including taking Medicaid or Medicare patients or getting tax write-offs).
Omens for Privacy
A year ago, SAMHSA, which implements 42 CFR Part 2 and is not impervious to pressures to change it, carved out an exception to the regulation—that SUD treatment information could be released without consent for “healthcare operations.”
While stopping short of the dire outcome of making 42 CFR Part 2 like HIPAA, this exception was open to incredibly broad interpretation. However, even this didn’t satisfy the growing chorus of voices who wanted the regulation completely eliminated.
Ominously for patients, there are indications that SAMHSA itself finds the regulation onerous. Former SAMHSA administrator Pam Hyde said in 2013 that the regulation was “getting in our way.” At the time, SAMHSA was in the throes of trying to merge SUDs with mental illness, so that one provider would treat both under the rubric of behavioral health care, and to this day, that thinking underscores much of the attempt to get rid of 42 CFR Part 2 on the part of the mental health treatment community.
This shows an amazing disregard for the privacy that many people regard as essential to their health care.
Even more ominously, the Department of Health and Human Services (HHS), in a Request for Information (RFI) released last month, suggests that even HIPAA is too onerous.
The HHS RFI says, as a criticism of HIPAA, that the legislation “may limit or discourage information sharing.” This shows an amazing disregard for the privacy that many people regard as essential to their health care, particularly for substance use disorders.
As H. Westley Clark, M.D., J.D., former director of SAMHSA’s Center for Substance Abuse Treatment points out, in the context of the fight to kill 42 CFR Part 2, this HHS move shows that commercial interests—in the form of EHRs and selling of patient data—come before health.
“In other words, the critics of 42 CFR Part 2 argue that we should abandon 42 CFR Part 2 in favor of the protections of HIPAA, all the while critics of HIPAA are asking how HIPAA can be weakened,” Clark told Filter. “The right to privacy is being questioned in favor of commerce, not public health.”
We shouldn’t assume that these threats lie only in the future. The Legal Action Center, along with Faces and Voices of Recovery, has already documented numerous examples of the impacts of stigmatization and discrimination due to SUD treatment.
Driving Patients Away From Treatment
The bottom line is that patients will not seek treatment if they think their information won’t be safe. During an overdose crisis, how does this disincentive make sense? Some methadone patients are even tapering already out of fear that their records will no longer be safe.
“When I went into treatment, the first thing that I asked was, how might this information be used,” William Stauffer, chair of the public policy committee of Faces and Voices of Recovery and executive director of the statewide Pennsylvania Recovery Organization–Alliance (PRO-A) told Filter. “I listened and watched very carefully, and would not have shared things had I not gotten an affirmative answer that my information would be protected.”
Trust between a therapist and the person they’re treating is paramount, added Stauffer. “Most providers recognize this.”
This was the crux of a letter that the American Medical Association sent to Congress last fall. It urged lawmakers “to refrain from removing rights from a specific, already-at-risk population, and exercise its discretion to thoroughly consider the range of issues related to alignment of Part 2 and HIPAA.”
The AMA realized that its members might lose patients who would otherwise seek treatment, and from a public health angle, more people will overdose if treatment isn’t protected.
This is, after all, a country in which a nurse could not obtain a life insurance policy because she had a prescription for naloxone, which she carried—as the US Surgeon General recommends all of us do—in order to save the life of someone who might have overdosed.
Implications of the Digital Age
As it is, patients who go to physicians–not methadone clinics (opioid treatment programs or OTPs) – for buprenorphine treatment do not have their information protected, because the prescriptions automatically go into the state Prescription Drug Monitoring Program (PDMP). This is not the same as the patient health record, but it is accessible to law enforcement, and to any physicians who search it.
Background for the development of 42 CFR Part 2 started in the 1970s when police officers would go into OTPs in New York City. It quickly became established policy in treatment programs. And it was entirely uncontroversial, because consent was obtained by patients signing pieces of paper. What happened? Paper was eliminated from medical practices. Electronic records and prescriptions took over.
About nine years ago, after three decades of 42 CFR Part 2’s existence, the EHR industry starting fighting this regulation, because signing a piece of paper—what patients had done in those pre-EHR days—did not comport with digital systems (there is significant doubt on whether EHRs and confidentiality can coexist at all). As Paul Samuels, director and president of the Legal Action Center, put it, “We’re moving into an electronic age.” There should be a way to incorporate individualized consent into the electronic process, Samuels pointed out, way back in 2010.
Indeed, that’s exactly what Clark, a passionate supporter of confidentiality and 42 CFR Part 2, worked on. In a pilot project collaborating between SAMHSA and the Veterans Administration, Clark developed a program which embedded consent to share information electronically. But the big EHRs found this too cumbersome.
The Attitude of Treatment Programs
One would think that treatment programs, which make money by treating SUDs—which it’s safe to say most patients would like to keep private—would want to safeguard the regulation. But they didn’t.
Over the years, one by one—with a few notable exceptions—most treatment programs and organizations have caved: the National Association of Addiction Treatment Providers, whose members are private residential programs; the American Society of Addiction Medicine; Hazelden Betty Ford; and the National Association for Behavioral Healthcare (formerly the National Association of Psychiatric Health Systems) have all done so.
Only the American Association for the Treatment of Opioid Use Disorders, a membership organization of OTPs which treat patients with methadone (and buprenorphine and naltrexone, to a much lesser extent), Faces and Voices of Recovery, Treatment Communities of America, and the National Association for Addiction Professionals (NAADAC) have held out and still support keeping 42 CFR Part 2 as is. (NAADAC was originally in the group supporting eliminating 42 CFR Part 2, but changed its collective mind when counselors recognized that they didn’t want their liability to extend to the vast potential harms of the release of treatment information).
The intervention of the American Medical Association last fall, however, represents a big new player in the pro-privacy camp.
View From an Opioid Treatment Program
Patients may not even realize that they can harm themselves—their jobs, their insurance, their health care, their families, even their freedom from incarceration—by disclosing that they are in treatment.
“We have patients who will willfully disclose that they’re in treatment not realizing that they’re doing anything wrong, because they aren’t doing anything wrong,” explained Zac Talbott, treatment center director for MedMark Treatment Centers.
This is particularly problematic with child protection services in Georgia, where he is based. “There are so many exclusions and loopholes when it comes to HIPAA,” he told Filter. Child protective services can access the medical record without consent—unless it is protected by 42 CFR Part 2. “Law enforcement and child welfare can access these records at will now in Georgia,” Talbott said. “And there is a movement for law enforcement to access PDMPs.”
Under a letter from SAMHSA (which regulates OTPs) sent to OTPs, these programs are directed not to upload patient information into Prescription Drug Monitoring Programs (PDMPs). Rather, OTPs check the PDMP to see if their patients are getting controlled substances from other physicians.
“42 CFR Part 2 is the one thing standing between us and having to upload into the PDMP,” said Talbott. While methadone stigma is not as bad as it used to be, it still exists, he said. “We have so far to go.”
For example, he currently shares a medical director with a sister clinic, and needs to find his own. “Every doctor that I interview, as soon as they find out what we are, they aren’t interested,” said Talbott. These same physicians could adversely affect methadone patients if they had the information. “These are physicians who are treating my patients for cholesterol, for example, they could call up the record [if not protected], see that the patient is in an OTP, and suddenly they’re labeled as a drug-seeker,” he said. “Our patients talk about this all the time—how the physician attitude completely changes.”
“The people who want to undermine confidentiality will do so regardless of the lives it will hurt.”
Of course, when a patient trusts his or her physician, signing a consent to release information to that physician–and that physician only, is not a problem. Talbott described a situation in which a patient in his program was prescribed amphetamine for ADHD. “She is not abusing but she is scared the psychiatrist will stop seeing her, so she didn’t want to coordinate care” (which required her to sign a release so the OTP could share information).
She finally changed her mind, saying she would sign the release because she wanted her doctors to be able to talk to each other. “But first, she wanted to tell her psychiatrist herself,” Talbott recalled. The patient told her: “’I don’t want to blindside [you] out of the blue, by you sending this fax.’”
It’s pretty simple: Patients want control over their own health care, their own records. “Before you drop this stigma bomb, let them talk to their doctor themselves, is all they want,” said Talbott.
Talbott is not only a patient advocate, but a person in recovery with medication-assisted treatment. “I’m also a man of science, and I believe in research,” he said. “But do people stop and think? The people who want to undermine confidentiality will do so regardless of the lives it will hurt.”
What is happening with possible legislative and regulatory changes to confidentiality is not transparent, said Patty McCarthy Metcalf, executive director of Faces & Voices of Recovery. “In terms of legislation, we need to slow down,” she told Filter. “I don’t think people are even going to know that it changes, if it does, because the treatment providers aren’t going to tell patients that their information is no longer protected.”
The fact is, she said, treatment providers don’t want this to be an issue. “They may have a verbal consent for EHR,” she said. “That’s my biggest fear, that people who come into treatment won’t know that there’s been a change, that they’ve lost the right to consent to release of their information.”
It’s not patients who want the information shared–and if they do, they can sign consents to have it shared. “I’ve seen very few patients who said ‘I wish it were easier to share my records with everyone,’” Metcalf said. “And I hate to say this, but … there are lots of stories of law enforcement coming into treatment centers to get someone.”
“My treatment happened when I was 17 so I haven’t had any treatment in 30-something years,” continued Metcalf. “But if my doctor today could open up my record, and say, ‘I notice you went to treatment 30 years ago,’ I’d say, ‘That’s none of your business.’”
Faces and Voices represents the 23 million people (at least) in different forms of recovery in the United States, mostly through community organizations. On January 10, it sent out an action alert for people to contact their legislators on confidentiality. “We can mobilize hundreds of thousands of people,” Metcalf told Filter.
She is concerned about people who don’t understand the complexities of this regulation—especially people who are in crisis, but also those who are in recovery and may have become complacent about confidentiality.
“If somebody is ready to reach out for help, they don’t always understand what the treatment system is like,” said Metcalf. “They don’t know where to turn. They won’t know all the ins and outs of privacy laws.” But part of the process of engaging in treatment is privacy, and treatment providers should be involved in that process. Instead, many (not OTPs) are engaged in the opposite.
“I doubt that treatment systems will ever put a note on their websites that say, ‘Contact us for admissions, and by the way, your information will be shared with other providers,’” said Metcalf.
Methadone photo via Coloradoan