Proposed Reforms to 42 CFR Part 2 to Improve Care Coordination and Treatment Proposed Reforms to 42 CFR Part 2 to Improve Care Coordination and Treatment

Proposed Reforms to 42 CFR Part 2 to Improve Care Coordination and Treatment

Rachel V. Rose, JD, MBA

This auditing and compliance “Tip of the Week” was originally published by the National Alliance for Medical Auditing Specialists (NAMAS), a division of DoctorsManagement.

The Substance Abuse and Mental Health Services Administration (SAMHSA) has been busy over the past couple of years. “The 42 CFR part 2 regulations serve to protect patient records created by federally funded programs for the treatment of substance use disorder (SUD).” In January 2017, a major update to 42 CFR Part 2 (hereinafter “Part 2”) was unveiled, marking the first such change since the law’s inception in 1975.2

Then, a subsequent final rule was issued on January 2, 2018. Now, SAMHSA is proposing to revise Part 2 again. While the proposed rule will not alter the fundamental privacy and confidentiality framework and will continue to prohibit law enforcement’s utilization of SUD records in criminal prosecutions against the patient, as well as restricting disclosures of patient records without patient consent and other valid reasons, there are several modifications to a multitude of sections.4


First, as a refresher, let’s review some of the key takeaways from the January 2018 Final Rule, which include the following:

  • Additional disclosures of patient identifying information under the Confidentiality of Alcohol and Drug Abuse Patient Records in order to promote integrated and coordinated care.
  • Reiterated that the January 18, 2017 SAMHSA Final Rule provided for greater flexibility within the healthcare system of disclosing patient identifying information while balancing the need to protect the heightened, sensitive nature of substance abuse records.
    • Alignment with HIPAA and the HITECH Act is being explored.
    • “In response to comments received that the abbreviated notice did not provide an adequate warning against potential misuse of patient identifying information, SAMHSA, in this final rule, has modified the language in the abbreviated notice to more explicitly notify recipients that improper use or disclosure is prohibited under 42 CFR part 2.”
    • Finalized clarifications as proposed in §2.33(b) except for the list of 17 specific types of payment and healthcare operation activities that a covered entity, business associate or legal representative would be allowed to further disclose utilizing the minimum necessary standard.
    • Emphasis on the public policy behind SAMSHA that, “[u]nauthorized disclosure of substance use disorder patient records can lead to a host of negative consequences, including loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration. The purpose of the part 2 regulations is to ensure that a patient is not made more vulnerable.”5
Provision What Is the Proposed Change? Why Is This Being Changed?
Applicability and Re-Disclosure Treatment records created by non-part 2 providers based on their own patient encounter(s) will not be covered by part 2, unless any SUD records previously received from a part 2 program are incorporated into such records. Segmentation or holding apart of any part 2 patient record previously received can be used to ensure that new records created by non-part 2 providers will not become subject to part 2. To facilitate coordination of care activities by non part-2 providers.
Disposition of Records When an SUD patient sends an incidental message to the personal device of an employee of a part 2 program, the employee will be able to fulfill the part 2 requirement for “sanitizing” the device by deleting that message. To ensure that the personal devices of employees will not need to be confiscated or destroyed, in order to sanitize per part 2.
Consent Requirements An SUD patient may consent to disclosure of his part 2 treatment records to an entity (e.g., the Social Security Administration), without naming a specific person as the recipient for the disclosure. To allow patients to apply for benefits and resources more easily, for example, when using online applications that do not identify a specific person as the recipient for a disclosure of part 2 records.
Disclosures Permitted w/ Written Consent Disclosures for the purpose of “payment and health care operations” are permitted with written consent, in connection with an illustrative list of 17 example activities. In order to resolve lingering confusion under part 2 about what activities count  as “payment and health care operations,” the list of examples will be moved into the regular text from the preamble.
Disclosures to Central Registries and PDMPs Non-OTP (opioid treatment program) providers will become eligible to query a central registry, in order to determine whether their patients are already receiving opioid treatment through a member program.

OTPs will be permitted to enroll in a state prescription drug monitoring program (PDMP), and permitted to report data into the PDMP when prescribing or dispensing medications on Schedules II to V, consistent with applicable state law.

The revised central registry and PDMP provisions will help to prevent duplicative enrollments in SUD care, duplicative prescriptions for SUD treatment, and adverse drug events related to SUD treatment.
Medical Emergencies Declared emergencies resulting from natural disasters (e.g., hurricanes) that disrupt treatment facilities and services will meet the definition for a “bona fide medical emergency,” for the purpose of disclosing SUD records without patient consent under part 2. To ensure clinically appropriate communications and access to SUD care, in the context of declared emergencies resulting from natural disasters.
Research Disclosures for research under part 2 will be permitted by a HIPAA covered entity or business associate to individuals and organizations who are neither HIPAA covered entities, nor subject to the Common Rule (re: Research on Human Subjects). To facilitate appropriate disclosures for research, by streamlining overlapping requirements under part 2, the Privacy Rule and the Common Rule.
Audit and Evaluation Part 2 will be revised to clarify that some specific situations fall within the scope of permitted disclosures for audits and/or program evaluation. To resolve current ambiguity under part 2 about what activities are covered by the audit and evaluation provision.
Confidential Communications The standard for court ordered disclosures of SUD records for the purpose of investigating “an extremely serious crime” will be revised, by dropping the phrase “allegedly committed by the patient.” To correct an earlier technical error from the 2017 rule-making, in which this phrase was inadvertently added to regulatory text without notice or public comment.
Undercover Agents and Informants Court-ordered placement of an undercover agent or informant within a part 2 program will be extended to a period of 12 months, and courts will be authorized to further extend the period of placement through a new court order. To address DOJ concerns that the current policy is overly restrictive to some ongoing investigations of part 2 programs.



In conclusion, there are a lot of moving parts and changes to keep up with. Be vigilant for the final rules and keep track of which items in the proposed rules remain the same in the final rule and which ones change. The fundamental item to remember is that SUD records are given heightened privacy protections when compared to regular medical records. Failing to honor these factors and, when necessary, distinguish them from the Health Insurance Portability and Accountability Act (HIPAA) requirements, can lead to adverse legal proceedings and government enforcement actions.



[1] See (Aug. 22, 2019).

[2] 42 CFR Part 2, (last visited Nov. 5, 2019).

[3] 83 Fed. Reg. 239 (Jan. 2, 2018).

[4]Supra, n. 1.

[5] Rachel V. Rose, JD, MBA, SAMSHA Final Rule: What Docs Need to Know (Jan. 25, 2018),

[6] Supra n. 1.This

This week’s Audit Tip Written By:

Rachel V. Rose, JD, MBA

Rachel V. Rose, JD is a Houston-based attorney
advising on federal & state compliance and areas
of liability associated with a variety of healthcare,
legal and regulatory issues.

eek’s Audit Tip Written By:

What to do next…

  1. Contact us to discuss your audit needs by calling (800) 635-4040 or email
  2. Read more: What can you expect from a coding and compliance review?
Here’s why thousands of providers trust DoctorsManagement to help improve their coding and documentation.

Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credential.

Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.

Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.