SHARING
Substance Use Disorder Information
A GUIDE FOR WASHINGTON STATE
HCA 60-0015 (10
/21)
Contents
Disclaimer 3
Introduction Letter – Dr. Fotinos
4
Introduction
5
Executive Summary
6
Scope and Summary of Privacy Laws
9
Laws That Apply to All Types of
Health Information
9
Federal 9
Washington State 10
Laws that Apply to Substance
Use Disorder Information
10
Federal 10
Laws that Apply to Mental
Health Information
11
Washington State 11
Laws that Apply to Sexually
Transmitted Infection Information
11
Washington State 11
Generally Applicable Guidance 13
Minimum Necessary Standard
13
Psychotherapy Notes
14
De-identied Information and
Limited Data Sets
14
De-identied Information 14
Limited Data Sets 16
Who is Subject to 42 CFR Part 2? 17
Am I a program?
17
Am I Federally Assisted?
18
Recipients and Lawful Holders
18
What records are protected?
19
Part 2 program provides only
SUD services
19
Part 2 program provides co-located
SUD and mental health services
19
Disclosures with Consent
21
Consent Requirements
21
Re-disclosure
25
Documenting Disclosures
26
Uses and Disclosures Without Consent
28
Treatment
29
Payment
30
Health Care Operations
33
Medical Emergency
37
Communication within a Part 2 Program
38
Access by Person with SUD
39
Public Health Reporting
40
Research
41
Audit and Evaluation
42
Law Enforcement and Judicial Proceedings
46
Conrming Enrollment
47
1
42 CFR Part 2 Revised Rule 49
Scenarios and Guidance for SUD Data
Exchange
51
Treatment Scenario 1:
Communication within a Part 2 Program
54
Treatment Scenario 2:
Communication between
dierent Part 2 Programs
55
Treatment Scenario 3: Sharing
information with a provider not
subject to Part 2
56
Treatment Scenario 4: Sharing
information with emergency personnel
57
Treatment Scenario 5: Sharing
SUD information through an HIE
58
Treatment Scenario 6: Provider not subject
to Part 2 sharing with Part 2 Program
59
Treatment Scenario 7: Communication
between Part 2 Program and School
60
Payment and Health Care Operations
Scenario 1: Disclosures from a Part 2
Program to Contractors
61
Payment and Health Care Operations
Scenario 2: Disclosures to Third-Party
Payer
62
Appendix 1
Consent Form
63
Appendix 2
Provider Script
68
Appendix 3
Patient Brochure
71
Appendix 4
SUD Consent Management Work Group
Membership and Guidance Reviewers
74
2
Disclaimer
This guidance is designed to clarify the state and federal laws that
limit the use and disclosure of substance use disorder information,
and it is intended to increase the common level of understanding in
Washington’s health care community. However, it is non-binding, is for
informational purposes only and should not be construed as legal advice
from Washington State or the Health Care Authority. Compliance with
and interpretation of health care privacy laws is complex. Readers are
encouraged to consult an attorney prior to operationalizing policies and
procedures that control the use and disclosure of protected information.
The Health Care Authority makes no warranties, express or implied,
regarding errors or omissions and assumes no legal liability or
responsibility for loss or damage resulting from the use of information
included in this document.
3
Twenty years ago most people thought addiction to drugs or alcohol was a
choice, a weakness of character. This thinking led to discrimination and a
law enforcement focused approach to treatment. In order to protect people
from discrimination strict Federal privacy rules were put in place. While
well intended, the rules are complicated and hard to understand. This has
led to barriers in sharing important health information across different
disciplines of care.
Today we know addiction is not a choice. Brain science has helped us
understand the complicated brain changes that occur in people who suffer
from addiction to alcohol or drugs, also called substance use disorders.
Despite this knowledge, people with substance use disorders and their
families continue to carry shame and are afraid to talk about how their
lives are being affected. This is particularly true with the current opioid
epidemic.
The very good news is that there are effective medical treatments
for opioid use disorder. There are also behavioral therapies that can
help people with other substance use disorders. This makes it more
important than ever for health care providers to think about and address
‘whole person’ health. This toolkit is meant to help medical, mental
health, chemical dependency professionals and patients understand
how a person’s information can be safely shared and protected. Better
information sharing across health care disciplines will help assure
medications are prescribed safely, duplicate tests and treatments are
avoided, and that health care providers can work together to help support
their patients. Substance use disorders are medical conditions that are
treatable, perhaps when healthcare providers become better at asking
about substance use and sharing this information with other health related
disciplines, there will be less shame and trying to keep hidden, treatable
conditions.
A word from Dr. Fotinos
Dr. Charissa Fotinos
4
Introduction
have access to complete information and can
provide whole-person care. But a complex set of
privacy laws and regulations apply to Washington
providers that sometimes cause confusion and
prevent appropriate information from being
available. Whether information can be exchanged
may vary based on:
• What type of health information is being
exchanged;
• The setting where care was provided;
• Who is disclosing the information; and
• Who is receiving the information.
Substance use disorder (SUD) information is often
subject to stringent regulations in 42 Code of
Federal Regulations (CFR) Part 2 (sometimes just
referred to as “Part 2”). Not all SUD information is
subject to Part 2; SUD informationis only subject
to Part 2 when created or disclosed by an entity
that is subject to Part 2 (referred to as a "Part 2
Program").
Part 2 is based on legislation passed in the 1970s
that was designed to address the risk of stigma
and discrimination, and encourage people to seek
services. The regulations have been updated
recently, but because they are based on legislation
that is over four decades old they are inconsistent
with other health care privacy laws and do not
movement toward integrated, whole-person care.
Faced with a complex set of privacy laws, providers
may take one of two opposing approaches.
They may overprotect the information and not
share at all, or they may accidentally share more
information than is allowed by law. Neither
There are continued efforts to modify the statutes
and regulations that protect SUD information, but
the Health Care Authority believes it is important
to implement current law as effectively as possible
now without waiting for uncertain future changes.
The goal of this document is to begin to break down
barriers to information exchange and integrated
care with guidance that establishes an accepted
and commonly understood interpretation of when
and how information can be appropriately shared.
• Promoting shared understanding of when
information can be shared with or without
consent;
• Enabling greater consistency in how consent is
requested and provided; and
• Facilitating whole-person care, and promoting
care coordination and patient safety, by allowing
providers more access to comprehensive health
care information.
These resources were created in collaboration
with other state agencies and valuable review
was provided by a wide range of partners in the
health care community. Continued engagement
from those participants and others in the health
care community is essential to ensure we continue
making progress that allows us to better serve
Washington residents.
5
Executive Summary
The rest of this document includes detailed
information about the health care privacy laws that
apply to the exchange of SUD information. This
summary is intended to highlight key points, and
help you navigate the document.
Scope
This document is intended to focus on substance
use disorder information covered by 42 CFR Part
2. However, it is important to recognize that there
are many different statutes and regulations that
establish protections for different types of health
care information. In particular:
• The Health Insurance Portability and
Accountability Act (HIPAA), and its
implementing regulations, establish the
minimum protections for all types of health care
information.
• State law in chapter 70.02 RCW establishes
standards that largely, but not always, mirror
HIPAA .
• State law in chapter 70.02 RCW also establishes
more stringent protections for mental health
and sexually transmitted infection information.
• Federal law in 42 USC 290dd-2, and its
implementing regulations in 42 CFR Part 2,
control the use and disclosure of applicable
substance use disorder information.
More information about these different laws is
provided beginning on page 9.
Generally applicable guidance
Although different laws apply to different types of
information, some basic principles apply broadly
to all types of health care information. These
principles include:
• The minimum necessary standard requires that
in most circumstances, even when information
is allowed to be used, shared, or requested, only
the minimum amount necessary to accomplish
a particular purpose should be used, shared, or
requested.
•
information properly removed is no longer subject
to legal protection.
More information about these topics is provided
beginning on page 12.
Who is subject to 42 CFR Part 2
42 CFR Part 2 only applies to SUD information
created by particular providers, called Part 2
Programs. A provider that provides SUD services
is a Part 2 Program if it holds itself out as offering
SUD services, and is federally assisted. The
broad and will include most providers, unless the
of “holds itself out” is less clear:
•
that it provides SUD services, or is a separate
unit that specializes in SUD services as part of a
larger facility.
• An individual physician can be a Part 2 Program,
but it is unlikely that providing occasional
medication-assisted treatment alone would
make a physician subject to Part 2.
6
7
Even for a Part 2 Program, it is possible some of its
records are not subject to 42 CFR Part 2, such as if
it provides both mental health and SUD treatment.
People or organizations other than the Part 2 Program
can also become subject to Part 2’s restriction. For
example, when SUD information is shared pursuant
to consent, Part 2’s restrictions carry through to the
recipient of the information.
More information about Part 2’s applicability is
provided beginning on page 16.
Disclosures with consent
SUD information can be shared consistent with
a person’s consent. The requirements for a valid
written consent under 42 CFR Part 2 are more
example:
• Consent must describe both who can share
information, and who can receive it;
• Consent can allow sharing with “all treating
providers” through an intermediary, such as a
Health Information Exchange (HIE), but the HIE
attach to how disclosures must be tracked; and
• The information must be accompanied by a
statement to the recipient that the information
remains subject to the restrictions in 42 CFR
Part 2.
More information about sharing SUD information
pursuant to consent is provided beginning on page 20.
Disclosures without consent
42 CFR Part 2 contains far fewer situations than
HIPAA where information can be shared without
consent, but it does include some. For example,
information can be shared:
• In response to a medical emergency,
• For appropriately approved research projects,
• For limited public health purposes, or
•
provide certain administrative functions.
More information about situations where information
can be shared without consent, and the prerequisites
to sharing, is provided beginning on page 27.
Common exchange scenarios
Many people and organizations may be involved
with a person’s care, including different providers,
contractors of those providers, and third-party
payers. This document includes detailed scenarios
that walk through how those different people and
organizations can exchange information beginning
on page 45.
Provider and patient educational
materials
Much of this document is intended to be a resource
for providers to understand when SUD information
can be used, shared, or requested. It also includes
materials that can be used to facilitate gathering
consent, including:
• A template consent form that incorporates
recent changes to 42 CFR Part 2,
• A sample script that could be used by a clinician
at the point of care to explain consent, and
• A patient brochure that describes consent and
the legal protections for SUD information.
These resources begin on page 55.
8
Scope and Summary of Privacy Laws
The Health Insurance Portability and
Accountability Act (HIPAA) sets the minimum
standards for protecting health information.
1
If
other laws establish more stringent protections,
then those more stringent laws apply.
2
For example,
if a Washington statute does not allow information
to be shared in a particular circumstance, then it
cannot be shared even if HIPAA would have allowed
the information to be shared.
There are several types of information that are
subject to heightened protections. SUD information
created or disclosed by Part 2 Providers is
protected by federal law, and mental health and
sexually transmitted infection (STI) information are
protected by state law.
Each privacy law begins with the same basic
assumption: information can never be used or
disclosed without a person’s consent. The laws
then provide lists of exceptions to that general rule.
Much of the complexity and confusion surrounding
the exchange of health information arises from
differences with respect to which exceptions apply
to which types of information.
This guidance is focused on the intersection of
laws that govern SUD information. But some basic
understanding of the laws that apply to other types
of information is helpful. Just as different types
of information are subject to different health care
privacy laws, the types of people or organizations
that are subject to each law varies. For example,
not all organizations subject to HIPAA must comply
with state law in chapter 70.02, and some health
care privacy laws have exemptions for workers’
compensation programs.
3
With the exception of
providing details on who 42 CFR Part 2 applies to,
this guidance is not intended to address which laws
apply to which people or organizations.
Laws That Apply to All Types of Health Information
Federal
HIPAA Privacy Rule
(45 C.F.R. § 164.500 et seq.)
The HIPAA Privacy Rule establishes national standards to protect medical records and other
patient-identifying health information and applies to health plans, healthcare clearinghouses, and
most health care providers.
4
The entities that HIPAA applies to are called “covered entities.” Some
contractors of covered entities, called “business associates,” must also comply with HIPAA.
5
The
Privacy Rule requires appropriate safeguards to protect the privacy of patient-identifying health
information, and sets limits and conditions on the uses and disclosures of information without
consent.
6
Generally, exceptions are allowed for treatment, payment, and healthcare operations.
7
Other exceptions are laid out in the rule as well. The Privacy Rule also gives patients’ rights over their
health information, including rights to access and to request corrections.
1
45 CFR § 160.203.
2
45 CFR § 160.203(b).
3
See, e.g., 45 CFR § 164.514(l).
4
45 CFR § 160.102.
5
45 CFR § 160.102.
6
45 CFR Part 164, Subpart
E.
7
45 CFR § 164.506.
9
HIPAA Security Rule
(45 C.F.R. § 164.300 et seq.)
The HIPAA Security Rule establishes security standards to protect individuals’ electronic patient-
identifying information that is created, received, used, or maintained by a covered entity or its
business associate(s). The Security Rule requires appropriate administrative, physical, and technical
Washington State
Chapter 70.02 RCW
This chapter of Washington law, known as Washington’s Uniform Health Care Information Act,
creates privacy standards for health care providers and third-party payers. Its requirements largely,
but not entirely, mirror national standards in HIPAA, but as described below it also includes enhanced
protections for mental health and sexually transmitted infection information.
Laws that Apply to Substance Use Disorder Information
Federal
42 CFR Part 2
42 CFR Part 2 applies to federally assisted treatment programs that hold themselves out as providing,
and actually provide, substance use disorder diagnosis, treatment, or referral for treatment (Part 2
for substance use disorder treatment services. These regulations apply to information that would
identify a person as having a SUD who is treated by a Part 2 Program and allow very limited
disclosures of information without consent. With the exception of disclosing information in response
to a medical emergency, disclosures outside the program are not allowed for treatment functions
without explicit consent.
8
45 CFR §§ 164.522-528.
9
45 CFR Part 164, Subpart C.
10
42 CFR Part 2, Subpart D.
10
Laws that Apply to Mental Health Information
Washington State
Chapter 70.02 RCW
Chapter 70.02 RCW includes enhanced protections for information related to mental health treatment,
including the fact of admission for treatment provided by a mental health professional.
11
This information
may be shared between providers for legitimate treatment purposes, such as care coordination or referral
from one provider to another.
12
Other disclosures should be examined on a case-by-case basis.
Laws that Apply to Sexually Transmitted Infection Information
Washington State
Chapter 70.02 RCW
Chapter 70.02 RCW includes enhanced protections for information related to tests, test results,
diagnoses, or treatment for sexually transmitted infections.
13
This information may be shared
between providers without written consent for legitimate treatment purposes, such as care
coordination or referral from one provider to another.
14
Other disclosures should be examined on a
case-by-case basis.
11
RCW 70.02.010(22); 70.02.230.
12
RCW 70.02.230(2)(u).
13
RCW 70.02.010(23); 70.02.220
14
RCW 70.02.220(5).
11
12
Generally Applicable Guidance
Although there are many considerations that help
determine whether information may be shared
privacy principles apply broadly to most scenarios.
The concepts below typically apply to all types of
health information, including SUD, mental health,
and STI information.
Minimum Necessary Standard
The minimum necessary standard is both a best
practice and a legal requirement. Under this
standard, even uses or disclosures that are allowed
by law must be limited to the minimum amount of
information necessary to accomplish the intended
purpose. Importantly, it applies regardless of
whether the information is being requested, used,
or disclosed.
In addition to the explicit minimum necessary
standard in HIPAA, the concept is included in both
42 CFR Part 2
15
and chapter 70.02 RCW, which
allows disclosures “to the extent a recipient needs
to know the information.”
16
Although 42 CFR Part 2 and chapter 70.02 RCW
do not include explicit exceptions to the minimum
necessary standard, HIPAA clearly states there
are some scenarios where the standard does not
apply:
17
• Disclosures to or requests by a health provider for
treatment purposes
• Disclosures made to the patient who is the subject
of the record
• Uses or disclosures made pursuant to a valid
patient consent
• Disclosures to the Secretary of the U.S. Department
of Health and Human Services
• Uses or disclosures required by law, such as a
statute that requires reporting suspected abuse
or a court order to share information with an
attorney
15
42 CFR §§ 2.13(a); 2.31(a)(5); 2.51(a).
16
RCW 70.02.050(1).
17
45 CFR § 164.502(b).
13
Each of these exceptions, however, may be subject
to other limitations on uses and disclosures. For
example, a disclosure pursuant to written consent
must comply with the terms of the consent. Similarly,
a disclosure required by law must be tailored to what
the law or court order requires to be disclosed.
Psychotherapy Notes
information that includes notes created by a mental
health professional documenting a conversation
during a counseling session, that are kept separate
from the rest of a person’s medical record and
are subject to different standards for disclosure.
18
These notes may be used for treatment purposes
by the provider who created the notes. In most
other circumstances, the notes cannot be used or
disclosed without patient consent.
19
The consent
notes. Patients may provide consent to share
medical records, while still excluding the sharing of
psychotherapy notes.
De-identied Information and
Limited Data Sets
Information that has identifying information
removed may be used or shared with fewer
information removed. They have had different
amounts of information removed and are subject to
different levels of protection.
De-identied Information
who is the subject of the information cannot
information is not protected by health care
privacy laws. This principle is explicit in
HIPAA,
20
and the concept is also included in 42
CFR Part 2 and chapter 70.02 RCW.
42 CFR Part 2 applies to information created by
Part 2 Providers that could reveal “the identity
of a patient . . . with reasonable accuracy.”
21
The
Substance Abuse and Mental Health Services
Administration (SAMHSA) has indicated that
22
Chapter 70.02 RCW applies to information that
identity of a patient.”
23
small; or
in combination with an absence of actual
knowledge that the information could be used to
re-identify an individual
knowledge of and experience with generally
18
45 CFR § 164.501; RCW 70.02.010(37).
19
45 CFR § 164.508(a)(2); RCW 70.02.230(2)(u)(B)(iii).
20
45 CFR § 164.514(a).
21
42 CFR § 2.11.
22
FR Vol. 82, No.11, p.6064, January 18, 2017.
23
RCW 70.02.010(17).
24
45 CFR § 164.514(b).
14
and methods for rendering information not
The second method is called the safe harbor
method. It cannot be used if there is actual
knowledge that a person could still use the
information to identify a person, and it requires
all of the following information about the
person, relatives, employers, and household
members to be removed:
25
• Names;
• All geographic subdivisions smaller than a State,
including street address, city, county, precinct, zip
code, and their equivalent geocodes, except for the
initial three digits of a zip code if, according to the
current publicly available data from the Bureau of
the Census:
The geographic unit formed by combining
all zip codes with the same three initial
digits contains more than 20,000 people;
and
The initial three digits of a zip code for all
such geographic units containing 20,000
or fewer people is changed to 000.
• All elements of dates (except year) for dates
directly related to an individual, including birth
date, admission date, discharge date, date of death;
and all ages over 89 and all elements of dates
(including year) indicative of such age, except that
such ages and elements may be aggregated into a
single category of age 90 or older;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
•
• Account numbers;
•
•
license plate numbers;
•
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
•
prints;
• Full face photographic images and any comparable
images; and
• Any other unique identifying number,
characteristic, or code.
It’s important to understand that removing
identifying characteristic could be considered an
25
45 CFR § 164.514(b)(2).
15
Limited Data Sets
Fully de-identifying, especially using the safe
loss that will limit the usefulness of the health
information. A limited data set is information
therefore may be more useful. Limited data
sets can be disclosed only for research, public
health, or health care operations purposes
and must be accompanied by a data use
agreement.
26
The following information about
the individual, relatives, employers, and
household members must be removed:
27
• Names
• Street address
• Telephone and fax numbers
• Electronic mail addresses
• Social Security Numbers
• Medical record numbers
•
• Account numbers
•
•
license plate numbers
•
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) addresses
•
prints
• Full face photographic images and any comparable
images
Unlike the safe harbor method, a limited data
set may include some indirectly identifying
information such as dates and geographic
information (except street address). However, a
still considered protected health information.
28
26
45 CFR § 164.514(e)(3-4).
27
45 CFR § 164.514(e)(2).
28
45 CFR § 164.514(e)(3-4). 16
Who is Subject to 42 CFR Part 2?
An entity or provider is subject to 42 CFR Part 2 if
federally assisted.
29
only accept private insurance or self-pay patients
that do not receive federal assistance of any
kind are not subject to 42 CFR Part 2 unless they
are required to comply under state licensing or
Am I a program?
An individual or entity is a “program” if they
provide or make referrals for SUD services,
and “hold themselves out” out as offering SUD
services.
30
An individual or entity “holds itself out”
if they do anything that would lead someone to
reasonably think that they provide SUD diagnosis,
treatment, or referral for treatment. Examples of
activities that could qualify include:
• State or federal government authorization
provide SUD services,
• Advertisements, notices, or other postings or
presentations about SUD services, or
• Offering consultation for non- “program”
practitioners.
A program can be either an individual or an entity,
and can include:
31
• An individual or entity that is not part of a
general medical facility,
•
facility, or
• Individual personnel or staff in a general
medical facility whose primary function is
providing SUD services.
In other words, it is possible for a facility with
multiple provider functions to have certain isolated
providers or groups who are subject to Part 2,
while the facility as a whole is not subject to Part
2. For example, a large facility may have primary
care providers and a separate unit that provides
SUD services. The SUD unit is subject to Part 2, but
the rest of the facility is not. If a patient were to
receive both primary care and SUD treatment, the
SUD providers are still subject to Part 2 and could
not share information with the patient’s primary
care provider without consent.
An individual provider who works in a general
medical facility (not in a standalone SUD
be a Part 2 program, but only if the provider’s
primary function is to provide SUD services. For
example, a primary care physician who provides
29
42 CFR § 2.12(a).
30
42 CFR § 2.11.
31
42 CFR § 2.11.
17
medication-assisted treatment would only meet
the requirement if providing services to persons
with SUD is their primary function. The fact that
the physician sometimes provides SUD services as
part of their practice does not on its own make the
physician a Part 2 program.
Am I Federally Assisted?
practitioners that may not receive federal
assistance of any kind, most SUD treatment
broad, and you should consult with legal counsel
if you are unsure if you are federally assisted.
Examples of federal assistance include:
32
• The program is conducted directly by the federal
government.
•
or registered by the federal government, which
could include:
Participation in the Medicare or Medicaid
program,
Authorization to conduct maintenance
treatment or withdrawal management, or
Registration with the Drug Enforcement
Agency to dispense a controlled substance in
the treatment of substance use disorders.
• The program receives federal funds in any form,
even if the funds do not directly pay for the
substance use disorder services.
• Income tax deductions are allowed for
contributions to the program, or the
contribution is granted tax exempt status.
Recipients and Lawful Holders
Part 2 directly regulates providers who meet the
restrictions also apply to other individuals or
entities who receive protected SUD information
from a Part 2 program pursuant to a properly
completed consent form or under one of the other
limited exceptions that allow disclosure without
consent. The people or entities that receive
information pursuant to consent or another
exception are called lawful holders.
When a recipient like a primary care treating
provider, a third-party payer, or an HIE receives
SUD information pursuant to consent, it must
protect that information to the same extent as
the Part 2 program.
33
When the recipient receives
information under one of Part 2’s exception,
exception allowed the recipient to obtain the
information. For example, a researcher cannot
re-disclose information to anyone other than the
entity that provided the information,
34
and an
auditor may have to sign an agreement limiting its
acceptable uses and disclosures.
35
32
42 CFR § 2.12(b).
33
42 CFR § 2.32.
34
42 CFR § 2.52.
35
42 CFR § 2.53.
18
What records are protected?
The fact that a facility or individual provider is
subject to 42 CFR Part 2 does not mean that all of
the records held by that facility or provider are
subject to the standard in Part 2. Only information
that would directly or indirectly identify a person
as having an SUD is protected.
36
The examples
below show how Part 2 applicability for particular
records may vary depending on the setting where
services are provided.
Part 2 program
provides only SUD services
If a facility only provides SUD services, then
all of its patient records will be subject to 42
CFR Part 2. This is true even if some of those
or diagnosis information. The reason is that
even those records, in combination with the
fact that the facility provides only SUD services,
reveals that a person receiving treatment is
being treated for an SUD.
Part 2 program provides
co-located SUD and mental
health services
When a facility does not solely provide SUD
services, then Part 2 applicability will depend
For this type of facility, Part 2 will apply to
records about patients receiving SUD services.
This includes records that show treatment
for co-occurring mental health and substance
use disorders. But Part 2 will not apply to
information about people receiving only mental
health services.
to different standards. But it is important to
recognize that mental health information is not
subject to the standards in 42 CFR Part 2 and
can be shared without consent for treatment
purposes, including care coordination, as
allowed under HIPAA.
37
36
42 CFR § 2.12(a)(1).
37
RCW 70.02.230(2)(u).
19
Subject to
42 CFR Part 2
Subject to
42 CFR Part 2
Subject to
42 CFR Part 2
Not subject to
42 CFR Part 2
Not subject to
42 CFR Part 2
Not subject to
42 CFR Part 2
Not subject to
42 CFR Part 2
Am I a Part 2 Program?
Am I federally
assisted?
Am I a provider in a
general medical
facility?
Am I a provider
that holds itself out
as providing SUD
treatment services
and provide those
services?
Does the facility
have a SUD
treatment program?
Do personnel within
the facility provide
SUD treatment?
Does the facility
hold itself out as
providing SUD
treatment services
and provide those
services?
Is SUD treatment
the provider’s
primary purpose?
YES
YESYES
YES
YES
YES YES
NO
NO
NO
NO
NO
NO
Not subject to
42 CFR Part 2
NO
20
Disclosures with Consent
Health care privacy laws focus primarily on uses
and disclosures without patient consent. But they
also give patients control over their information
and allow a wide range of uses and disclosures
consent is required for SUD information to be
disclosed for treatment, payment, or health care
operations purposes.
The consent must be documented in writing
and important restrictions apply to how the
information may be re-disclosed after the initial
disclosure.
Consent Requirements
A written consent for the disclosure of SUD
38
Many of these elements are straightforward
and need little explanation. Others have been
complicated by recent changes to 42 CFR Part
2, but when properly implemented allow for
when information can be shared.
A consent form that meets these requirements will
also satisfy the requirements in HIPAA and chapter
70.02 RCW.
The name of the patient
The consent must identify whose information may
be disclosed.
Who may make the disclosure
This requirement is commonly referred to as the
“from whom” element of consent. It explains who
is allowed to disclose information. This element
designation.
who may disclose the information. This type of
designation minimizes how information is shared
and allows patient control. It also comes with some
practical limitations. For example, if the intent
is for reciprocal sharing between two programs,
care must be taken to ensure the consent allows
both programs to disclose information. And if the
disclosing program changes its name following a
merger or restructuring, the consent will no longer
be valid.
Alternatively, the consent may include a general
designation of who may disclose information, such
as “any drug or alcohol treatment program.”
The appropriate designation depends on the
intended purpose of the consent. If the intent is to
facilitate sharing between Part 2 programs or to
facilitate sharing information via an intermediary,
such as an HIE, then a general designation will
for information exchange that supports care
coordination. If the purpose is more focused, such
as to release information to a third-party payer
more appropriate.
38
42 CFR § 2.31(a).
21
What information may be disclosed
The consent must explain how much and what kind of information may
be disclosed, including an explicit description of the SUD information
that may be disclosed. For example, it may explain that all SUD treatment
history may be disclosed, including medications, lab test results, diagnoses,
and clinical notes. Or it may specify that only claims data may be
transmitted. To ensure that the consent can be followed, it is important
information is actually maintained and how it can be divided.
Who can receive the information
This requirement is commonly referred to as the “to whom” element of
consent. As with the “from whom” requirement, this information can be
general designations have been introduced in recent changes to allow
greater sharing for treatment purposes, particularly in the context of HIE.
However, these changes have also added complexity.
In general, determining whether a consent form is valid requires
considering:
• Whether there is a treating provider relationship with the recipient,
• Whether the recipient is a third-party payer,
• Whether the consent designates an individual or an entity, and
• Whether the information is shared with an intermediary (such as an
HIE).
The level of detail required for different scenarios is shown on the next
page.
22
Intermediary
Relationship
with patient
To whom
requirements
Explanation
None
Any, may or may not
be a provider
of individual or
entity
Information can always be shared
individual or entity.
None Treating provider
of entity
When the recipient is a treating
provider, identifying the entity is
None Third-party payer
of entity
When the recipient is a third-party
payer, identifying the entity is
Intermediary HIE Any
of individual and
intermediary entity
individual through an intermediary
should identify the intermediary
entity. The intermediary does not
Part 2 program.
Intermediary HIE
Single treating
provider
of entity and
intermediary entity
through an intermediary should
identify the intermediary entity.
The intermediary does not have to
service organization of the Part 2
program.
Intermediary HIE
Multiple treating
providers
General designation
of individuals or
entities with a
treating provider
relationship and
of intermediary
entity
Consent to share through an
intermediary can include a general
designation to allow sharing with
a broader group of recipients, such
as all treating providers. This is a
recent change aimed at increased
information.
The intermediary needs to be
Part 2 program.
23
In addition, a consent that includes a general
designation must also include a statement
indicating that the patient understands that
they may request and receive a list of entities
that have received information pursuant to the
general designation. More information about
this requirement is included in the “Documenting
Disclosures” section later in this document.
Why the information is being disclosed
The consent must include the purpose of the
disclosure. Any disclosures pursuant to the
consent must be tailored to the minimum amount
For example, if a third-party payer is authorized to
receive information to process a claim for payment,
it would typically not be necessary to share all SUD
information.
An explanation of the right to revoke consent
The consent must explain that the patient may
revoke consent at any time prior to its expiration,
39
and explain how to revoke consent. Consent
pursuant to 42 CFR Part 2 can be revoked orally,
but SAMHSA recommends obtaining revocation
in writing or documenting an oral revocation in a
person’s record.
Consent cannot be revoked to the extent it has
already been acted upon. For example:
• If treatment is provided in reliance on written
consent that allows disclosure to receive
payment from a third-party payer, then consent
cannot be revoked to prevent a provider from
submitting a claim for payment;
40
and
• Revoking consent does not have any impact on
information that has already been appropriately
shared pursuant to the consent.
When the consent expires
it is valid until revoked. Instead, it must include
Consent that expires “one year from the date of my
signature” would be valid, as would consent that
expires “upon my death.”
41
The patient’s signature
The consent must include the patient’s signature,
or the signature of a person authorized to act on
behalf of the patient. The signature may be an
electronic signature.
42
39
42 CFR § 2.31(a)(6).
40
42 CFR § 2.31(a)(6).
41
FR Vol. 82, No. 11, p.27.
42
The requirements for a valid electronic signature in
Washington are beyond the scope of this guidance.
24
If the consent is signed by someone other than
the patient, it should include an explanation of
the relationship between the person signing and
the patient. If the person receiving services has
been determined by a court to be incompetent,
then a court-appointed guardian or other legally
authorized person can sign.
If the patient is a minor, then whether the minor
can provide consent depends on whether they
could consent to receive treatment without
parental consent. If the minor cannot receive
treatment without consent from a parent or
guardian, then both the minor and the minor’s
parent or guardian must provide consent.
43
In Washington, a minor under the age of 13 cannot
receive SUD treatment without parental consent.
Whether a minor who is 13 or older may consent
to receive services depends on a variety of factors,
including whether the services are inpatient or
outpatient, whether the minor is emancipated,
whether minor is capable of making a rational
choice to receive treatment, and whether the
Department of Social and Health Services has
determined the minor is a child in need of services.
When a parent or guardian signs on behalf of a
person receiving services, the relationship should
The date the written consent is signed
The consent must include the date it is signed.
This establishes when information can begin to be
disclosed.
Re-disclosure
Under HIPAA and chapter 70.02 RCW, legal
protections for information do not automatically
attach when the information is shared. For
instance, if a HIPAA-covered entity shares health
information (and the entity sharing information
is not a Part 2 program) with another covered
entity pursuant to consent, the information is still
protected by HIPAA because the recipient is subject
to HIPAA. But if the consent allows disclosure to
a person who is not subject to HIPAA, then the
recipient is not required to follow HIPAA when
further sharing the information.
42 CFR Part 2 operates differently. SUD
information received pursuant to consent cannot
be re-disclosed unless:
The consent allows the additional disclosure,
Separate written consent is obtained that
allows the additional disclosure, or
The additional disclosure is otherwise
allowed by 42 CFR Part 2 without consent.
43
42 CFR §§ 2.31(a)(8); 2.14(b).
25
To put the recipient of SUD information on notice of
this limitation, each disclosure pursuant to consent
must include one of these two statements:
44
Documenting Disclosures
Even when made pursuant to consent, some
disclosures must be documented so that a list
of disclosures can be provided at the patient’s
request. This requirement only applies to
disclosures pursuant to a consent that uses a
requirement to document and provide a list of
disclosures applies when:
45
• The disclosures are made by an intermediary,
such as an HIE; and
• The disclosures are pursuant to a general “to
whom” designation, such as “all individuals
or entities that have a treating provider
relationship” with the patient.
A patient’s request for a list of disclosures must
be in writing and is limited to disclosures within
the last two years. The information that must be
provided in response includes:
• The names of the recipients;
• The date of the disclosures; and
• A brief description of the information disclosed.
This record which has been disclosed to you
(42 CFR part 2). The federal rules prohibit
you from making any further disclosure
of this record unless further disclosure is
expressly permitted by the written consent
of the individual whose information is being
disclosed in this record or, is otherwise
permitted by 42 CFR part 2. A general
authorization for the release of medical or
purpose (see §2.31). The federal rules restrict
any use of the information to investigate or
prosecute with regard to a crime any patient
with a substance use disorder, except as
provided at §§2.12(c)(5) and 2.65.
- or -
42 CFR part 2 prohibits unauthorized
disclosure of these records.
44
42 CFR § 2.32.
45
42 CFR §§ 2.13(d); 2.31(a)(4).
26
The list must be provided within 30 days of
receiving the written request.
46
This requirement
is separate and distinct from the “accounting of
disclosures” process in HIPAA. The accounting of
disclosures requirement has different timelines
and requires documentation of different types of
disclosures. For example, disclosures pursuant
to consent are explicitly excluded from the HIPAA
accounting of disclosures process.
Sample Consent
HCA recognizes that providers, payers, and other
organizations have created and implemented
consent gathering processes and forms. However,
there are also occasional questions about whether
particular forms meet all of the requirements in 42
CFR Part 2, and many organizations’ forms have not
been updated to incorporate recent changes to 42
CFR Part 2.
Appendix 1 includes a sample consent form
that incorporates recent changes to 42 CFR
Part 2 and is focused on gathering consent to
facilitate care coordination. Organizations are
not required to use the form, but it is intended to
provider or HIE. An organization may also choose
elements into the organization’s existing templates.
43
42 CFR §§ 2.31(a)(8); 2.14(b).
27
Uses and Disclosures Without Consent
There are many circumstances where consent is required to share SUD information, even though sharing
would otherwise be allowed by HIPAA and other health care privacy laws. But consent is not required for
all uses and disclosures. This section includes summaries of some of the most common exceptions where
information can be used or disclosed without consent.
The exceptions are grouped into familiar categories, such as treatment, payment, health care operations,
public health reporting, and research. Each situation includes a summary of the conditions for use or
disclosure under 42 CFR Part 2, and a comparison to the requirements in HIPAA and chapter 70.02 RCW.
Even though consent is not required for these disclosures, there may be other complicated requirements that
apply. This information is only a summary and is not a substitute for careful consideration of the applicable
regulatory provisions or legal advice.
Qualied Service Organization Agreements
appropriate behavioral health information sharing. This includes substance use information between a part
HIPAA generally permits protected health information disclosure without patient consent for treatment,
payment or health care operations. 42 CFR Part 2 is not as permissive and requires patient consent for
such disclosure. However, restrictions on disclosures under 42 CFR Part 2 do not apply to communications
Provides services to a part 2 program, and
Has entered into a written agreement with a part 2 program under which that person:
Acknowledges that in receiving, storing, processing or otherwise dealing with any patient records
from the programs, it is fully bound by 42 CFR Part 2; and
If necessary, will resist in judicial proceedings any efforts to obtain access to patient records
except as permitted by these regulations.
laboratory analyses, professional services, or services to prevent or treat child abuse or neglect, including
training on nutrition and child care and individual and group therapy.
28
as mechanisms that allow for disclosure of information between a part 2 program and an organization that
provides services to the program, including HIEs.
from which the information originated. For additional information, see Number 10 of the 2010 Frequently
• Acknowledgement that receiving, storing, processing or otherwise dealing with any patient records from the
part 2 program is fully bound by the regulations in 42 CFR Part 2; and
• Agreement to resist in judicial proceedings any efforts to obtain access to patient identifying information
related to substance use disorder diagnosis, treatment or referral for treatment except as permitted by 42 CFR
Part 2.
for business associates under HIPAA.
Treatment
Information that is subject to 42 CFR Part 2 cannot normally be shared for treatment purposes without
information can be shared in response to a medical emergency, and can be shared between providers in the
same Part 2 program. The second situation is important because it allows sharing between providers who
are treating co-occurring mental health and substance use disorders within the same Part 2 program.
Exception Part 2 Requirements
HIPAA and Chapter 70.02 RCW
Requirements
Examples of
permissible
treatment
activities
“Treatment” means the care of a patient
suffering from a substance use disorder, a
caused by the substance use disorder, or both,
in order to reduce or eliminate the adverse
effects upon the patient.
42 CFR § 2.11
“Treatment” generally means the provision,
coordination, or management of health
care and related services among health care
providers or by a health care provider with a
third party, consultation between health care
providers regarding a patient, or the referral
of a patient from one health care provider to
another.
45 CFR § 164.501
29
Payment (consent typically required)
Information that is subject to 42 CFR Part 2 cannot normally be shared for payment purposes without
consent. However, information can be shared within a Part 2 program, or an entity that has direct
administrative control over the Part 2 program, among personnel having a need for the information in
connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment
claims management, or requesting prior authorization. Even submitting a claim for payment requires
consent.
Exception Part 2 Requirements
HIPAA and Chapter
70.02 RCW
Requirements
Disclosures
from Part 2
program to
contractors
Information can be shared with a contractor that provides
payment-related services to a part 2 program, such as data
processing or bill collecting.
Conditions for use or disclosure:
•
includes:
Acknowledgement that the contractor is fully bound by
42 CFR Part 2
inappropriate efforts to obtain SUD information
Tips:
• A contractor that meets these requirements is referred to as a
•
related services, including care coordination
42 CFR §§ 2.11; 2.12(c)(4).
Information can be
shared with contractors
that provide services to
or on behalf of a covered
entity. These contractors
are referred to as
“business associates”
and must sign a business
associate agreement
(BAA). HIPAA includes
for business associate
agreements. If a Part
2 program is also a
covered entity, then it
BAA with the contractor.
The requirements for
be combined into one
agreement.
45 CFR § 164.504(e).
30
Exception Part 2 Requirements
HIPAA and Chapter
70.02 RCW
Requirements
Disclosures from
lawful holder to
contractors
An organization that receives information under a written consent
to disclose for payment purposes, such as a third-party payer, can
further disclose information to its contractors to perform payment
functions.
Conditions for use or disclosure:
• The contractor must sign an agreement that limits its uses of
the information to uses necessary to carry out the purposes
42 CFR §§ 2.33(b); 2.13(a).
The restrictions on a
lawful holder’s ability to
share information with
contractors depends
on whether the lawful
holder is subject to
HIPAA. If a third-party
payer is a covered entity
under HIPAA, then
contractors that provide
services to the third-
payer payer are business
associates and a BAA is
required.
45 CFR § 164.504(e).
Disclosures
related to
incapacitated
or incompetent
person
Information can be disclosed without consent to obtain payment
when a person has a medical condition that prevents the person
from acting on their own behalf.
Conditions for use or disclosure:
• Scope of consent must be solely to obtain payment for services
• Person must be unable to effectively act on their own
• Part 2 program director must act on the person’s behalf to
consent to disclosure
Tips:
• This exception does not apply to minors or people who have
already been determined to be incompetent by a court
42 CFR § 2.15(a)(2).
Information can be
used and disclosed for
legitimate payment
purposes without
written consent. 42 CFR
Part 2 is more restrictive.
45 CFR § 164.506(c);
RCW 70.02.050(1).
31
Exception Part 2 Requirements
HIPAA and Chapter
70.02 RCW
Requirements
Examples of
permissible
payment and
health care
operations
activities (this
is list is non-
exhaustive—
other activities
may also be
permissible)
Billing, claims management, collections activities, obtaining
or related health care data processing;
Clinical professional support services (e.g., quality assessment
and improvement initiatives; utilization review and
management services);
Patient safety activities;
Activities pertaining to:
i. The training of student trainees and health care
professionals;
ii. The assessment of practitioner competencies;
iii. The assessment of provider or health plan performance;
iv. Training of non-health care professionals;
activities;
Underwriting, enrollment, premium rating, and other
activities related to the creation, renewal, or replacement of a
securing, or placing a contract for reinsurance of risk relating
to claims for health care;
Third-party liability coverage;
Conducting or arranging for medical review, legal services,
Business planning and development, such as conducting
cost management and planning-related analyses related to
managing and operating, including formulary development
and administration, development or improvement of methods
of payment or coverage policies;
Business management and general administrative activities,
including management activities relating to implementation of
and compliance with the requirements of this or other statutes
or regulations;
“Payment” encompasses
the various activities of
health care providers
to obtain payment or
be reimbursed for their
services and of a health
plan to obtain premiums,
responsibilities and
the plan, and to obtain or
provide reimbursement
for the provision
of health care. In
addition to the general
Rule provides examples
of common payment
activities which include,
but are not limited to:
• Determining
eligibility or coverage
under a plan and
adjudicating claims;
• Risk adjustments;
• Billing and collection
activities;
• Reviewing health care
services for medical
necessity, coverage,
charges, and the like;
• Utilization review
activities; and
32
Exception Part 2 Requirements
HIPAA and Chapter
70.02 RCW
Requirements
Customer services, including the provision of data analyses for
policy holders, plan sponsors, or other customers;
Resolution of internal grievances;
The sale, transfer, merger, consolidation, or dissolution of an
organization;
Determinations of eligibility or coverage (e.g., coordination
claims;
Risk adjusting amounts due based on enrollee health status
and demographic characteristics;
Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of
prohibited in this provision.
42 CFR § 2.33(b)
• Disclosures to
consumer reporting
agencies (limited to
information about
the individual, his or
her payment history,
and identifying
informationabout the
covered entity).
45 CFR § 164.501
Health Care Operations
Information that is subject to 42 CFR Part 2 cannot normally be shared for health care operations purposes
without consent. However, information can be shared within a Part 2 program, or an entity that has direct
administrative control over the Part 2 program, among personnel having a need for the information in connection
with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients.
Health care operations include a broad range of provider activities that do not involve treatment or payment
activities. Examples include quality improvement, provider performance review, fraud and abuse detection, or
receiving legal services. Information can be shared with contractors to perform health care operations functions
on behalf of the Part 2 program.
33
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Disclosures from
Part 2 program
to contractors
Information can be shared with a contractor that provides
health care operations services to a part 2 program, such
as legal or accounting services, or population health
management
Conditions for use or disclosure:
• The contractor must sign an agreement called a
care operations functions and includes:
Acknowledgement that the contractor is fully
bound by 42 CFR Part 2
inappropriate efforts to obtain SUD information
Tips:
• A contractor that meets these requirements is referred
•
treatment-related services, including care coordination
42 CFR §§ 2.11; 2.12(c)(4).
Information can be shared
with contractors that provide
services to or on behalf
of a covered entity. These
contractors are referred to
as “business associates” and
must sign a business associate
agreement (BAA). HIPAA
for business associate
agreements. If a Part 2 program
is also a covered entity, then
BAA with the contractor. The
BAAs can be combined into one
agreement.
45 CFR § 164.504(e).
Disclosures from
lawful holder to
contractors
An organization that receives information under a written
consent to disclose for health care operations purposes can
further disclose information to its contractors subject to
contractor’s purposes.
Conditions for use or disclosure:
• The contractor must sign an agreement that limits its
written consent
42 CFR §§ 2.33(b); 2.13(a).
The restrictions on a lawful
holder’s ability to share
information with contractors
depends on whether the lawful
holder is subject to HIPAA. If
the entity is a covered entity
under HIPAA, then contractors
that provide services to the
third-payer payer are business
associates and a BAA is
required.
45 CFR § 164.504(e).
34
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Examples of
permissible
payment and
health care
operations
activities (this
is list is non-
exhaustive—
other activities
may also be
permissible)
Billing, claims management, collections activities,
obtaining payment under a contract for reinsurance,
Clinical professional support services (e.g., quality
assessment and improvement initiatives; utilization
review and management services);
Patient safety activities;
Activities pertaining to:
i. The training of student trainees and health care
professionals;
ii. The assessment of practitioner competencies;
iii. The assessment of provider or health plan
iv. Training of non-health care professionals;
activities;
Underwriting, enrollment, premium rating, and
other activities related to the creation, renewal, or
replacement of a contract of health insurance or health
for reinsurance of risk relating to claims for health care;
Third-party liability coverage;
abuse;
Conducting or arranging for medical review, legal
Business planning and development, such as
conducting cost management and planning-related
analyses related to managing and operating,
including formulary development and administration,
development or improvement of methods of payment
or coverage policies;
Business management and general administrative
activities, including management activities relating
to implementation of and compliance with the
requirements of this or other statutes or regulations;
• “Health care operations”
are certain administrative,
improvement activities of
a covered entity that are
necessary to run its business
and to support the core
functions of treatment and
payment. These activities,
which are limited to the
activities listed in the
operations” at 45 CFR
164.501, include:
• Conducting quality
assessment and
improvement activities,
population-based activities
relating to improving health
or reducing health care costs,
and case management and
care coordination;
• Reviewing the competence
care professionals, evaluating
provider and health plan
performance, training health
care and non-health care
professionals, accreditation,
credentialing activities;
• Underwriting and other
activities relating to the
creation, renewal, or
replacement of a contract
of health insurance or
securing, or placing a
contract for reinsurance of
risk relating to health care
claims
35
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Customer services, including the provision of data
analyses for policy holders, plan sponsors, or other
customers;
Resolution of internal grievances;
The sale, transfer, merger, consolidation, or dissolution
of an organization;
Determinations of eligibility or coverage (e.g.,
of cost sharing amounts), and adjudication or
Risk adjusting amounts due based on enrollee health
status and demographic characteristics;
Review of health care services with respect to
medical necessity, coverage under a health plan,
expressly prohibited in this provision.
42 CFR § 2.33(b)
• Conducting or arranging for
medical review, legal, and
auditing services, including
fraud and abuse detection
and compliance programs;
• Business planning and
development, such
as conducting cost-
management and planning
analyses related to managing
and operating the entity; and
• Business management
and general administrative
activities, including those
related to implementing and
complying with the Privacy
Rule and other Administrative
customer service, resolution
of internal grievances, sale or
transfer of assets, creating de-
or a limited data set, and
the covered entity. General
Provisions at 45 CFR 164.506.
45 CFR § 164.501
36
Medical Emergency
Information that is subject to 42 CFR Part 2 can be shared in response to a medical emergency, and can
be shared between providers in the same Part 2 Program. This allows sharing between providers who are
treating co-occurring mental health and substance use disorders within the same Part 2 program.
Exception Part 2 Requirements
HIPAA
and Chapter 70.02 RCW
Requirements
Medical
emergencies
Information can be shared in response
to a medical emergency.
Conditions for use or disclosure:
• Disclosure must be necessary
emergency
• Only applies when informed consent
cannot be obtained
• The Part 2 program must document
who made the disclosure, who
received the information, when
information was disclosed, and the
reason information was disclosed
42 CFR § 2.51.
Information can be used and disclosed for
legitimate treatment purposes without written
consent. 42 CFR Part 2 is more restrictive.
Additionally, information can be used and disclosed
when, consistent with applicable law and standards
of ethical conduct, such use is necessary (in the
good faith belief of the covered entity):
• To prevent or lessen a serious and imminent
threat to the health or safety of a person or the
public; and the use is to a person reasonably
able to prevent or lessen the threat.
• For law enforcement authorities to identify or
apprehend an individual.
45 CFR § 164.501506(c); 45 CFR § 164.512(j);
RCW 70.02.050(1).
37
Communication within a Part 2 Program
Information sharing is allowed between providers who are treating co-occurring mental health and
substance use disorders within the same Part 2 program. Information can also be shared within a Part 2
program to perform payment and health care operations functions.
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Communication
within a Part
2 program for
treatment,
payment, or
operations
Information can be shared within a Part 2 program for
legitimate treatment, payment, or health care operations
purposes without written consent.
Conditions for use or disclosure:
• Need for sharing must arise from providing diagnosis,
treatment, referral for treatment, payment functions, or
health care operations functions
• Disclosure only allowed to personnel of Part 2 program
or entity with direct administrative control over the
program
Tips:
• A Part 2 program may be located within a facility that
has other functions that are not considered part of the
Part 2 program and are not covered by this exception
42 CFR § 2.12(c)(3).
Information can be used
and disclosed for legitimate
treatment purposes without
written consent. 42 CFR Part 2
is more restrictive.
45 CFR § 164.506(c); RCW
70.02.050(1).
38
Access by Person with SUD
As with other health care information, a person has the ability to view and receive their own information.
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Access to a
person’s own
information
A competent adult with SUD can view and receive their
own information.
Conditions for use or disclosure:
• A request to review and receive information can
be made by the person with SUD or their personal
representative.
• The right to view and receive information about a
person who has been determined by a court to be
incompetent is controlled by their legal guardian or
other legally authorized representative.
• More complicated rules apply for records about minors,
depending on the minor’s age and whether the services
are inpatient or outpatient
42 CFR §§ 2.23(a); 2.14.
Under HIPAA and chapter 70.02
RCW a person has the right to
access their own information.
Who can exercise that right
is dependent on whether the
person has been determined to
be incompetent, the person’s
age, and the types of services
provided.
45 CFR § 164.502(g);
45 CFR § 164.524(a);
RCW 70.02.080;
RCW 70.02.130.
39
Public Health Reporting
Although there is no blanket exception that allows SUD information to be used or disclosed for public health
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Reporting vital
statistics
Information about cause of death can be released
consistent with laws that require the collection of death or
other vital statistics.
Conditions for use or disclosure:
• The release must be consistent with law that requires
collection of the information
42 CFR § 2.15(b)(1).
Under HIPAA and Washington
law, information can be released
to appropriate authorities for
a wide range of public health
purposes that include reporting
and investigating deaths.
45 CFR § 164.512(b);
RCW 70.02.050(2).
Investigating
cause of death
Information can be released consistent with laws that
allow investigation into cause of death.
Conditions for use or disclosure:
• The release must be consistent with the law that allows
the investigation
42 CFR § 2.15(b)(1).
Under HIPAA and Washington
law, information can be released
to appropriate authorities for
a wide range of public health
purposes that include reporting
and investigating deaths.
45 CFR § 164.512(b);
RCW 70.02.050(2).
Reporting child
abuse and
neglect
Reports of suspected child abuse and neglect can be
reported to appropriate authorities.
Conditions for use or disclosure:
• Reports should be consistent with permitted or
mandatory disclosures under state law
Tips:
• The original information held by the Part 2 program
is still protected, and restrictions on disclosure still
apply to any requested disclosure for civil or criminal
proceedings that arise out of the report of abuse or
neglect
42 CFR § 2.12(c)(6).
Under HIPAA and Washington
law, information can be released
to appropriate authorities for
a wide range of public health
purposes that include reporting
child abuse or neglect.
45 CFR § 164.512(b);
RCW 70.02.200.
40
Research
incorporate the requirements in the HIPAA Privacy Rule.
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Providing
information to
researcher
Information can be disclosed to a researcher so long as
the research project meets the research requirements in
the HIPAA Privacy Rule or the Health and Human Services
regulations regarding the protection of human subjects, as
applicable.
Conditions for use or disclosure:
•
apply
• Appropriate waiver of consent must be obtained from
institutional review board or privacy board
•
anyone other than who the information originally came
from.
Tips:
• Research can also be conducted with explicit consent
from the research subjects
42 CFR § 2.52.
Information can be disclosed
to research so long as the
research projects the research
requirements in the HIPAA
Privacy Rule, which will require
approval and waiver of consent
from an institutional review
board or privacy board.
45 CFR § 164.512(i);
RCW 70.02.210.
41
Audit and Evaluation
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Audit or
evaluation
that does not
require copying
or removing
records
If records are not copied or removed, then in limited
circumstances a Part 2 program may allow an audit or
evaluation on its premises.
Conditions for use or disclosure:
• Auditor or evaluator must agree in writing that
Not be disclosed to anyone
Only be used to carry out the purpose of the audit
or evaluation
• Auditor or evaluator must be one of:
A governmental agency authorized to regulate
the Part 2 program
assistance to the Part 2 program
A third-party payer that covers people treated by
the Part 2 program
A quality improvement organization performing a
utilization or quality control review
• Part 2 program must:
42 CFR § 2.53(a).
Under HIPAA and chapter 70.02
RCW an audit or evaluation
could be completed as part
of the entity’s health care
operations.
45 CFR § 164.506;
RCW 70.02.010;
RCW 70.02.050;
RCW 70.02.200.
42
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Audit or
evaluation that
requires copying
or removing
records
If records will be removed, additional restrictions apply to
allow an audit or evaluation.
Conditions for use or disclosure:
• Auditor or evaluator must agree in writing that
Not be disclosed to anyone
Only be used to carry out the purpose of the audit
or evaluation
Be maintained and destroyed consistent 42 CFR
Part 2 security requirements
Be retained as required by any applicable records
retention laws
• Auditor or evaluator must be one of:
A governmental agency authorized to regulate the
Part 2 program
assistance to the Part 2 program
A third-party payer that covers people treated by
the Part 2 program
A quality improvement organization performing a
utilization or quality control review
Tips:
• Removing records includes anything that would lead
to information leaving the Part 2 program, including
copying, downloading, or forwarding information
42 CFR § 2.53(b).
Under HIPAA and chapter 70.02
RCW an audit or evaluation
could be completed as part
of the entity’s health care
operations.
45 CFR § 164.506;
RCW 70.02.010;
RCW 70.02.050;
RCW 70.02.200.
Audits and
evaluations
mandated
by statute or
regulation
Patient identifying information may be disclosed to
federal, state, or local government agencies, and the
contractors, subcontractors, and legal representatives
of such agencies, in the course of conducting audits
or evaluations mandated by statute or regulation, if
those audits or evaluations cannot be carried out using
42 CFR 2.53(g)
Under HIPAA and chapter
70.02 RCW an audit or
evaluation could be completed
as part of the entity’s health
care operations.
43
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Activities
included in
Audits and
Evaluations
Audits and evaluations may include, but are not limited
to :
Activities undertaken by a federal, state, or local
governmental agency, or a third-party payer entity, in
order to:
i. Identify actions the agency or third-party payer
entity can make, such as changes to its policies
or procedures, to improve care and outcomes
for patients with SUDs who are treated by part 2
programs;
ii. Ensure that resources are managed effectively to
care for patients; or
iii. Determine the need for adjustments to payment
policies to enhance care or coverage for patients
with SUD.
Reviews of appropriateness of medical care, medical
necessity, and utilization of services.
42 CFR 2.53(c)
Under HIPAA and chapter
70.02 RCW an audit or
evaluation could be completed
as part of the entity’s health
care operations.
44
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
Medicare,
Medicaid, or
Children’s
Health
Insurance
Program
(CHIP) audit or
evaluation
Information can be disclosed as part of a Medicare,
Medicaid, or CHIP audit or evaluation, including an audit
or evaluation necessary to meet the requirements for
a Centers for Medicare & Medicaid Services-regulated
accountable care organization or similar CMS-regulated
organization.
Conditions for use or disclosure:
• Auditor or evaluator must agree in writing that
Not be disclosed to anyone
Only be used to carry out the purpose of the audit
or evaluation
Be maintained and destroyed consistent 42 CFR
Part 2 security requirements
Be retained as required by any applicable records
retention laws
• Audit or evaluation can be any civil or administrative
investigation by a federal, state, or local government
agency with oversight responsibilities for Medicare,
Medicaid, or CHIP
Tips:
• Additional administrative requirements apply for audits
or evaluations necessary to meet the requirements for a
CMS-regulated accountable care organization or similar
CMS-regulated organization.
42 CFR § 2.53(c).
Under HIPAA and chapter 70.02
RCW an audit or evaluation
could be completed as part
of the entity’s health care
operations.
45 CFR § 164.506;
RCW 70.02.010;
RCW 70.02.050;
RCW 70.02.200.
45
Law Enforcement and Judicial Proceedings
In limited circumstances information can be disclosed to law enforcement or during judicial proceedings.
The summary below describes the circumstances when information can be disclosed to law enforcement to
report a crime.
Other provisions allow information to be shared for noncriminal judicial proceedings, or to investigate
or prosecute criminal activity, pursuant to a properly obtained court order. Keep in mind that a court
order authorizing or requiring disclosure is not the same as a mere subpoena or discovery request. The
requirements for those disclosures in 42 CFR Part 2, HIPAA, and chapter 70.02 RCW are complicated and
beyond the scope of this document.
Exception Part 2 Requirements
HIPAA
and Chapter 70.02 RCW
Requirements
Reporting a
crime
Limited information can be disclosed to law
enforcement to report a crime.
Conditions for use or disclosure:
• The crime must occur at the program, or against
the program’s staff
• The only information that can be disclosed is:
The factual circumstances of the incident,
The fact that the person is receiving
services,
The person’s name and address, and
The person’s last know whereabouts
Tips:
• A threat to commit a crime at the program or
against the program’s staff meets the criteria
above
42 CFR § 2.12(c)(5).
HIPAA and chapter 70.02 RCW allow
disclosures to law enforcement to report
a crime that occurs on the premises of
the entity, as well as in several other
circumstances. If the crime did not occur
on premises, 42 CFR Part 2, HIPAA,
and chapter 70.02 RCW should all be
considered before making a disclosure.
Information can also be used and
disclosed when providing emergency
if such disclosure is necessary to alert
law enforcements to:
(a) the commission and nature of a
crime;
(b) the location of such crime or of the
victim of the crime; and
(c) the identity, description, and location
of the perpetrator of the crime.
45 CFR § 164.512(f); 45 CFR § 164.506(c); RCW
70.02.050(1); RCW 70.02.200.
46
Conrming Enrollment
Exception Part 2 Requirements
HIPAA
and Chapter 70.02
RCW Requirements
presence in a
facility
facility if the fact that the person has a substance use
disorder is not revealed.
Conditions for use or disclosure:
• The facility cannot solely provide SUD services
•
SUD
• No additional information may be disclosed
Tips:
• Carefully consider your response; stating that 42 CFR
Part 2 restricts the disclosure of a person’s information
reveals that the person has an SUD
•
person’s presence would require that person’s consent.
42 CFR § 2.13(c).
A provider can maintain a
directory that includes a
person’s name, location in the
facility, and general description
of the person’s condition. But
the person an opportunity to
object. 42 CFR Part 2 is more
restrictive.
45 CFR § 164.510(a);
RCW 70.02.010;
RCW 70.02.200.
47
42 CFR Part 2 Revised Rule
(eective August 14, 2020)
What Has Not Changed Under the New Part 2 Rule: The revised rule does not alter the basic framework
SUD treatment programs. Part 2 continues to prohibit law enforcement’s use of SUD patient records in
criminal prosecutions against patients, absent a court order. Part 2 also continues to restrict the disclosure of
SUD treatment records without patient consent, other than as statutorily authorized in the context of a bona
an appropriate court order.
What Has Changed Under the New Part 2 Rule:
as follows:
Applicability and Re-Disclosure
What changed?
Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly
not covered by Part 2, unless any SUD records previously received from a Part 2 program are incorporated
into such records. Segmentation or holding a part of any Part 2 patient record previously received can be
used to ensure that new records created by non-Part 2 providers will not become subject to Part 2.
Why was this changed?
To facilitate coordination of care activities by non-part-2 providers.
Disposition of Records
What changed?
When an SUD patient sends an incidental message to the personal device of an employee of a Part 2 program,
message.
Why was this changed?
sanitize in compliance with Part 2.
48
Consent Requirements
What changed?
An SUD patient may consent to disclosure of the
patient’s Part 2 treatment records to an entity (e.g.,
the Social Security Administration), without naming a
Why was this changed?
more easily, for example, when using online
the recipient for a disclosure of Part 2 records.
Disclosures Permitted w/ Written
Consent
Disclosures for the purpose of “payment and health
care operations” are permitted with written consent,
in connection with an illustrative list of 18 activities
that constitute payment and health care operations
Why was this changed?
In order to resolve lingering confusion under Part 2
about what activities count as “payment and health
care operations,” the list of examples has been
moved into the regulation text from the preamble,
and expanded to include care coordination and case
management activities. Note that this list is non-
exhaustive—other activities may also be allowable.
Disclosures to Central Registries and
PDMPs
What changed?
Non-OTP (opioid treatment program) and non-central
registry treating providers are now eligible to query
a central registry, in order to determine whether
their patients are already receiving opioid treatment
through a member program.
OTPs are permitted to enroll in a state prescription
drug monitoring program (PDMP), and permitted
to report data into the PDMP when prescribing or
dispensing medications on Schedules II to V, consistent
with applicable state law.
Why was this changed?
To prevent duplicative enrollments in SUD care,
duplicative prescriptions for SUD treatment, and
adverse drug events related to SUD treatment.
Medical Emergencies
What changed?
Declared emergencies resulting from natural disasters
(e.g., hurricanes) that disrupt treatment facilities
emergency,” for the purpose of disclosing SUD records
without patient consent under Part 2.
Why was this changed?
To ensure clinically appropriate communications
and access to SUD care, in the context of declared
emergencies resulting from natural disasters.
49
Research
What changed?
Disclosures for research under Part 2 are permitted
by a HIPAA-covered entity or business associate to
individuals and organizations who are neither HIPAA
covered entities, nor subject to the Common Rule (re:
Research on Human Subjects).
Why was this changed?
To facilitate appropriate disclosures for research, by
streamlining overlapping requirements under Part 2,
the HIPAA Privacy Rule and the Common Rule.
Audit and Evaluation
What changed?
evaluation purposes.
Why was this changed?
To resolve current ambiguity under Part 2 about what
activities are covered by the audit and evaluation
provision.
Undercover Agents and Informants
What changed?
Court-ordered placement of an undercover agent or
informant within a Part 2 program is extended to a period
of 12 months, and courts are authorized to further extend
the period of placement through a new court order.
Why was this changed?
To address law enforcement concerns that the
current policy is overly restrictive to some ongoing
investigations of Part 2 programs.
50
Scenarios and Guidance
for SUD Data Exchange
information is the patient. In order to provide
the best care for the whole person, health care
professionals and other entities who provide
services to people with SUD need to collaborate
and communicate. This approach puts the
individual at the center of care coordination.
This graphic shows examples of the types of people
and entities that may be involved in a person’s
care, and the following scenarios show when
information can be shared amongst these people
and entities. The scenarios are grouped into the
categories of (1) treatment, and (2) payment and
health care operations.
51
Potential Touchpoints for Persons with SUD
Primary Care
Physician
School
SUD Facility within
Other Entity
Emergency Room
Personnel
Hospitals
Non Part 2
Program
SUD Provider
(Outpatient)
Community Based
Organizations
Standalone SUD
Facility
Person with SUD Contractor
Hospital
Third-party
Payers
52
Quicklinks to the scenarios below:
Treatment Scenarios
• Scenario 1
Communication within a Part 2 Program
• Scenario 2
Communication between different Part 2 Programs
• Scenario 3
Sharing information with a provider not subject to Part 2
• Scenario 4
Sharing information with emergency personnel
• Scenario 5
Sharing SUD information through an HIE
• Scenario 6
Provider not subject to Part 2 sharing with Part 2 Program
• Scenario 7
Communication between Part 2 Program and School
Payment and Health Care Operations Scenarios
• Scenario 1
Disclosures from a Part 2 Program to Contractors
• Scenario 2
Disclosures to Third-Party Payer
53
Treatment Scenario 1:
Communication within a Part 2 Program
Key take away: Information can be shared within a Part 2 program
for legitimate treatment purposes without written consent
Scenario Description:
• Providers within the same
Part 2 program want to share
information with each other to
coordinate care.
Remember:
• A Part 2 program may be
located within a facility that
has other functions that are
not considered part of the Part
2 program.
• Sharing the same physical
location does not mean that all
providers are within the Part 2
program.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• Need for sharing must arise
from providing diagnosis,
treatment, or referral for
treatment.
• Disclosure only allowed
to personnel of a Part 2
program or entity with direct
administrative control over the
program.
• See Payment Scenario 1
and Health Care Operations
around disclosures within a
Part 2 program for payment or
health care operations.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be used
and disclosed for legitimate
treatment, payment, and
health operations purposes
without written consent. 42
CFR Part 2 is more restrictive.
Providers are
in the same
Part 2 Program
Patient records
updated
Patient treated by SUD
provider in Part 2 Program
Other providers within Part
2 Program are able to review
information
54
Treatment Scenario 2:
Communication between dierent Part 2 Programs
Key take away: Information shared between different Part 2 programs
requires valid written consent
SUD information can
be shared in multiple
formats: verbal, direct
exchange, EHR
Patient treated by
SUD provider in Part 2
Program
Patient treated by SUD
provider in separate Part 2
Program
Scenario Description:
• Separate part 2 programs want
to share SUD information with
each other.
Remember:
• To share information back and
forth, the written consent must
indicate that information can
be shared both to and from
provider.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• Valid written consent.
• Information shared must be
tailored to the written consent.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be used
and disclosed for legitimate
treatment purposes without
written consent. 42 CFR Part 2
is more restrictive.
55
Treatment Scenario 3:
Sharing information with a provider not subject to Part 2
Key take away: Information shared from Part 2 program to other
treating provider requires valid written consent
SUD information can
be shared in multiple
formats: verbal, direct
exchange, EHR
Patient treated by
SUD provider in Part 2
obtains proper consent
Primary care physician
consent
Scenario Description:
• Part 2 program wants to share
information with primary care
physician.
Remember:
• The requirements for
vary depending on whether
designation.
• The requirement for written
consent does not prevent
the primary care physician
from sharing with the Part
2 program. See Treatment
Scenario 6 for more
information.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• Valid written consent.
• Information shared must be
tailored to the written consent.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be used
and disclosed for legitimate
treatment purposes without
written consent. 42 CFR Part 2
is more restrictive.
56
Treatment Scenario 4:
Sharing information with emergency personnel
Key take away: Part 2 information can be shared without consent with
emergency personnel when responding to a legitimate emergency
Emergency room
personnel request
SUD information
from Part 2 Program
SUD information can
be shared from Part
2 program to ER in
multiple formats: verbal,
direct exchange, EHR
Patient treated SUD provider in
Part 2 Program
documents
disclosure
Patient arrives at
emergency room
Scenario Description:
• A person who is experiencing
a medical emergency arrives
at an emergency facility. The
treating provider is aware that
the person has previously been
treated for SUD by a Part 2
provider, but it is not possible
to obtain consent to receive
SUD information.
Remember:
• A Part 2 program may be
located within a facility that
has other functions that are
not considered part of the Part
2 program.
• Sharing the same physical
location does not mean that all
providers are within the Part 2
program.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• Disclosure must be necessary
to respond to a legitimate
emergency.
• Only applies when informed
consent cannot be obtained.
• The Part 2 program that makes
the disclosure must document
who made the disclosure, why
it was made, and when it was
made.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be used
and disclosed for legitimate
treatment purposes without
written consent. 42 CFR Part 2
is more restrictive.
57
Treatment Scenario 5:
Sharing SUD information through an HIE
Key take away: Part 2 information can be shared via an HIE. Conditions
for sharing depend upon terms of consent and recipient’s use of data
Patient treated by
SUD provider in
Part 2 Program, who
proper consent
• Part 2 program wants to share
provider through HIE.
Part 2 Conditions:
• Valid written consent that
treating provider can be either
individual provider or the
provider entity.
•
organization of the Part 2
program, the consent only
treating provider.
Emergency Personnel
• Emergency personnel wants to
access information in response
to legitimate emergency and
it is not possible to obtain
consent.
Part 2 Conditions:
• Requirements in Treatment
•
organization of the Part 2
documenting the disclosure.
General Designation
• Part 2 program wants to share
information with all treating
providers through HIE.
Part 2 Conditions:
• Valid written consent that
designation of all treating
providers.
• Consent must specify HIE,
regardless of whether the
organization of the Part 2
program.
• Upon request from the person
with SUD, the HIE must
provide a list of the entities
that received information, the
date information was shared,
and brief description of what
was shared.
HIE manages disclosures
consistent with terms of
consent and recipient’s
use of data
Designation
Primary care
physician
Emergency
Personnel
Emergency
room personnel
General
Designation
All treating
providers
58
Treatment Scenario 6:
Provider not subject to Part 2 sharing with Part 2 Program
Key take away: Information shared by non-Part 2 provider is
governed by HIPAA and consent is not required
Records can be
shared in multiple
formats: verbal, direct
exchange, EHR
Information about physical
health care requested by
Part 2 Program
Part 2 Program receives
information
Scenario Description:
• Part 2 program wants to
receive physical health care
records from non-Part 2
provider
Remember:
• The restrictions in 42 CFR
Part 2 do not apply to
information being sent to a
Part 2 program, but Part 2
program should take care
when requesting information
to not inappropriately reveal
that person is being treated for
SUD.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• 42 CFR Part 2 does not control
disclosures from a non-Part 2
program to a Part 2 program.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be used
and disclosed for legitimate
treatment purposes without
written consent.
59
Treatment Scenario 7:
Communication between Part 2 Program and School
Key take away: Information can be shared between a Part 2 program
and student’s school with written consent.
Scenario Description:
• School requires SUD
assessment and treatment
recommendation.
•
from SUD provider.
Remember:
• The school should only receive
has been an assessment and
recommendation.
• If the information is shared
with a multidisciplinary team
that includes people other
than school employees, all
recipients should be listed on
the consent.
Conditions for Use
or Disclosure of SUD
Information:
• Valid written consent.
• Information shared must be
tailored to the written consent.
• School becomes a lawful
holder and must protect
records from further
disclosure.
HIPAA and Chapter
70.02 RCW Requirements:
• Information should only be
shared with consent.
School requires
student to receive
SUD assessment
Student is seen
by SUD provider
or obtains consent
SUD provider shares
information with school
if consent has been given
60
Payment and Health Care Operations
Scenario 1:
Disclosures from a Part 2 Program to Contractors
Key take away: If proper agreements are in place, information can
be shared with a contractor that provides payment-related services
to a Part 2 program, such as submitting claims or bill collecting
SUD information can be
shared in multiple formats:
verbal, direct exchange, EHR
Part 2 Program enters contract
for payment or health care
operations services
Scenario Description:
• Part 2 program wants to hire
a third-party contractor to
perform payment functions,
such as submitting claims or
bill collecting.
Remember:
• A contractor that meets these
requirements is referred
organization.”
• A Part 2 program can also
share information with its own
staff to perform these types of
payment functions.
• Just like Part 2 programs,
lawful holders can use
contractors to perform these
types of payment functions.
•
does not apply to treatment-
related services, including care
coordination.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• The contractor must sign
an agreement that limits its
uses of the information to the
• The agreement must include
an acknowledgement by the
contractor that it is fully bound
by 42 CFR Part 2.
• The agreement must require
the contractor to resist
inappropriate efforts to obtain
SUD information.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be shared
with contractors that provide
services to or on behalf of
a covered entity. These
contractors are referred to
as “business associates” and
must sign a business associate
agreement. HIPAA includes
business associate agreements
that should also be included
service organization.
61
Payment and Health Care Operations
Scenario 2:
Disclosures to Third-Party Payer
Key take away: Written consent must be obtained before submitting
a claim for payment to a third-party payer
Scenario Description:
• Part 2 program wants to
submit a claim for payment to
a third-party payer.
Remember:
• If a person revokes consent
before a claim can be
submitted, the Part 2 program
can still submit the claim if
it relied on the fact that the
consent had been signed when
it provided treatment.
• If a person is unable to
effectively act on their own,
a Part 2 program director can
consent to disclosure for the
sole purpose of obtaining
payment.
42 CFR Part 2 Conditions
for Use or Disclosure of
SUD Information:
• Valid written consent.
• Disclosure must be tailored to
the written consent.
HIPAA and Chapter
70.02 RCW Requirements:
• Information can be used
and disclosed for legitimate
payment purposes without
written consent. 42 CFR Part 2
is more restrictive.
Provider
obtains consent
SUD information can
be shared in multiple
formats: verbal,
direct exchange, EHR
Part 2 Program
submits claim
for payment
Third-party Payer
receives information to
make payment
62
Appendix 1 – Consent Form
This sample form is intended to support gathering consent to facilitate care
coordination between providers. It is consistent with changes to 42 CFR
Part 2 that allow disclosures to all treating providers. The form can be used
should be reviewed to ensure consistency with the requirements in Part 2
and consultation with legal counsel is encouraged.
When disclosing information pursuant to consent, one of the following
statements must be sent along with the records:
Although the sample consent form includes this language, it is important
that this statement be communicated to a recipient separately if the
completed consent form itself is not sent with the records.
- or -
63
Consent to Coordinate Care and Treatment
Completion Instructions for Form
Purpose of this form:
Our goal is to provide you with the best care
possible. To do this, your health care providers may
need to communicate and work together.
Federal laws require that we get your permission
to share your substance use disorder treatment
records to coordinate your care. However, you do not
need to sign this form to receive care or services.
Your treatment records are strictly protected –
There are requirements in federal law (42 CFR Part 2)
that encourage you to seek treatment for substance
use disorder without fear of consequences. These
requirements protect the privacy of your treatment
records and, in most instances, prohibit sharing your
records without your permission.
Who will my information be shared with? –
You are in control of who has access to your treatment
records. You can provide a general approval, such
as “I give my permission to share my substance use
disorder treatment information with all individual(s)
or organization(s) with whom I have a past, current,
or future treating provider relationship.” Or, you can
with only the individuals or entities that you clearly
name, such as “Dr. Jane Smith at ABC Clinic.” You can
choose how long you want to share your information
and you have the ability to change your mind later.
Treating provider – A treating provider includes
anyone who has provided you diagnoses, evaluation,
treatment, or consultation, for any condition,
or anyone you have agreed or legally required
to receive diagnoses, evaluation, treatment, or
consultation from.
Health Information Exchange – A secure
electronic system that sends your treatment medical
information and allows doctors, mental health
providers, nurses, pharmacists, and other health
care providers to appropriately access and securely
share this information—improving the speed,
quality, safety and cost of your care.
HCA 60-0018 (4/19)
Personal information
Note: Patient identi cation label may be a xed here in lieu of completing this section.
First name
Middle
initial Last name
Date of Birth
ZIP Code
SECTION 1: What information am I agreeing to share?
I give my permission to share the following information (please select one or both):
Option 1: Substance Use Disorder (SUD) treatment records maintained by my providers
(including, but not limited to, medications and dosages, lab test results, clinic visits, diagnostic
information, discharge summary etc.)
Option 2: Claims data related to Substance Use Disorder (SUD) treatment, which include only a
summary of my diagnoses and services received
Option 3 “I select both Option 1 and Option 2”
SECTION 2: Who may share my Substance Use Disorder (SUD) information?
Please select one or both of the following options:
Option 1: “I give permission for all of my past, current, or future treating providers to share
my substance use disorder treatment information.”
Option 2:
substance use disorder treatment information.”
or healthcare organization(s) with
whom I have (or had) a treating
provider relationship:
Enter their contact information:
Phone City State ZIP Code
Option 3: “I select both Option 1 and Option 2”
SECTION 3: Who do I want to share my information with?
I give my permission to share the following information (please select one or both):
Option 1: Providers may choose to send and receive patient treatment information through
a secure electronic system called a Health Information Exchange (HIE). Doctors, mental health
providers, nurses, pharmacists, and other health care providers are only allowed to receive and
share your information from an HIE if they have the right permissions to do so.
“I understand that my past or current treating providers may currently use, or plan to use, the following
HIE to manage my information: _____________________________________________________________________________________.
I agree to share my information through the HIE with all individual(s) or organization(s) that I have a past,
current or future treating provider relationship with.”
Option 2: “I give my permission to share my substance use disorder treatment information
or healthcare organization(s) with
whom I have (or had) a treating
provider relationship:
Enter their contact information:
Phone City State ZIP Code
Option 3: “I select both Option 1 and Option 2”
Note to receiving provider or entity: 42 CFR part 2 prohibits unauthorized disclosure of these records.
SECTION 4: Consent Expiration
I understand that my permission will end: (please select one only)
On this date:
One year from the date of my signature, or
Upon my death.
I understand that I can take back or cancel my permission to share my information at any time. When I take
back or cancel my permission, I understand that going forward, my information will no longer be shared.
I understand that any information that may have already been shared before I cancelled my permission
cannot be taken back.
To take back or cancel your permission to share your information, please contact:
SECTION 5: Signature
I have read this form or have had it read to me in a language I can understand. I have had my questions about
this form answered. I understand that I do not need to sign this form to receive care or services.
Print the name of person giving consent or legal representative
Signature of person giving consent or legal representative
Relationship to Individual
Self Parent Guardian Authorized
Representative
Appendix 2 – Provider Script
This script (pages 63 - 64) is meant as a consent aid for providers. The focus
of the script is providing a safe, trusting environment for the provider and
script is not meant to replace the ability of providers to use their professional
judgement and established relationships to customize conversational needs.
You know the people in your care and the best way to approach sensitive
conversations.
68
Provider Script
When introducing patients to the concept of
consent management and its purpose, the
following three discussion components are
recommended:
Providing a patient consent conference
in a non-judgmental environment.
Setting the clear intention for improved
patient care experience.
Supporting the patient in self-directed
decision making around consent and being
in control of that decision.
Below are sample discussion points to facilitate the
introduction and request for consent to share SUD
information. While positioned from a PCP point of
view, the key points are applicable to Behavioral
Initiating the patient consent
conference
Welcome
• Thanks for coming in today. I really appreciate
you doing that. I know it’s hard sometimes to get to
a place where you’re able to come in and thank you
for sharing your story with me.
This is a safe place
• I want to be sure you understand and know that
this is a safe place. I appreciate that you’ve
been honest with me and shared your struggle
with opiate use disorder with me and I know
it’s hard to do
•
manage that. And it’s at your pace and your
time. But this is something that is a chronic
condition. It’s not because you want this, not
because you have a moral weakness, it’s a
chronic medical condition and so we’re going to
work together to address that.
Setting a clear intention for
improved patient care experience
Asking for information from other
providers
• One of the things that will be really helpful for
diagnoses and medications you have received,
from other providers that you’ve seen but not
counselors, or what kind of group sessions you
were in.
HCA 60-0019 (4/19)
• If you want to share something with me, that’s
fantastic. But that’s not necessary to my taking
care of you. What is helpful for me to know is
if they have some sort of diagnoses that you
if those may or may not still be present, but more
any medications.
Your privacy is protected
• When you give me permission to talk to
your other providers, you are giving me
permission to ask for and share health care
information about you.
• You are only giving me permission to look
at this. If the police or someone else were to
say “hey, so and so, I think they have a chemical
dependency problem or have they been to a
methadone clinic, can you send me all the records
on that?” the answer is “no.” You have legal
protections and I cannot share this privileged
information that you are agreeing to let me
have with anybody else. That is illegal. So that
protection is built in as well.
• This information will not be shared with your
employer or family.
Supporting self-directed decision
making about consent and being in
control of their consent
Your permission is voluntary
• I will take care of you no matter what you tell
me.
• By giving me permission, you’re not giving
everybody who might ask for something from
me your permission as well. You tell me who’s
okay to have this information and who’s not.
• This is your information. And yes, it might be
helpful to me, but if it makes you feel unsafe or
worried maybe it’s not the right time to do that
right now.
• It’s important for us to protect the privacy of
everything that everybody tells us. Your medical
condition, what meds you’re on, what you come in
for today, if you have a history of a substance use
disorder, if you have a history of a mental health
disorder, it is all equally important for us to protect
and let you share what you want with people. It is
not about what we want to share. We will only
share what we feel we need to. That helps to
we need your permission.
• You decide how long this information can be
shared. Once you give permission, we can’t take
back information already shared, but we can stop
any additional information from being shared.
If someone is not sure about their
other providers or not able to share
that information
Do you have a case manager in your program?
How would it be or how would it be with you that I
talk to your case manager? That way they may give
me information that you don’t think is important,
but it might be helpful to me. And that if they are
worried about you they can give me a call and get
through if you’re not able to and I found that working
as a team helps people better. Is that ok?
What You Should Know
About Substance Use Disorder
Information Sharing
How long will my information
be shared?
You choose! If you agree to share, you
can choose when your consent to share
information should end. Even after choosing
a date, you can take back or cancel your
permission at any time.
Of course, information may have already been
shared with providers before you cancel or
take back your permission.
How do I give my permission?
A short form is all that is needed to consent to
share information. We can walk you through it.
HCA 82-0182 (4/19)
Why are we asking for this?
Our goal is to provide you with the best and
safest care possible.
We are asking for your Substance Use
Disorder (SUD) information to be shared
with providers with the same level of
information.
Sharing this information allows your
providers to see you as a whole person. For
example, sharing this information:
Allows your SUD treatment provider to better
coordinate with your diabetes doctor.
Allows the doctor treating your high blood
pressure to understand what medications you
are receiving from your SUD provider.
Who will my information
be shared with?
You are in control of who has access
to your treatment records. You have
the following options:
• You can choose to provide
a general approval to all
individuals and entities that
you have/might have received
treatment from.
• You can choose to be very
information with only
entities.
Will this information
be shared with my family,
landlord or employer?
No, your information will not be
shared without your permission.
How do I know my treatment
information won’t be shared
without my permission?
Sharing your information is voluntary. Your
treatment records are strictly protected under
federal law and, in most instances, will not be
shared without your permission.
Under Federal Law 42 CFR Part 2:
You are entitled to seek treatment without
fear of legal or social consequences.
records prevents their sharing without your
permission.
Appendix 3 – Brochure
This brochure is intended as a consent aid for
people receiving services. It is structured similar
to brochures aimed at educating patients on HIPAA
regulations or research studies. These brochures
can be made available in public spaces in a clinic
and are highly encouraged to be used while
clinic to place their contact information. Along
with a copy of the consent, the person should be
encouraged to take a brochure home with them to
ensure they know who to contact if they decide to
cancel their consent or have additional questions.
71
What You Should Know
About Substance Use Disorder
Information Sharing
How long will my information
be shared?
You choose! If you agree to share, you
can choose when your consent to share
information should end. Even after choosing
a date, you can take back or cancel your
permission at any time.
Of course, information may have already been
shared with providers before you cancel or
take back your permission.
How do I give my permission?
A short form is all that is needed to consent to
share information. We can walk you through it.
HCA 82-0182 (4/19)
Why are we asking for this?
Our goal is to provide you with the best and
safest care possible.
We are asking for your Substance Use
Disorder (SUD) information to be shared
with providers with the same level of
information.
Sharing this information allows your
providers to see you as a whole person. For
example, sharing this information:
Allows your SUD treatment provider to better
coordinate with your diabetes doctor.
Allows the doctor treating your high blood
pressure to understand what medications you
are receiving from your SUD provider.
Who will my information
be shared with?
You are in control of who has access
to your treatment records. You have
the following options:
• You can choose to provide
a general approval to all
individuals and entities that
you have/might have received
treatment from.
• You can choose to be very
information with only
entities.
Will this information
be shared with my family,
landlord or employer?
No, your information will not be
shared without your permission.
How do I know my treatment
information won’t be shared
without my permission?
Sharing your information is voluntary. Your
treatment records are strictly protected under
federal law and, in most instances, will not be
shared without your permission.
Under Federal Law 42 CFR Part 2:
You are entitled to seek treatment without
fear of legal or social consequences.
records prevents their sharing without your
permission.
Appendix 4 – Acknowledgments
This document would not have been possible
without collaboration from the state agencies
that participated in an SUD Consent Management
Workgroup and shared information through
interviews, discussion, and review. In addition
to HCA, staff from the following state agencies
participated and helped develop this guidance:
Department of Children, Youth, and Families
Department of Corrections
Department of Health
Department of Labor & Industries
Department of Social and Health Services
Oce of Financial Management
HCA also received invaluable feedback providers
and other partners, including accountable
communities of health, behavioral health
organizations, managed care organizations,
physical and behavioral health providers,
professional associations, and recovery advocacy
groups. The time and dedication of everyone who
contributed to this work is deeply appreciated.
Finally, HCA was able to draw from excellent
resources already created by others, including the
State Health Information Guidance published by
Integrity.
74
