Part 2 Rule Update Modernizes SUD Record Disclosure Regulations

On January 3, 2018, the Substance Use and Mental Health Services Administration (SAMHSA) published a final rule implementing new changes to the Confidentiality of Substance Use Disorder Patient Records, 42 C.F.R. part 2 (Part 2).

The Part 2 privacy regulations govern the confidentiality of substance use disorder (SUD) patient records which are maintained in connection with the performance of any federally assisted substance use disorder program (Part 2 Records). The final rule becomes effective February 2, 2018.

While the new rule maintains the fundamental prohibition on disclosure of Part 2 patient records without patient consent, it expands the ways in which Part 2 patient records may be shared and modernizes notice requirements to align with current healthcare information technology practices.

  • Disclosures of Part 2 records to subcontractors are now permitted for payment and healthcare operations with patient consent: When a patient consents to the disclosure of their Part 2 Records for purposes of payment or healthcare operations, the recipient listed on the consent form (Lawful Holder) may further disclose the Part 2 Records to the Lawful Holder’s contractors, subcontractors, or legal representatives (Contractors) as necessary to carry out the payment or health care operations purpose for the disclosure. Under this new rule, Lawful Holders are required to have a written contract in place by February 2, 2020, with certain provisions obligating the Contractors to be bound by, and in compliance with Part 2.
    • Although the new rule authorizes disclosures to Contractors for payment and healthcare operations, SAMHSA confirmed that disclosures to Contractors for other purposes, such as diagnosis, treatment, or referral for treatment are not permitted, including care coordination and case management purposes.
  • Abbreviated notice of Part 2 prohibition on re-disclosure now permitted to assist users of electronic health record systems (EHRs): When making a disclosure under Part 2, the disclosing party must provide the recipient with notice of the prohibition on re-disclosure. Part 2 prescribes specific language for the notice of the prohibition on re-disclosure that must accompany each disclosure of Part 2 Records. Because many EHRs have a standard maximum character limit of 80 characters in the free text space that may be used to transmit this notice, the new rule provides disclosing parties with the option to use the following abbreviated notice of the prohibition on re-disclosure: “42 CFR part 2 prohibits unauthorized disclosure of these records.”
  • Disclosures of Part 2 records to subcontractors for audit and evaluation purposes: Subject to certain limitations, the new rule expands the scope of disclosure of Part 2 Records for purposes of audits and evaluations performed on behalf of federal, state, and local governments providing financial assistance to, or regulating the activities of, both Part 2 programs and Lawful Holders. In addition, if disclosures are made for a Medicare, Medicaid, or CHIP audit/evaluation, including a civil investigation or administrative remedy, further disclosures may be made to contractors, subcontractors, or legal representatives to carry out the audit or evaluation.

SAMHSA announced that it will hold a public meeting on January 31, 2018 to solicit information and feedback from the public concerning the effect of Part 2 on patient care, health outcomes, and patient privacy, as required by Section 110002 of the 21st Century Cures Act.

Entities that are subject to Part 2 must assess the impact of the new regulation on operations and update policies and procedures to align with the new requirements. If you have questions about the changes to Part 2 or general questions regarding Part 2 compliance, please contact Elana Zana or Anthony Halbeisen.

Healthcare Mobile Device Encryption: Is It Required?

Encryption of mobile device technology has become essential in the eyes of the OCR. Although HIPAA treats encryption as an “addressable” safeguard (as opposed to a “required” safeguard) under the Security Rule, the following OCR settlements involving unencrypted mobile devices indicate that encryption is, in practice, obligatory for HIPAA compliance.

As new technologies emerge and the use of mobile technology in healthcare expands, Covered Entities and Business Associates must ensure that they are monitoring administrative and security measures to keep pace with evolving risks. In each case below, the sanctioned party failed to properly implement a risk management plan and deploy encryption to protect the data stored on mobile technology.

Stolen USB results in $2.2 million settlement

On January 18, 2017, OCR announced a HIPAA settlement with MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) after a USB data storage device containing electronic protected health information (ePHI) of 2,209 individuals was stolen from MAPFRE’s IT department.

In September 2011, MAPFRE filed a breach report after a USB data storage device was stolen from the IT department where it was left without safeguards overnight; the device included complete names, dates of birth, and Social Security numbers of the affected individuals. OCR’s investigation revealed that MAPFRE failed to conduct a risk assessment and implement security measures sufficient to reduce risk to a reasonable and appropriate level. MAPFRE also failed to implement policies and procedures, workforce training for security awareness, and did not deploy encryption or an equivalent alternative measure on its laptops and removable storage media.

In addition to paying $2.2 million, MAPFRE agreed to conduct a risk analysis, implement a risk management plan, develop policies and procedures, conduct workforce training, and provide ongoing reports to OCR.

Lost mobile phone and laptop results in $3.2 million civil money penalty

On February 1, 2017, OCR issued a Notice of Final Determination including a civil money penalty for HIPAA violations against Children’s Medical Center of Dallas (Children’s) after two impermissible disclosures of the unsecured ePHI of over 6,200 individuals stored on mobile technology devices. Children’s is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric health care provider in the nation.

Children’s filed a breach report in January 2010, reporting the loss of an unencrypted, non-password-protected BlackBerry device containing ePHI of 3,800 individuals at the Dallas/Fort Worth International Airport. Then in July 2013, Children’s filed a separate breach report indicating an unencrypted laptop containing ePHI of 2,462 individuals was stolen from its premises. OCR’s investigation revealed that Children’s failed to implement a risk management plan even with prior recommendations to do so, as well as a failure to deploy encryption on its laptops, workstations, mobile devices, and removable storage media. Despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed workforce members to continue using unencrypted laptops and other devices until 2013.

Laptop stolen from workforce member’s car costs wireless health services provider $2.5 million

On April 24, 2017, OCR announced a $2.5 million settlement with CardioNet after the unsecured ePHI of 1,391 individuals was impermissibly disclosed when a workforce member’s laptop was stolen from a vehicle parked outside the employee’s home. The laptop was unencrypted. CardioNet is a Pennsylvania-based wireless health services provider, offering remote mobile monitoring and rapid response to patients at risk for cardiac arrhythmias.

OCR’s investigation revealed that CardioNet failed to conduct a risk assessment and finalize and implement policies and procedures for compliance with the HIPAA Security Rule. OCR also cited gaps in policies governing the receipt and removal of hardware and electronic media into and out of its facilities, the encryption of such media, and the movement of mobile devices within its facilities.

According to the Corrective Action Plan, CardioNet agreed to conduct a risk assessment, develop and implement a risk management plan, implement secure device and media controls, review and revise its HIPAA training program, and produce ongoing reports for HHS.

For additional information about the use of encryption technology for HIPAA compliance, see HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Also, see The Office of the National Coordinator for Health Information Technology’s guidance regarding Mobile Device Privacy and Security.

Please contact Anthony Halbeisen or Elana Zana if you have any questions about securing health data on mobile devices.

Failure to Provide Communication Aid Costs Hospital $20K

John Dempsey Hospital agreed to pay $20,000 as compensation to a patient after failing to provide auxiliary communication aids during an emergency department visit. The patient, who is deaf and uses American Sign Language for communication, had to rely on a companion for all treatment communications. In addition to paying compensation to the patient, the hospital is required to undergo a comprehensive review of its corporate policies and procedures to implement changes to enhance access, address intake and grievance procedures, adjust technology capabilities, and institute staff training to ensure compliance with Section 1557.

Despite requesting interpreter services upon arrival at the hospital’s emergency department, the patient was not provided an interpreter or video remote interpreting services and had to rely on a companion to interpret throughout the hospital visit. After receiving a complaint about the incident, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), in partnership with the U.S. Attorney’s Office for the District of Connecticut, conducted a compliance review of the hospital’s policies and procedures to determine compliance with the nondiscrimination provisions found in Section 1557 of the Patient Protection and Affordable Care Act (ACA). This is the first OCR settlement agreement under Section 1557 that provides for monetary damages specifically to a patient.

In general, Section 1557 expands upon existing federal non-discrimination rules and regulations to prohibit discrimination based on race, color, national origin, sex, age or disability in health programs or activities that receive federal financial assistance. The law applies to most hospitals, skilled nursing facilities, ambulatory surgical centers, home health agencies, hospices, federally qualified health centers, rural health clinics, physician practices, laboratories, pharmacies, outpatient rehabilitation facilities, ESRD dialysis centers, state Medicaid agencies as well as insurers that participate in the ACA’s Health Insurance Marketplace.

HHS issued the final rule implementing Section 1557 in 2016, and as of October 2016, entities subject to the rule must post notices regarding the entity’s nondiscrimination practices, along with taglines in at least the top 15 non-English languages spoken in the state, that alert individuals with limited English proficiency to the availability of language assistance services. See sample notice and tagline documents here. In addition, entities subject to the rule with 15 or more employees must designate a compliance coordinator and adopt a grievance procedure. Section 1557 requires health care entities to ensure effective, accessible communications with individuals who need interpreters, including individuals with disabilities as well as individuals with limited English proficiency.

The final rule requires health care entities to take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others using appropriate auxiliary aids and services, such as alternative formats, sign language interpreters, and remote video interpreters. Health care entities are also required to make all programs and activities provided through electronic and information technology equally accessible. In addition, the final rule requires health care entities to take reasonable steps to provide meaningful access for individuals with limited English proficiency by providing qualified oral interpretation and written translation services. See HHS’s limited English proficiency resources for effective communications for additional guidance.

Where noncompliance with Section 1557 cannot be corrected by informal means, enforcement can include suspension of, termination of, or refusal to grant or continue federal financial assistance, referral to the Department of Justice, and any other means authorized by law. Section 1557 authorizes a private right of action to challenge Section 1557 violations and receive compensatory damages. Affected entities are encouraged to develop and implement a language access plan to ensure they are prepared to take reasonable steps to provide meaningful access to each individual.

HHS has created several resources regarding ACA Section 1557 compliance: see general information and FAQs.

For further information or if you have any questions about ACA Section 1557 please contact Anthony Halbeisen.