Many think HIPAA is the final arbiter of patient privacy in regard to health data.
But a lesser-known federal regulation, now some three decades old, has long provided stricter protection for people receiving treatment for drug and alcohol abuse problems.
Now, amid the fast-changing landscape of medical records sharing, the rule -- known as 42 CFR Part 2, "Confidentiality of Alcohol and Drug Abuse Patient Records" -- appears ripe for reform, but in a counterintuitive way some observers might not expect. Instead of becoming more stringent, the regulation pendulum may swing in the looser direction.
The HHS Substance Abuse and Mental Health Services Administration (SAMHSA) recently held a daylong "listening session" on proposed changes to the rule. The session was sort of a prelude to expected new rulemaking or rulemaking hearings, but SAMHSA isn't yet saying how definitive any moves might be or when they may happen. In any event, the testimony from the session will likely be published next month, according to SAMHSA.
For some behavioral health data sources, updating the regulations makes sense because the rules date to a bygone era when substance abuse services were provided mainly by specialists, healthcare systems lacked digital information sharing, and new data-driven entities such as health information exchanges and accountable care organizations did not exist.
Even so, changes this long in coming are bound to upset some players, particularly privacy advocates, said Brad Rostolsky, head of the privacy and HIPAA practice at the Philadelphia office of the ReedSmith global law firm.
Traditionally, privacy activists have argued that fewer controls on the release of substance abusers' information would dissuade people from seeking treatment. The federal rule, as it stands, requires patients to give express written consent to any disclosure of their treatment history.
"Any time you get proposed changes within a regulatory scheme that have been in the making for a significant time, it's going to cause folks who are only working in that world to become concerned and feel uncomfortable," Rostolsky said. "All that being said … there shouldn't be any impediment to other providers who are doing alcohol and drug treatment to getting information."
For provider CIOs, other challenges to watch that are quite likely to arise in this process may turn out to be technical.
Nancy Davis, privacy officer at Ministry Health Care, a 13-hospital system based in Milwaukee, said the Wisconsin provider has recently grappled some of the same issues after passage of a new state law that allows healthcare providers to integrate all medical records or keep the most sensitive ones separate.
On top of federal and state compliance rules, hospital officials have to weigh three interest groups -- behavioral health specialists, primary care physicians and patients -- and also figure out how to get technology vendors to incorporate data transportability and security features.
"It's not a very easy process," Davis said.
But Davis said the modernization effort on the national level is much needed and will be worth the effort.
"I'm very pleased they're looking at this. It's going to be a balance," she said. "The vendors will have to watch carefully so they can give options."
Davis compared the situation to the difficulties a bank might encounter if it tried to segment a couple's specific spending transactions by listing all of one spouse's spending on a specific item, such as furniture, for example. It is much smoother to simply commingle all the expenses, she noted.
"The reality is if Chapter 42 is allowed to integrate [data] and not segregate, it will be easier," Davis added. "If they open it up for coordination of care, it's wonderful. For privacy it will continue to be a problem."