Substance Use Disorder Vendor Agreements
42 CFR Part 2 provides protections for medical records relating to substance abuse disorder and contract provisions were due by February 2nd of this year. The Substance Abuse and Mental Health Services Administration (SAMHSA) of the Department of Health and Human Services (HHS) issued final regulations in 2018 to strengthen the protections provided by HIPAA. To be clear, we treat SUD information as a more-constrained subset of protected health information (PHI).
Broadly speaking SUD records protected by SAMHSA / HHS are those whose programs or treatment are paid with federal funds. Healthcare professionals who work with SUD information must receive patient approval for all SUD protected information sharing, with VERY limited exceptions NOT consistent with HIPAA regulations. The new contract provisions must require third party vendors to also comply with 42 CFR Part 2; note that SAMHSA doesn't specify the term Business Associate, but keep in mind that we consider them such under HIPAA. These third party vendors need to implement safeguards to to prevent unauthorized uses and disclosures, consistent with 42 CFR Part 2.
42 CFR Part 2 is its own healthcare information regulation with SIGNIFICANT limitations for sharing patient data. Those working with SUD information should consult legal assistance to ensure their obligations are understood correctly. Reach out here if you need help connecting with lawyers who understand this federal regulation.
Stay (HIPAA) safe,