42 CFR Part 2 Regulation: Guidance for IRIS Organizations
Conversations about data privacy often arise as part of the IRIS onboarding process. This tool is designed to help organizations handling substance use data consider best practices when using the IRIS platform. IRIS seeks to maintain the privacy and security of personal information, including compliance with administrative, technical, and physical controls to safeguard personal information from unauthorized access, use, or disclosure. However, it is the responsibility of all IRIS organizations to develop referral policies and procedures that align with applicable data-sharing rules and regulations.
This guidance is for information purposes only and is not intended as legal advice. Specific questions regarding compliance with federal law should be referred to your legal counsel. State laws may also apply.
An Overview of 42 CFR Part 2
42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records is a federal regulation that concerns the disclosure of information that “would identify a patient as an alcohol or drug abuser…” (42 CFR §2.12(a) (1)). The information protected by this regulation is any information disclosed by a covered program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem or as a participant in a covered program.
The federal government created the privacy provisions in 42 CFR Part 2 due to the recognition that stigma and fear of prosecution might dissuade persons with substance use disorders from seeking treatment. To ensure that patients pursue care, there is an additional layer of protection on records containing substance use information that outline under what conditions an organization may disclose information about a patient’s treatment, with and without the patient’s consent.
42 CFR Part 2 applies to any federally-assisted individual that provides alcohol or drug abuse diagnosis, treatment, or referral for treatment (42 CFR § 2.11). With limited exceptions, 42 CFR Part 2 requires patient consent for disclosing protected health information even for treatment, payment, or health care operations. Consent for disclosure must be in writing and include specific elements outlined here.
Considerations for Substance Use Data in IRIS
IRIS is a HIPAA-compliant referral platform that transfers and stores family referral information between various service providers. Sending a referral through IRIS may serve as a disclosure of that individual's substance use when the sending organization is a substance use disorder treatment provider. Consider your organization’s current referral workflow to identify any specific areas of concern. Based on potential barriers identified and the applicable data sharing rules in this tool, your organization and network should discuss how and what information should be shared in IRIS.
In creating your data regulations and standards, consider developing policies on client consent, what information is shared during a referral, and any deviations from typical IRIS referral processes required for specific disclosures.
- Client Consent and Patient Information: To protect your client’s privacy, it is important to use a consent form that clearly outlines the information that will be shared – including any information that may be sent between IRIS partners during the referral process. Providers may upload consent forms with referrals as well as add unauthorized disclosure language, when necessary. As part of the IRIS referral network, your organization may be asked to share the following during a referral:
- Personally Identifiable Information (PII), including demographic information, contact details, and other information needed to assess patient eligibility and support the delivery of services.
- Behavioral Health Information, which might include mental health information and/or SUD treatment information subject to 42 CFR Part 2 consent requirements.
The collection and sharing of personally identifiable information and protected health information on the IRIS network must comply with local, state, and federal laws and regulations. To protect client privacy, physical and behavioral health information should only be shared on the IRIS network if critical to delivering specific services or supports to the client.
Completing a Referral: Determine if there is information and/or specific instances in which your organization cannot share information as part of responding to a referral. Share this information with your IRIS network to inform Community Standards. Standards may indicate when your organization needs to opt to complete incoming referrals using the “Other” status, indicating that the outcome of the referral cannot be disclosed without consent.
Workflows: Organizations may choose to only receive referrals in IRIS. Typically, this is documented in the Community Standards and the organization maintains a red Capacity Bar, informing partners they do not receive referrals through IRIS. In some instances, the organization also provides information on how they may receive referrals. Organizations should work with their local IRIS leadership to ensure their referral workflow needs are reflected in Community Standards.
In this section, you will find resources that describe the 42 CFR Part 2 regulation and how to implement these procedures into your daily workflows.
- Federal Register, Confidentiality of Substance Use Disorder Patient Records
- The original government regulations for 42 CFR Part 2.
- Federal Register, 42 CFR Part 2 Rule Changes
- The federal register’s summary of the rule changes for substance use patient records.
- 42 CFR Part 2 and Perceived Impacts on Coordination and Integration of Care
- This article offers a qualitative analysis on the efficacy of integrating federal substance use privacy laws.
- Legal Action Center: Fundamentals of 42 CFR Part 2
- This online FAQ provides an overview of 42 CFR Part 2 and describes the importance of securing substance use patient data.
- SAMHSA: Fact Sheets Regarding the Substance Abuse
- Confidentiality Regulations This site offers two fact sheets regarding the regulation and the sharing of confidential client information.