February 2024 Changes to 42 CFR Part 2

Recently, the U.S. Department of Health and Human Services released an update to 42 CFR Part 2. A fact sheet was made available on 2/8/24 and the full regulation text was published on 2/16/24. CalMHSA spent time reviewing this update to determine how this may impact the statewide EHR project. This paper is meant to clarify the impact, or lack thereof, of these regulatory changes.

Summary of Changes

In the past, 42 CFR Part 2 programs were not allowed to disclose treatment information unless a client authorized it. This required the authorization to identify the specific person the information would be disclosed to. Later, authorizations to treatment providers no longer required the specific person to be identified, rather an agency name was enough. Now, under February 2024 changes, the type of provider is enough. This means a client can sign a disclosure authorization to release information to “healthcare providers”, which would allow disclosure to any provider or agency that falls under that category.

Also, redisclosure of information received from 42 CFR Part 2 programs was strictly prohibited and had severe consequences. Now, under February 2024 changes, the consequences mirror HIPAA regulations.

CDAG

The Clinical Data Access Group, or CDAG, concept was created in order to segregate 42 CFR Part 2 program treatment information from non-Part 2 program information. A CDAG is a group of SmartCare programs that can share information without requiring an authorization from the client. Mental health programs, which are not Part 2 programs, must abide by HIPAA regulations. This allows them to share treatment information for coordination of care without a specific authorization from the client. Substance use disorder programs, which are Part 2 programs, must abide by the more stringent 42 CFR regulations, which requires an authorization by the client before sharing information with another provider. Since a provider (e.g. legal entity/agency) often has multiple SmartCare programs they document to, each SUDS legal entity had their own CDAG.

February 2024 changes to 42 CFR do not change this. A client must still authorize disclosure of information from Part 2 programs.

Inquiry Screen and Part 2 Access Programs

The Inquiry Screen is where requests for services are documented. Some counties hold their access lines out as Part 2 programs, since they provide referrals to SUD treatment services. Some counties have multiple access lines, having one line that must abide by HIPAA and one SUD-specific line that must abide by 42 CFR Part 2 requirements.

CalMHSA was working with Streamline to develop a way to limit viewing of the Inquiry screen based on the program that received the request.

February 2024 changes to 42 CFR do not change this. If a county holds that their access line is a Part 2 program, CDAG rules should apply. CalMHSA recently received county feedback, and confirmed with law firm Manatt, on this topic. Development will move forward to address this issue.

Coordination Care Consent and Release of Information Changes

Some counties provided CalMHSA with feedback regarding the Coordinated Care Consent and the Release of Information documents in SmartCare. CalMHSA worked with a liaison group of county counsels, led by Ventura County, on making changes to these documents. Changes had been designed and vetted by this liaison group and the proposed changes were out for review by all counties when the 42 CFR changes were announced. Development for these proposed changes was put on hold until analysis of 42 CFR changes were completed.

There will be some additional minor language changes to these forms in response to the 42 CFR Part 2 changes. CalMHSA will be sending out updates to the proposed changes within the next few weeks for county review. The regulatory changes for allowing “type of provider” rather than the specific agency or person’s name, may assuage some of the concerns already remedied with proposed changes.

Release of Information Documents Completed in Part 2 Programs

A Release of Information document can be completed within SmartCare. Unlike other documents, however, it is visible on the “Release of Information Log” tab of the “Client Information” screen. This screen is visible to all SmartCare users and is not protected by CDAG rules.

Since documents must be signed by a staff user before the client signs, and all documents have a designated author, not having a document protected by CDAG could result in a breach of information. If the author is a known Part 2 provider, the user can infer that the client is therefore receiving treatment in a Part 2 program.

February 2024 changes to 42 CFR do not change this. CalMHSA is pursuing development to protect ROI documents using CDAG rules.

Do not Redisclose Statement on Part 2 Program Documentation

CalMHSA has been working to add a “do not redisclose” statement in the footer of all documents that originate from a SUD program.

February 2024 changes to 42 CFR do not change the need for this statement. This logic-based footer will still be required, as re-disclosure of Part 2 program documents is still not allowed.

However, documents that originate from a non-Part 2 program (e.g. a mental health program) that include information received from a Part 2 program as part of an authorized disclosure, are not subject to the same requirements. An example of this is the Problem List. When creating a CalAIM Assessment for a mental health program when the client has signed the Coordinated Care Consent, the mental health clinician can see all of the client’s problems added from all programs, including those entered by Part 2 programs. When they sign the CalAIM Assessment, that information is saved as part of the mental health document record. Since the document was created under a mental health program, the information provided within is not subject to Part 2 regulations. However, if this same mental health clinician viewed the client’s ASAM Assessment document that was created under a Part 2 program and then shared this information with a 3rd party, this would be considered a breach under redisclosure regulations.

Updated 4/4/24