In early 2024, the U.S. Department of Health and Human Services released an update to 42 CFR Part 2. A fact sheet was made available on 2/8/24 and the full regulation text was published on 2/16/24. CalMHSA spent time reviewing this update to determine how this may impact the statewide EHR project. This paper is meant to clarify the impact, or lack thereof, of these regulatory changes.
Summary of Changes
In the past, 42 CFR Part 2 programs were not allowed to disclose treatment information unless a client authorized it. This required the authorization to identify the specific person the information would be disclosed to. Later, authorizations to treatment providers no longer required the specific person to be identified, rather an agency name was enough. Now, under February 2024 changes, the type of provider is enough. This means a client can sign a disclosure authorization to release information to “healthcare providers”, which would allow disclosure to any provider or agency that falls under that category.
Also, redisclosure of information received from 42 CFR Part 2 programs was strictly prohibited and had severe consequences. Now, under February 2024 changes, the consequences mirror HIPAA regulations.
CDAG
The Clinical Data Access Group, or CDAG, concept was created in order to segregate 42 CFR Part 2 program treatment information from non-Part 2 program information. A CDAG is a group of SmartCare programs that can share information without requiring an authorization from the client. Mental health programs, which are not Part 2 programs, must abide by HIPAA regulations. This allows them to share treatment information for coordination of care without a specific authorization from the client. Substance use disorder programs, which are Part 2 programs, must abide by the more stringent 42 CFR regulations, which requires an authorization by the client before sharing information with another provider. Since a provider (e.g. legal entity/agency) often has multiple SmartCare programs they document to, each SUDS legal entity had their own CDAG.
February 2024 changes to 42 CFR do not impact this. A client must still authorize disclosure of information from Part 2 programs.
Inquiry Screen and Part 2 Access Programs
The Inquiry Screen is where requests for services are documented. Some counties hold their access lines out as Part 2 programs, since they provide referrals to SUD treatment services. Some counties have multiple access lines, having one line that must abide by HIPAA and one SUD-specific line that must abide by 42 CFR Part 2 requirements.
By default, Inquiries will require the user to select the program that received the inquiry and CDAG the inquiries by this method. If counties do not want inquiries behind CDAG rules, see How to Remove CDAG Protections from Inquiries.
February 2024 changes to 42 CFR do not impact this. If a county holds that their access line is a Part 2 program, CDAG rules should apply.
Coordination Care Consent and Release of Information Changes
Some counties provided CalMHSA with feedback regarding the Coordinated Care Consent and the Release of Information documents in SmartCare. CalMHSA worked with a liaison group of county counsels, led by Ventura County, on making changes to these documents. Changes had been designed and vetted by this liaison group and the proposed changes were out for review by all counties when the 42 CFR changes were announced. Development for these proposed changes was put on hold until analysis of 42 CFR changes was completed.
Some additional minor language changes to the Coordinated Care Consent were included in response to the 42 CFR Part 2 changes. CalMHSA sent out updates to the proposed changes for county review and implemented the changes in late 2024 after receiving no negative feedback.
Release of Information Documents Completed in Part 2 Programs
A Release of Information document can be completed within SmartCare. Unlike other documents, however, it is visible on the “Release of Information Log” tab of the “Client Information” screen. While this screen is visible to all SmartCare users, CalMHSA made changes so that the ROI Log tab is protected by CDAG rules.
February 2024 changes to 42 CFR do not impact this.
Do not Redisclose Statement on Part 2 Program Documentation
CalMHSA has been working to add a “do not redisclose” statement in the footer of all documents that originate from a SUD program. This footer exists on some documents, but not all, as some SmartCare documents are created by Streamline and we are unable to edit them.
February 2024 changes to 42 CFR do not change the need for this statement. This logic-based footer will still be required, as re-disclosure of Part 2 program documents is still not allowed.
However, documents that originate from a non-Part 2 program (e.g. a mental health program) that include information received from a Part 2 program as part of an authorized disclosure, are not subject to the same requirements. An example of this is the Problem List. When creating a CalAIM Assessment for a mental health program when the client has signed the Coordinated Care Consent, the mental health clinician can see all of the client’s problems added from all programs, including those entered by Part 2 programs. When they sign the CalAIM Assessment, that information is saved as part of the mental health document record. Since the document was created under a mental health program, the information provided within is not subject to Part 2 regulations. However, if this same mental health clinician viewed the client’s ASAM Assessment document that was created under a Part 2 program and then shared this information with a 3rd party, this would be considered a breach under redisclosure regulations.