Summary
On November 22, 2024, CalMHSA held a County Shared Decision Making meeting regarding ePrescribing under 42 CFR Part 2 programs. The following guidance was provided:
- Any data viewed in ePrescribing software should not be considered a breach of confidentiality.
- Staff in Part 2 programs should ensure that they have a client authorization before entering prescriptions or other information into the ePrescribing software. This authorization should include disclosures and redisclosures for treatment, payment, and operations.
- Staff should be cautious and thoughtful about what data they pull into their own records from ePrescribing software records. Once the data becomes part of their program’s records, it becomes visible to staff who do not have access to the ePrescribing software.
- All records (documents) in SmartCare, including those that incorporate information pulled from the ePrescribing software, are associated with a program, which allows the system to limit who can view the record.
Background
The new Psych/Medical Note was released. It includes the client’s current list of medications. When assigning permissions, a question arose:
Should all SmartCare users be allowed to view the Psych/Medical Note, considering that it contains information that is not behind CDAG protections?
This led CalMHSA to explore the issue with law firm Manatt.
Firstly, we explored the issue of privacy versus care coordination. The following statements were established as fact:
- HIPAA allows for sharing of information for coordination between providers without authorization from the client. 42 CFR Part 2 requires authorization from the client.
- Treatment information includes prescriptions.
- There is no 42 CFR Part 2 carve-out for prescribers that allows sharing without authorization.
Then, we explored how ePrescribing, or eRx, software functions. There are three main actions taken:
- Prescriptions are entered into the eRx.
- eRx transmits prescription data to the pharmacy, thereby sharing treatment data with that pharmacy. This is considered an initial disclosure.
- When the pharmacy fills the prescription, the eRx transmits data back to the prescriber AND adds this information to the client’s medication history in national databases. This is considered a re-disclosure.
We explored how counties are currently using eRx systems, and how that use impacts the EHR in general. This included reviewing the contract with DrFirst to best understand the eRx relationship with any legal entity and a corresponding EHR. The following points were found:
- Currently, all of a county’s prescribers are entering their prescriptions into the same eRx, allowing the eRx to check these prescriptions against each other for negative interactions or contraindications.
- All prescribers can see all medications for a client across a county’s SmartCare instance, regardless of SUD v. MH affiliation.
- CalMHSA has explored with eRx providers (SmartCare and DrFirst) the possibility of being able to distinguish between medications from a Part 2 program and others, and the potential to hide that information when a client authorization does not exist (e.g. bring CDAG to eRx).
  - We have been told that this would be a very complicated, large, and expensive development item that would take a long time to build. It may be a solution, but it is not a quick solution.
  - It would also mean prescribers would not automatically see contraindications.
- CalMHSA has prioritized client safety over confidentiality for eRx.
  - Other confidentiality stipulations (e.g. mandated reporting laws) make the same prioritization.
- Only prescribers and their associated staff should access the eRx module.
  - CalMHSA created a separate add-on user role to allow access to the eRx module. Anyone with this user role can see all medication information for a client.
- Some eRx information is pulled back into SmartCare.
  - CalMHSA has limited access to these screens to only those user roles that can already access the information via the eRx (e.g. Medications widget).
- There are some documents, including the new Psych/Medical Note, that pull information from the eRx.
So the question remains: Should all SmartCare users be allowed to view the Psych/Medical Note, considering that it contains information that is not behind CDAG protections?
Discoveries, Conclusions, and Recommendations
After reviewing all of this, we determined there were 5 major points of PHI exchange:
1. Inputting data into eRx
   - Entering prescriptions
   - Entering allergies, failed trials, etc.
   - Entering medications the provider is not directly prescribing
2. Transmitting data through eRx
   - Sending a prescription to a pharmacy
3. Redisclosures of data by the eRx
   - Pharmacies sending the status of a prescription back to the eRx
4. Gathering data from eRx
   - Viewing a client’s medication history
   - Viewing a client’s current prescriptions
   - Viewing a client’s allergies, failed trials, etc.
5. Redisclosing data received from eRx
   - Adding a client’s medications or prescriptions to “active prescriptions” in a provider’s instance of the eRx where others may see it
   - Adding information gained via the eRx to a provider’s progress note or assessment
The first 3 represent a disclosure by the county, or a redisclosure of information initially disclosed by the county. The last 2 represent a receipt of PHI by the county. HIPAA allows these types of disclosures (1-3) without a client authorization, as this would be done as part of treatment, payment, and operations (TPO). 42 CFR still requires client authorization for any disclosure, including those done as part of TPO.
This means that programs that are not beholden to 42 CFR Part 2 may input data into an eRx system without authorization, but Part 2 programs must get client authorization before inputting any data into an eRx system. With new 42 CFR Part 2 rules, a single authorization may cover all these disclosures and redisclosures.
CalMHSA’s Coordinated Care Consent is an authorization from the client to disclose and redisclose treatment information within SmartCare. CalMHSA is making a slight adjustment to the language to also include medication databases. This means that if a client signs the Coordinated Care Consent, the client is authorizing Part 2 programs to enter information into an eRx system.
If the client refuses to sign the Coordinated Care Consent, then a standard authorization to release information (otherwise known as a Release of Information, or ROI) should be used to cover eRx disclosures and redisclosures. If a client refuses to sign an ROI, the county must determine the next steps based on their unique situation.
With respect to receiving information from the eRx system, we can assume that any authorization for disclosure or redisclosure was provided by the client prior to the data being entered into the system. Receiving that information is not considered a breach of information. Often, the only staff with access to the eRx system who can see a client’s medical history are prescribers themselves. They need this information to determine what medications they should or should not prescribe, as some may have contraindications or have already been prescribed elsewhere.
When a provider pulls the information they can see into their own records, including into their instance of the eRx software, they are making this information available to anyone with access to the eRx software. So while a medical assistant may not have access to view the client’s medical history via the eRx software, once the prescriber pulls that information into the client’s eRx chart from the eRx database, that information is now viewable by the medical assistant. Since all of a county’s staff can see the same information in the eRx software, this means that if a Part 2 program prescriber pulls relevant information into their record, the medical assistant in a non-Part 2 program will also be able to see this information. Prescribers should therefore be cautious and thoughtful about what information they pull into their own records.
Lastly, the EHR will often pull information from the eRx software into progress notes, assessments, and other documents. This is not considered a breach, as any information entered into the eRx software can be assumed to have the required authorization for disclosure and redisclosure. Like all records in the EHR, these documents, even those with eRx information, are associated with a specific program, and therefore protected behind CDAG.
To review the original question and provide a clear answer:
Q: Should all SmartCare users be allowed to view the Psych/Medical Note, considering that it contains information that is not behind CDAG protections?
A: Any data in the Psych/Medical Note will only include data that may be shared. The data in the Psych/Medical Note is considered treatment data associated with the note’s program. Since CDAG uses program to protect treatment records, any viewing of a Psych/Medical Note is no different than the viewing of any other treatment record for that program.
Consent to View Medication History
ePrescribing software generally requires a provider to document that a client has given consent for the provider to view the client’s medication history. Since all data within the eRx system can be considered as authorized for disclosure and redisclosure, there shouldn’t be a need to document this consent separately. To address this eRx-specific requirement, CalMHSA is adding a short paragraph in the Consent to Treat that covers this item.
Updated 1/2/25