Manchin, Capito, Merkley, Klobuchar, Collins Recommend Bipartisan Improvements to Legacy Act Proposed Rule

Washington, DC – Today, U.S. Senators Joe Manchin (D-WV), Shelley Moore Capito (R-WV), Jeff Merkley (D-OR), Amy Klobuchar (D-MN) and Susan Collins (R-ME) provided U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra with recommended bipartisan improvements on implementing the HHS proposed rule on the “Confidentiality of Substance Use Disorder (SUD) Patient Records.” The proposed rule is aimed at enacting the Protecting Jessica Grubb’s Legacy Act (Legacy Act), which was signed into law in March of 2020 and will change existing privacy regulations surrounding medical records for those struggling with substance use disorder to ensure medical providers do not accidentally give opioids to individuals in recovery.

 

“Since the passage of the Legacy Act, the COVID-19 pandemic has continued to exacerbate the substance use crisis in the United States. According to recently published data, drug overdose deaths reached record levels in 2021; totaling nearly 107,000 people,” the Senators said in part. “The Legacy Act was enacted to reduce the burdens associated with accessing treatment, and better align the rule governing privacy records for patients with substance use disorder… Now, more than two years since the passage of the Legacy Act, it is important that we finalize this rule. This will allow us to improve care coordination, while protecting patient privacy, in order to ensure we are addressing the drug epidemic to our fullest potential.”

 

In November of 2022, HHS announced proposed changes to the Confidentiality of SUD Patient Records under 42 CFR part 2 (“Part 2”), which protects patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures. This Notice of Proposed Rulemaking (NPRM) would implement provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that require HHS to bring Part 2 into greater alignment with certain aspects of Health Insurance Portability and Accountability Act of 1996 (HIPAA). Today’s letter recommends improvements to those proposed changes to ensure HHS is fully implementing the Legacy Act as Congressionally intended.

 

“While we are pleased to see alignment with HIPAA on issues such as the definition of business associate, covered entity, breach and health care operations, we have concerns regarding ensuring there is clarity to reduce administrative burden and prevent unnecessary data segmentation,” the Senators continued. “We hope that with some additional clarity, we will be able to meet the goals of reducing administrative burdens and ensuring certain providers will be able to share information confidently.

 

The Legacy Act is named after Jessica Grubbs, a West Virginian who died from substance use disorder after a medical provider prescribed her opioid pills following a surgery. After battling substance use disorder for seven years, Jessie was sober and focused on making a life for herself in Michigan. She was training to run in a marathon and had to undergo surgery for a running related injury. Her parents told her doctors and hospital personnel that she was recovering from substance use disorder; however, after Jessie’s surgery, the discharging doctor, who said he didn’t know she was recovering from substance use disorder, sent her home with a prescription for 50 oxycodone pills. The goal of the legislation is to save lives by ensuring that medical providers do not unknowingly give opioids to individuals in recovery, like in the case of Jessie.

 

Dear Secretary Becerra,

 

We appreciate the opportunity to comment on the U.S. Department of Health and Human Services’ (HHS) proposed rule on the “Confidentiality of Substance Use Disorder (SUD) Patient Records” through the Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA). We understand the proposed rule is aimed at implementing the Protecting Jessica Grubb’s Legacy Act (Legacy Act), which became federal law after it was included in the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (PL 116-136). As the sponsors and cosponsors of this law, we are pleased the proposed rule strives to reduce burdens to accessing care and enable more interoperability to share privacy records with the ultimate goal of reducing substance use disorder-related deaths.

 

Since the passage of the Legacy Act, the COVID-19 pandemic has continued to exacerbate the substance use crisis in the United States. According to recently published data, drug overdose deaths reached record levels in 2021; totaling nearly 107,000 people and reversing the progress that was made as recently as 2019. As you know, the Legacy Act was enacted to reduce the burdens associated with accessing treatment, and better align the rule governing privacy records for patients with substance use disorder, known as 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act (HIPAA). Now, more than two years since the passage of the Legacy Act, it is important that we finalize this rule. This will allow us to improve care coordination, while protecting patient privacy, in order to ensure we are addressing the drug epidemic to our fullest potential.

 

While we are pleased to see alignment with HIPAA on issues such as the definition of business associate, covered entity, breach and health care operations, we have concerns regarding ensuring there is clarity to reduce administrative burden and prevent unnecessary data segmentation. Please see our specific comments below.

 

In our September 23, 2022 letter to the Office of Management and Budget Director Shalanda Young, we requested that this rule should “Specify that once Part 2 data is transmitted or retransmitted with patient consent, there is no requirement to segregate a patient’s Part 2 data from the rest of a HIPAA database.” This proposed rule does not clearly eliminate the need to segment Part 2 data from HIPAA. The Legacy Act required a one-time initial written consent from the patient for information to be shared for purposes of treatment, payment, and health care operations (TPO).

 

The Notice of Proposed Rule Making (NPRM) states that “expanded ability to use and disclose Part 2 records would facilitate greater integration of SUD treatment information with other protected health information (PHI).” However, it is unclear how the proposed rule will help integrate Part 2 data with other systems and enable subsequent treatment providers access. It is important that once Part 2 data consent is received and transmitted to a covered entity or business associate, that there be no additional requirements for the data to be retained in a separate database.

To ensure patient privacy protections, the Legacy Act required both a one-time initial written consent, and the ability for patients to revoke that consent. In our September 23, 2022 letter we clarified that this revocation must be in effect “only from the point of revocation going forward.”  We appreciate that the NPRM notes specially that revocation would be applied only from the point of revocation going forward. However, we would ask that HHS include intermediaries to be included in the list of entities where revocation of consent only affects additional disclosure. We believe this change would further clarify the intent of revocation. We also encourage HHS, OCR, and SAMHSA to offer subsequent guidance on the best way to flag a revocation within electronic health records that can help make this more seamless.

The NPRM proposes a definition for intermediary as “a person who has received records under a designation of general written patient consent to be disclosed to one or more of its member participants with a treating provider relationship with the patient.”  This definition could include health information exchanges (HIEs), and researchers. The proposed rule also suggests distinct and separate limits on redisclosures based on prior consent for intermediaries. In our September 23, 2022 letter we specifically requested that the NPRM “include specific language directing covered entities and business associates to disclose and redisclose data in accordance with HIPAA.” We are concerned that providing a definition of intermediary may cause confusion on disclosure and redisclosure as it relates to a business association or an intermediary. Therefore, we suggest either not specifying “intermediaries” under your definition, or clarifying that an “intermediary” is an individual or entity, not otherwise covered by the definition of “business associate.”

The NPRM states that the compliance date of the regulations would be 22 months after the effective date and 24 months after publication. While we understand that implementation of this rule will require impacted stakeholders adequate time to become familiar with these new changes, we would recommend robust technical assistance (TA) to help entities implement the rule sooner rather than later. Several stakeholders have noted as short a timeline as 10 months after the effective date. However, we understand the concerns with ensuring full compliance and implementing this NPRM.

Therefore, we encourage you to undertake technical assistance which could include, but is not limited to collaborations to create multiple learning modalities, including webinars, written sub-regulatory guidance, sample wording, and public awareness campaigns. We also encourage the tracking, monitoring, and sharing of lessons learned and best practices through implementing these Part 2 rule modifications so that all entities can continue to learn how to carry out these provisions best and enhance treatment delivery.