FAQ: How can health centers comply with both 42 CFR Part 2 and the Information Blocking Rule?
July 2023
What are the HIPAA guidelines related to PHI and PII?
What is 42 CFR Part 2?
What is the Information Blocking Rule?
How can my health center comply with both 42 CFR Part 2 and the Information Blocking Rule?
How can my health center safeguard EHI on the patient portal following 42 CFR Part 2?
How can I find out if 42 CFR Part 2 applies to my health center?
Where can I find sample Information Blocking policies, procedures, and templates?
What are the HIPAA guidelines related to PHI and PII?
According to the Health Insurance Portability and Accountability Act (HIPAA) guidelines (Summary of the HIPAA Privacy Rule|HHS.gov), Protected Health Information (PHI), is personal information regarding a patient’s health. A patient has the right to determine if information regarding their health can be shared. Patient consent is required before Personal Identifiable Information (PII) about their medical information can be disclosed to anyone, including family members, other healthcare providers, and law enforcement agencies. Exceptions to this requirement are limited and must comply with strict standards, such as in response to a court order.
What is 42 CFR Part 2?
42 CFR refers to the Code of Federal Regulations Title 42, which contains regulations related to public health. 42 CFR Part 2: Confidentiality of Substance Use Disorder Patient Records (Substance Abuse Confidentiality Regulations|SAMHSA) establishes strict confidentiality requirements for disclosure of information associated with treatment for substance use disorders (SUD). It applies to all federally assisted programs that provide diagnosis, treatment, or referral for SUDs, including mental health programs that also provide SUD treatment. Specifically, regulations defined in 42 CFR Part 2 provide protection for patients receiving treatment for SUD. Provisions in the regulation prohibit disclosure of any information that would identify a person as receiving treatment for an SUD, unless that person provides written consent. Part 2 specifies a set of requirements for consent forms, and associated penalties for failing to implement them. View more resources on Substance Use Regulations here.
What is the Information Blocking Rule?
The 21st Century Cures Act, signed into law in 2016, includes provisions related to health information technology (health IT) and electronic health records (EHRs). Part of this law, known as the Information Blocking Rule, requires healthcare providers to offer patients timely and easy access to their electronic health information through a patient portal or other electronic means. The Cures Act defines information blocking as business, technical, and organizational practices that prevent or materially discourage access, exchange, or use of electronic health information (EHI) or any practice that could interfere with access, exchange, or use of EHI while not violating any existing regulations.1 The Information Blocking Rule applies to all healthcare providers, including behavioral health providers, and is enforced by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS). This rule applies to any entity or individual that meets the definitions outlined in 45 CFR 171.102 for “health IT developer of certified health IT,” “health care provider,” or a part of a “health information network or health information exchange.”
Many healthcare providers, including health centers, are concerned about reconciling the need to protect patient privacy under HIPAA and 42 CFR Part 2 while avoiding interference with electronic health information sharing and violating Information Blocking regulations.
How can my health center comply with both 42 CFR Part 2 and the Information Blocking Rule?
Sharing behavioral health information can be complex and requires compliance with various regulations, including the 42 CFR Part 2 additional protections for SUD information. The HITEQ center provides guidance and resources to health centers to navigate regulations and ensure compliance while sharing information. For more information, refer to Sharing Behavioral Health Data over a Health Information Exchange and Behavioral Health Consent Guidelines.
To ensure compliance, providers must:
- Understand the definition of information blocking and ensure their policies and procedures comply with the law.
- Implement appropriate technical and organizational safeguards to protect EHI (from unauthorized access, use, or disclosure.
- Develop clear policies and procedures that outline how EHI will be shared and accessed, including under what circumstances sharing is required or permitted by law.
- Provide training and education to their staff on information blocking and how to comply with the law.
- Obtain patient consents before sharing patient information.
- Establish the necessary Qualified Service Organization Agreement (QSOA) or Business Associate Agreements (BAA) with any participating Health information Exchange (HIE).
- Ensure to only share necessary treatment information permitted by law with the appropriate patient consents and authorizations. Some best practices include:
- Encryption of messaging and exchange platforms.
- Establishing and maintaining user access roles and responsibilities for accessing or transmitting EHI.
- Implementing relevant business agreements for patient and clinical data sharing.
- Clearly communicating with patients and staff that withholding information not permitted by law (e.g., 42 CFR Part 2) is NOT a violation of information blocking.
How can my health center safeguard EHI on the patient portal following 42 CFR Part 2?
The Information Blocking Rule aims to improve patient access to their health data and promote interoperability between healthcare providers. It requires healthcare providers to provide patients with a timely and accessible means to their EHI through a patient portal or other electronic means. Providers must offer patients the ability to access, view, and download their EHI, and to transmit it to a third party of their choice, such as another healthcare provider or a mobile application.
In order to safeguard EHI on the patient portal, providers must obtain written consent and inform the patient of the nature and extent of the information to be disclosed, the specific purpose of the disclosure, and the identity of the person or entity to whom the disclosure will be made.
How can I find out if 42 CFR Part 2 applies to my health center?
To find out if 42 CFR Part 2 applies to your health center, follow the Decision Tree from the Legal Action Center.
Where can I find sample Information Blocking policies, procedures, and templates?
Visit the HITEQ Center: Sample Information Blocking policies, procedures, and templates
The HITEQ Center is a HRSA-funded National Training and Technical Assistance Partner operated by JSI Research & Training, Inc. and Westat.This project is supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) as part of awards totaling $693,000 with 0% financed with non-governmental sources. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement, by HRSA, HHS, or the U.S. Government. For more information, please visit HRSA.gov.
References
1 “What is Information Blocking?,” American Medical Association, 2021, https://www.ama-assn.org/system/files/2021-01/information-blocking-part-1.pdf.
6412