Sarah C. (fictional name) has battled an addiction to opioids for almost five years. She was prescribed medication for severe pain after back surgery, and due to complications the back pain continued and even increased in severity for several months. The pain abated after a second surgery, but by then Sarah had developed an addiction to the pain med. She sought treatment at a county-operated addiction treatment facility, making good progress. Sarah also had several co-occurring disorders – asthma, diabetes and a heart dysrhythmia – for which she sought treatment intermittently from a local urgent care center operated by a regional hospital system.

Sarah and her children relocated to another state to be closer to relatives, where she hoped to continue her addiction treatment and get ongoing treatment for her chronic illnesses. She sought care from an integrated care provider, which was part of an Accountable Care Organization (ACO). During her evaluation visit to the new provider, she was asked to sign a consent form authorizing the transfer of her medical records. But when she mentioned that she would also like to continue her substance use disorder (SUD) treatment, the care coordinator told her that would involve a complicated, time-consuming process and that it would be in Sarah’s best interest to seek SUD treatment elsewhere. Unhappy and confused, Sarah left the facility to search anew, but she delayed her efforts and relapsed into the opioid addiction. Her asthma also worsened, and she was eventually hospitalized for several weeks, and is still recovering.

This was a fictional story, but the “complicated process” mentioned was first established decades ago with well-intentioned federal privacy regulations designed to protect the medical records of persons with a history of addiction treatment from being shared without their consent.

The Substance Abuse and Mental Health Services Administration (SAMHSA) published a Final Rule in an effort to update these regulations (commonly referred to as 42 CFR Part 2). Netsmart was heavily engaged in this process, including submitting comments to the initial SAMHSA public “listening session,” in-person meetings with SAMHSA and the Office of Management and Budget (OMB), and filing comments during the public comment period for the Notice of Proposed Rulemaking.

Our most recent comment filing was in connection with the Supplemental Notice of Proposed Rulemaking (SNPRM) published by SAMHSA along with the Final Rule.

Two key points we made in that filing were to:

  • Support a proposed abbreviated notice related to access to Part 2 information by health care providers. The current lengthy notice will cause confusion for providers receiving health information, even with the patient’s consent — and discourage the flow of critical health information otherwise allowed under the Final Rule.
  • Encourage SAMHSA to revisit the re-disclosure prohibition related to treatment. The proposed regulatory revision allows the patient’s SUD treatment information to be re-disclosed by payors, health plans, and other entities for health care operations or payment purposes, but not disclosed by a physician or health care provider that received the information for treatment purposes. Health care providers are almost universally considered “covered entities” under HIPAA, and there is a long-established mechanism under the HIPAA Privacy Rule that addresses not only payment and health care operations, but also treatment, including the recipients’ ability to disclose protected health information for those purposes. This enables providers to diagnose and treat based on full information about the patient, including a complete medical history.

Why is Netsmart involved in this effort? Because we believe that enabling persons to share information with their treating providers with appropriate but updated privacy safeguards is key to successful treatment and recovery. Simplified disclosure rules will also help improve the quality and breadth of SUD treatment, especially in integrated care settings like ACOs, Medicare Health Homes and Health Information Exchanges. It can also mitigate the negative impact of co-occurring conditions, significantly enhance patient safety and reduce the stigma associated with SUD.

Does it make a difference? Yes. For example, SAMHSA agreed with Netsmart’s position and chose not to adopt more stringent “From Whom” provisions in the Final Rule. Put simply, this allows for disclosure to and among the participants in an intermediary, such as an HIE, ACO, Health Home or other care coordination entity. Retaining the existing “From Whom” regulations allows for multi-party bi-directional consent to facilitate the exchange of a patient’s information among multiple treating providers. It also allows for re-disclosure between and among treating providers in a care coordination entity.

To achieve true coordinated, “whole-person” care, the ultimate goal of consent should be that any person – whether suffering from mental illness, diabetes, a SUD or multiple co-occurring conditions – be able to share his or her health data with their healthcare providers, utilizing today’s technology, with equal simplicity, regardless of their diagnosis, if they so desire. If someone does not wish to do so, they should have the clear option to either opt-out or choose not to opt-in to sharing that information.

We’ll continue to engage on this issue on behalf of our clients…and theirs…both in the regulatory arena and for statutory changes by Congress.

Provider perspectives and conversations with your legislators can make a difference. Visit for more information. To lend your voice to our key policy advocacy efforts, contact Dave Kishler, Director, Industry Relations at