Skip to Content
Health Information and Data SharingSubstance Use Prevention and Harm Reduction

Public Health Agencies and What Woulda-Coulda-Mighta Helped Them Access SUD Records

May 30, 2023


Public health agencies often find access to substance use disorder (SUD) data records especially challenging. Through the CARES Act, Congress harmonizes certain provisions of HIPAA and 42 CFR Part 2 — both of which govern disclosure of SUD records — and require that HHS continue these efforts through rulemaking.

A complex legal landscape governs data collection and sharing, including for public health purposes. This is because: (1) data sharing is governed by multiple laws that may be at federal, tribal, state, and local levels; (2) applicable laws depend on type of data, from whom it is being requested, and how it is being used; and (3) multiple laws may apply to each type or source of data, and these laws differ in permissible and prohibited disclosures and data sharing conditions and limitations.

Public health agencies find access to substance use disorder (SUD) records especially challenging. Disclosure of SUD records is usually governed by both the HIPAA Privacy Rule and enhanced and stringent privacy protections established by 42 U.S.C. 290dd-2, as amended by the CARES Act, and implemented by 42 CFR Part 2 (Part 2). Part 2 applies to any federally-assisted substance use disorder program (“Part 2 program”). Examples are treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, and private practitioners that hold themselves out as providing substance use disorder diagnosis, treatment, or referral for treatment. A general medical facility (such as an emergency department or community health center) is usually not a Part 2 program, although a general medical facility might include an identified unit or specific personnel that are an SUD program.

The HIPAA Privacy Rule recognizes and continues public health’s historic role in conducting public health surveillance, investigation, and intervention by permitting health care providers and other HIPAA-covered entities to disclose data without an individual’s consent, including identifiable data, to a public health agency that is authorized to collect such information for public health purposes. However, Part 2 does not permit such disclosures. Generally, Part 2 programs would need a patient’s consent to disclose substance use disorder data that identifies a patient to a public health agency, including identifying information that is relevant to a public health emergency or is mandated by a public health reporting law.

In Section 3221 of the CARES Act, Congress harmonizes certain provisions of HIPAA and Part 2 and requires that the U.S. Department of Health and Human Services (HHS) continue these efforts through rulemaking. On November 28, 2022, HHS issued a Notice of Proposed Rulemaking that would make many changes to Part 2, including changes related to consent and data disclosure and re-disclosure.

It appears that Part 2 might have (prior to CARES’ amendment) permitted providers to disclose SUD data to public health agencies if “patient identifying information” is removed. In this regard, a Part 2 program is prohibited from disclosing information that would identify a patient as having or having had an SUD, either directly, by reference to publicly available information, or through verification of such identification by another person. “Patient identifying information” is defined as “the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information.” In contrast, HIPAA’s restrictions on disclosure do not apply to “de-identified information,” which is information that satisfies either HIPAA’s safe harbor or expert determination methods for de-identification.

The CARES Act eliminated any question about whether de-identified SUD records could be disclosed to public health, explicitly permitting such disclosures. Additionally, CARES harmonized disclosure under Part 2 and HIPAA by specifically adopting HIPAA’s provisions regarding de-identification, permitting disclosure of SUD information to public health that meets HIPAA’s safe harbor or expert determination standards.

Disappointedly, the CARES Act amendment and changes to Part 2 do not include “limited data sets.” Under HIPAA, in addition to disclosure of identifiable health information for public health purposes, the Privacy Rule permits disclosure of a limited data set for public health purposes. A limited dataset includes geographic, demographic, and temporal (date) data elements that help with identifying trends, measuring health disparities, and evaluating interventions in specific populations and during specific time periods. While these details do not directly identify an individual, they can increase the risk of identification, especially for small geographic areas, small or disaggregated populations, or populations identified with multiple or unique characteristics. Recognizing the increased risk and benefits, HIPAA requires that providers and recipients of limited data sets sign a limited data set agreement that restricts use and disclosure and requires data safeguards.  

In short, the proposed changes to the Part 2 Rule would do little to expand a health department’s access to SUD information to carry out public health surveillance, investigation, and intervention, but would at least align the de-identification standards under HIPAA and Part 2. By not extending the Part 2 Rule to allow some HIPAA identifiers, or at least limited data sets, to be available for public health purposes, the government agencies proposing these changes to the Part 2 Rule have missed an important opportunity to facilitate data sharing for the good of the public’s health. 

You can read the related Network publication for a detailed review of the significant proposed changes to the Part 2 Rule here.

This post was written by Chris Alibrandi, J.D., Deputy Director and Denise Chrysler, J.D., Mid-States Region Office, Network for Public Health Law.

The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.

Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.