SAMHSA Final Rule on Confidentiality for Patients in Treatment for Substance Use Disorders

Q: I’m a dentist in private practice. I received information about an individual from a substance use disorder (“SUD”) treatment facility along with a notice that says re-disclosure of any information that would identify the patient as having an SUD is prohibited unless the individual authorizes the re-disclosure. Is this a new requirement? What are my obligations concerning this information?

A: A final rule1 went into effect Feb. 17, 2017 that changes the confidentiality requirements for “Patient Identifying Information,” which is information that meets both of the following criteria:

  1. The information was disclosed by a SUD treatment facilities that is a “Part 2 Program,” and
  2. The information would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a SUD (i.e., through a name, address, social security number, fingerprints, photographs, or similar information by which the patient’s identity can be determined with reasonable accuracy).

The final rule imposes obligations on both Part 2 Programs and on “other lawful holders” of Patient Identifying Information, including dentists who receive Patient Identifying Information from a Part 2 Program. Violations can result in fines.

Note that Patient Identifying Information does not encompass all information that identifies, or could be used to identify, the patient — just information that meets both criteria above. A dentist’s use or disclosure of information about the patient that does not meet these two criteria would be protected by other applicable law, such as HIPAA and state law.

Here is some information intended to help dentists comply with the final rule:

  1. Notice Prohibiting Re-disclosure

    In general, the final rule requires that each disclosure of Patient Identifying Information by a Part 2 Program be:

    1. Made with the patient’s written consent, and
    2. Accompanied by a written statement prohibiting re-disclosure..

    A dentist may only re-disclose the Patient Identifying Information received from a Part 2 Program if permitted by:

    • the final rule
    • other applicable law (e.g., HIPAA and state law), and
    • the patient’s consent form.

    In addition, the dentist must include the notice prohibiting further re-disclosure whenever re-disclosing the Patient Identifying Information.

  1. Data Security

    A dentist who receives Patient Identifying Information from a Part 2 Program must have specific formal policies and procedures addressing security for such information in paper and electronic records.

  2. Consent Form

    With very limited exceptions (e.g., for medical emergencies and certain audits and research), a Part 2 Program must obtain a patient’s written consent before disclosing Patient Identifying Information. The consent form must specify, for example:

    • To whom the information may be disclosed
    • The information that may be disclosed
    • Any expiration date

    When dentists request Patient Identifying Information from a Part 2 Program — and, if possible, when receiving Patient Identifying Information from such a Program — it would be prudent for the dentist to require the Part 2 Program to obtain a consent form that specifically names the dentist in the “To whom” field, along with any other individuals or entities to which the dentist must re-disclose the information (e.g., dental plan, specialist). Otherwise, the Part 2 Program might release the Patient Information pursuant to a “general” consent form, which does not specifically identify the recipient(s) (e.g., “to my treating providers”). When Part 2 Programs release Patient Identifying Information pursuant to a general consent form, the patient has the right to obtain a list of entities to whom their Patient Identifying Information has been disclosed in the prior two years. The list must be provided within 30 days of the request, and must include the disclosure date and a brief description of the information disclosed. A dentist who obtains Patient Identifying Information under a general consent should be prepared to provide such a list upon request. Unlike the HIPAA “accounting of disclosures,” all disclosures must be listed, including disclosures for treatment, payment, and health care operations.

  3. HIPAA and State Law

    Although HIPAA does not require a dentist to obtain authorization before disclosing patient information for certain purposes, such as treatment, payment, or healthcare operations, the final rule prohibits re-disclosure of Patient Identifying Information for any purpose unless the patient has signed a consent form containing certain required information. Thus, before re-disclosing Patient Identifying Information received from a Part 2 Program (e.g., to a dental plan or to a specialist), make sure the patient has signed a consent form that would permit the intended re-disclosure. If necessary, contact the Part 2 Program or the patient for any necessary additional consent.

    Applicable laws such as HIPAA and state medical confidentiality laws still apply to Patient Identifying Information, although the final rule imposes requirements that may be more stringent than HIPAA. Before re-disclosing Patient Identifying Information, make sure the re-disclosure is permissible under the final rule, the consent form, and under other applicable laws, such as HIPAA and state law.

    For example, the final rule may be more stringent than HIPAA on disclosures in the context of legal proceedings or criminal investigations. A dentist who receives a request involving the disclosure of Patient Identifying Information from a Part 2 Program would be prudent to promptly seek the advice of experienced legal counsel before responding.

    A dentist’s HIPAA policies and procedures are not, by themselves, likely to be sufficient when dealing with Patient Identifying Information. See, for example, the notice that must accompany re-disclosure of Patient Identifying Information, and the security safeguards required by the final rule.

  4. Disclosures for Audit and Evaluation or for Research

    The final rule does not require patient consent for disclosing Patient Identifying Information to an individual for purposes of certain audits and evaluations (such as Medicaid or CHIP audits) as long as the individual agrees to comply with specific limitations on re-disclosure. The final rule also provides for disclosures for certain research purposes without patient consent. A dentist would be prudent to see the advice of experienced legal counsel before disclosing Patient Identifying Information received from a Part 2 Program for such purposes.

  5. Screening, Brief Intervention and Referral to Treatment (SBIRT)

    Providing SBIRT would not, by itself, make a dental practice a Part 2 Program, even if the practice receives federal funding. For more information on SBIRT, see SAMHSA, SBIRT: Screening, Brief Intervention, and Referral to Treatment, and Denisco et al., Prevention of prescription opioid abuse, JADA, July 2011.


1Substance Abuse and Mental Health Services Administration (“SAMHSA”), Confidentiality of Substance Use Disorder Patient Records, published Jan. 18, 2017, effective Feb. 17, 2017. For more information, see SAMHSA, Substance Abuse Confidentiality Regulations

2“Part 2 Programs” are certain individuals and entities that provide SUD treatment, hold themselves out as providing SUD treatment, and receive federal assistance.