In a prior post, I mentioned that fraud, waste, and abuse enforcement is likely to uptick and that vendors should get ready to be responsive to subpoenas and warrants for data exports of their customers’ records, particularly in response to billing fraud. Since then, Attorney General Pam Bondi has continued to drive home the point that they are coming after fraud; however, in the context of substance abuse records, vendors need to be wary of producing too quickly. In that case, 42 CFR Part 2, or just Part 2, may apply depending on the provider and their revenue stream. Then, heightened process requirements apply, and the investigation agency needs to seek a judicial order that complies with specific requirements.
Part 2 imposes a host of heightened privacy restrictions on the disclosure of PHI relating to substance abuse. In the context of a subpoena, vendors usually have to worry about ensuring law enforcement has provided them with proper process prior to responding to that subpoena. The level of sophistication with this area of privacy law varies tremendously just within the Department of Justice, much less state entities – both of whom are subject to its restrictions. Almost always they come armed with a subpoena, but no order.
In that case, you will want to do a few things. First, confirm you are actually dealing with a customer who is in a “Part 2 program.” That means they need to take federal support for substance abuse disorders. Treatment centers or methadone clinics that receive federal grants are prime examples. Under some theories, this may extend to simply obtaining a relevant federal certification, and some theories would even extend that to cover anybody who merely takes Medicaid or Medicare. Here, look at 1) what conditions the customer treats, and 2) its revenue streams visa-vi its claims data.
Next, to be covered by Part 2, the provider has to hold themselves out as offering substance abuse services. So, go and look at their website. Hire somebody to walk into their business and grab their marketing collateral for review. Check their social media accounts. See if they advertise services for addicts, and if they do, they are probably covered. In addition, if your research shows they are probably not covered by Part 2 and you think production is likely safe, still seek a written statement from law enforcement that they are not a Part 2 program prior to offering any data. This matters because in addition to civil penalties, a violation of Part 2 can also carry criminal fines.
If the customer is covered, what comes next depends on your counterpart at the Department of Justice, Office of Inspector General, or the relevant state agency. You will need to impress on them the applicability of the statute to the data they are asking for, both verbally (first) and in writing (to cover yourself). You will then reach a fork in the road. The agency will either: (1) stare at you blankly and plead ignorance, (2) acknowledge the point and come back with a conforming order, or 3) fight you.
In the case of (2), great – you’re almost done. In the case of (1), give them a template Part 2 order for fraud, which is what they are usually investigating. My next post will be a copy of the template I use. They are almost always receptive to that, and will generally constructively engage the vendor when that sort of assistance is on the table. I have only encountered (3) on two occasions in my career. In the first instance, we got by through offering a redacted and limited production. This contained 99% of all the data in the overall set, and yet, law enforcement agency still howled about how they were entitled to all of it. We stood our ground and told them to seek a motion to compel. They went away. In the second case, I had to go far as retaining local counsel to prepare a motion to quash. When the motion to quash was threatened by a local trial attorney, the agency relented and produced the order. The federal government is any healthcare company’s biggest customer. Partnering with law enforcement is important for your company’s risk profile, and there is no single customer or account that is worth their concentrated ire. However, privacy law and patients still come first.
Image by https://unsplash.com/@halacious
eHealth Law Blog 