New SAMHSA Requirements May Necessitate Changes to Business Associate Agreements

Back to Posts

New SAMHSA Requirements May Necessitate Changes to Business Associate Agreements

February 26, 2020

Employers that sponsor group health plans subject to HIPAA privacy and security requirements may need to review and update their business associate agreements (BAAs) as the result of changes to federal regulations governing the confidentiality of substance use disorder patient records. Specifically, if an employer-sponsored group health plan receives certain types of substance use disorder patient records and discloses these records to a vendor for purpose of payment or healthcare operations, the relevant BAA will need to contain language requiring the business associate to comply with these regulations.


42 C.F.R. Part 2 (“Part 2”) addresses the protection of substance use disorder patient records, which are records held by substance use disorder treatment programs that receive federal financial assistance (e.g., from Medicare or Medicaid). The Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued final regulations concerning the confidentiality of these records. The regulations provide that when a patient consents to a disclosure of their substance use disorder records for payment or healthcare operations, a treatment program may share them with a “lawful holder,” who may then share them with a third-party vendor or subcontractor. As part of this disclosure, the lawful holder must have specific language incorporated into its contract with the third-party vendor that references Part 2 compliance.


For employers sponsoring group health plans subject to HIPAA, these new requirements may impact the BAAs they have in place with vendors such as third-party administrators (TPAs). Employer group health plans might be considered “lawful holders” if they receive these records from a substance use treatment program that receives federal financial assistance. And if a lawful holder shares these records with a business associate such as a TPA for purposes of payment or healthcare operations, there must be specific language in the BAA that obligates the business associate to comply with the requirements of Part 2 in safeguarding the information.

From a practical standpoint, most TPAs will receive this type of information directly from a treatment program for purposes of payment or healthcare operations. The plan sponsor generally will not act as an intermediary. However, the result is the same, since the TPA is operating on the plan’s behalf.

The regulations do not provide specific contract language that must be included in an agreement, although they do outline specific items that should be addressed, such as requiring the third party to implement safeguards to prevent unauthorized uses and disclosures. Existing BAAs should already address the elements required by Part 2; therefore, we do not think it is necessary for BAAs to be amended to include these specific provisions. Instead, BAAs should be updated to include language that directly references compliance with Part 2 requirements. This may be as simple as adding a sentence in the portion of the BAA that discusses compliance with applicable laws and regulations that specifically provides that the business associate is required to comply with Part 2.  

In addition to the contract requirement, disclosures of patient records under these rules must be accompanied by a statement that 42 CFR Part 2 prohibits unauthorized disclosure of the records. Again, since these disclosures will usually occur directly between the treatment program and the TPA or a health insurance carrier, this notice requirement will generally fall upon the provider, not on the employer-sponsored plan.


Employers sponsoring group health plans should review their BAAs to see whether language addressing Part 2 requirements is already included. If it isn’t, then the plan sponsor should consider amending the BAA to bring it into compliance with these requirements. Although the requirements apply only to plans actually receiving substance use disorder records from a treatment program that receives federal financial assistance, it may be administratively easiest to simply amend all current BAAs to include the required language, and to ensure that this language is incorporated into any BAAs going forward.




While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.