Since publishing this post, I’ve updated my understanding of the regulations. It’s important that you read the follow-up post.
In the case of the missing substance use data, CMS has fingered a culprit. It’s those pesky regulations: specifically, regulations in Part 2 of Volume 42 of the Code of Federal Regulations. The Substance Abuse and Mental Health Services Administration (SAMHSA), a separate agency within HHS that issued the rules and oversees compliance with them, has apparently told CMS that those rules require the agency to scrub its patient-identified Medicare and Medicaid claims data of substance use claims.
I’m here to exonerate the rules. They do not say what SAMHSA thinks they say. In fact, they say the opposite.
Where? In 42 C.F.R. §2.52, which says that “[p]atient identifying information may be disclosed for the purpose of conducting scientific research.” And yes, the regulations define “patient identifying information” to include “the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed.”
For obvious reasons, the rules set stringent conditions on that disclosure. First and foremost, the researchers can’t disclose the information (except to CMS itself). And not just anyone can get the data; there must be a clear and articulated need and the benefits of the proposed research must outweigh any potential harms. In addition, the researchers must adopt a research protocol requiring them to adhere to various security requirements and certify that an outside panel of researchers has vetted that protocol. CMS also has the latitude to refuse to disclose patient identified data where it lacks confidence in the researchers who have requested it.
But SAMHSA is dead wrong to say that its rules categorically prohibit the disclosure of patient-identified information. To the contrary, the agency’s rules have allowed for the disclosure of such information since 1976, when they were first adopted. At the time, the agency openly wrestled with the privacy implications of its rules and concluded that it was important, even necessary, to permit disclosure of patient identifying information. I quote only in part:
While th[e] possibility of harm could be reduced by requiring consent to every review of clinical records for research purposes, a similar result can be achieved by the less restrictive method of limiting further disclosure of identifying information by the researcher. Given the applicability of this alternative, equally effective means for protecting a patient or subject from the possibility of a harmful public disclosure, it is unreasonable to insist upon informed consent to every review of clinical records for the purposes of conducting legitimate research, particularly since such insistence could lead to the ultimate absurdity of prohibiting efforts to identify the nature and source of an unknown plague simply because the patients or researcher lacked the clairvoyance to have consent forms signed prior to the onset of the affliction. …
[T]he authorizing legislation expressly provides that patient consent is not required with respect to disclosures for research, audit, and evaluation, nor does it prohibit individual patient identification in connection with such disclosures. While it is entirely appropriate to impose safeguards and procedures in connection with these activities, it would be wholly inappropriate to use the rulemaking process to impose an absolute requirement of patient consent with respect to activities which by statute may be conducted without it. [40 Fed. Reg. 20536-37 ).
How could SAMHSA misread its own rules so badly? It happens on occasion in big, unwieldy bureaucracies. Someone forms a misimpression of what a rule requires, and over time other people at the agency come to believe in that misimpression. Soon, agency officials start saying that the misimpression is the rule—even when the rule says the opposite.
But that’s not the way government is supposed to work. Rules mean what they say, not what the agency mistakenly believes they say. And if SAMHSA wants to change its rules, the Administrative Procedure Act (APA) requires the agency to amend them through another round of notice and comment. That way, the agency can get input on whether the rule change strikes the right balance between privacy and research. Here, however, SAMHSA has thrown its regulations into the wastebasket without so much as giving the public a chance to object.
Whatever the government chooses to do, SAMHSA should stop saying that its rules require it to omit patient identifying information from Medicare and Medicaid claims relating to substance use. They don’t.
* An earlier version of this post said that CMS had misinterpreted its own rules. A CMS spokesperson corrected me: these are SAMHSA’s rules. CMS is apparently adhering to SAMHSA’s interpretation of those rules.