The number of people living with substance use disorder (SUD) (including opioids) is large, widespread, and serious cause for concern. Many researchers and organizations are looking for ways to understand the scope of the problem and thereby develop interventions. However, sharing of SUD information, including health insurance claims, is governed by different federal rules than other health care data, and is not readily accessible.

Part two of item 42 in the Code of Federal Regulations (CFR) details the rules surrounding the confidentiality of information related to SUDs. Similar to HIPAA, which addresses the release and use of personal health information and allows for use of this data in specific instances, 42 CFR (Part 2) has criteria for the release of SUD information. Compared to HIPAA, however, the circumstances that allow for sharing SUD data are very narrow.

CFR Part 2 is designed to protect patients from the stigma associated with living with a SUD. Simply put, programs who treat SUD and who are federally funded, are not allowed to share any information SUD diagnosis or treatment without the patient’s written consent– except in very specific instances.

A “program” is defined as an “individual, entity (other than a general medical facility), or an identified unit in a general medical facility, that “holds itself out” as providing and provides diagnosis, treatment, or referral for treatment for a SUD. Medical personnel or other staff in a general medical facility who are identified as providers whose primary function is to provide diagnosis, treatment, or referral for treatment for a SUD are also Programs. “Holds itself out” means any activity that would lead one to reasonably conclude that the individual or entity provides substance use disorder diagnosis, treatment, or referral for treatment.

The circumstances in which a program can release patient SUD information protect the safety of the patient and those around them:

  • They can share the information with medical personnel in the event of a medical emergency involving the patient.
  • Law enforcement can be apprised of a patient’s SUD if there is an immediate threat to the health and safety of the patient or to the staff of a treatment program.
  • There is an immediate threat to the health and safety of the patient or an individual if the information is not disclosed.
  • If there are reports of child abuse or neglect involving the patient.
  • Court-ordered release of information.

Submitting claims to the Colorado All Payer Claims Database (CO APCD) does not meet the above criteria for release, and as a result, CIVHC does not request payers to submit data that is subject to Part 2. However, the criteria for submitting substance use data was updated with the passing of the CARES Act in early 2020. As of this post, CIVHC has not yet provided guidance to payers regarding submitting claims based on the changes in the CARES Act. As we learn more about the new regulations, we will inform payers when and how these claims should be submitted and update this post regarding the new guidelines.

The criteria limiting the release of SUD information impacts the number of claims that get submitted to the CO APCD. SUD claims provided through programs and facilities not federally funded can be submitted, resulting in a limited number of SUD claims in the database. As of March 2020, there were nearly two million SUD claims in the CO APCD, representing approximately 5% of all behavioral health-related claims in the database. Through the CO APCD data release process, organizations and researchers may access SUD information as long as there is a direct benefit to Colorado and the data delivered and the way it is used follows all federal privacy laws. If you have a specific project that might benefit from the use of SUD claims, please contact to discuss how CIVHC can support your work.