Back to News and Insights

Long-awaited Proposed Updates to Align Federal Protections for Substance Use Records with HIPAA

Insights Default Featured Image

In a notice of Proposed Rulemaking released November 28, 2022, the Office for Civil Rights (OCR) in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA) (both agencies within the U.S. Health & Human Services Department (HHS)), proposed revisions to the federal Confidentiality of Substance Use Disorder (SUD) Patient Records regulations, commonly known as 42 CFR Part 2 (or Part 2), to better align the requirements for such SUD records with those in effect under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  This Proposed Rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) passed by Congress in 2020 that, among other things, required HHS to bring Part 2 into greater alignment with certain aspects of HIPAA’s Privacy, Breach Notification, and Enforcement Rules, improving the ability to use, disclose, and redisclose SUD records, while also creating new breach reporting requirements and penalties.  (Our prior alert on the CARES Act amendments can be accessed here.)

Currently, Part 2[1] imposes more stringent requirements than HIPAA for the disclosure and use of SUD records, which many believe can delay treatment and inhibit coordination of care as well as information-sharing by patients and among health care providers.  In addition, the differences between the two privacy rules often create dual obligations and compliance challenges for health care providers who may receive or disclose information protected by Part 2.  According to HHS, the proposed changes are designed to (i) facilitate greater integration of SUD treatment information within other protected health information; (ii) improve communication and care coordination between patients, providers and payers; (iii) enhance the ability to comprehensively diagnose and treat the whole patient; and (iv) facilitate the exchange of Part 2 records between Part 2 programs.

HHS is encouraging stakeholders to submit comments on the Proposed Rule, which are due by January 31, 2023. 

Below follows key takeaways from the Proposed Rule:[2]

Patient Consent and Redisclosure of Part 2 Records.  HHS proposes to streamline requirements to obtain patient consent to disclose Part 2 records. Under the Proposed Rule, a Part 2 program would be authorized to use and disclose Part 2 records for the purposes of all future treatment, payment or health care operations (TPO) based on a single patient written consent, rather than obtaining consent upon each disclosure (patients would have the right to revoke this consent in writing and such use would not be allowed for civil, criminal, administrative, and legislative proceedings against the patient).  This will allow patients and providers greater flexibility in seeking and providing much needed medical care. Once the written consent is obtained, Part 2 programs, covered entities, and business associates that receive Part 2 records pursuant to a written consent for TPO purposes may redisclose the records in any manner permitted by the HIPAA Privacy Rule, except in legal proceedings without a valid court order or patient consent. Other lawful holders that are not a covered entity, business associate, or Part 2 program could redisclose Part 2 records for payment and health care operations to their contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent, again subject to the limitations regarding uses and disclosures of Part 2 records in legal proceedings.  However, a lawful holder under this provision would not be permitted to redisclose Part 2 records it receives for treatment purposes before obtaining an additional written consent from the patient. The proposed rule would include additional changes to the consent requirement to more closely align with authorization requirements under HIPAA.

New Patient Rights.

  •  Accounting of Disclosures. Under the Proposed Rule, patients will be entitled to an accounting of disclosures for up to six years prior to the date the accounting is requested from Part 2 programs, using a standard that mirrors the HIPAA Privacy Rule. The Proposed Rule would also incorporate the requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act that disclosures for TPO purposes be included in the accounting only where such disclosures are made through an electronic health record, but only for the prior three years. Notably, the compliance date for the Part 2 accounting requirements, however, would be tolled until the effective date of any finalized regulatory modifications by HHS to the accounting of disclosures requirements mandated by the HITECH Act. While the current rules provide patients with the right to request a list of disclosures made by an “intermediary” (e.g. a health information exchange or a care management organization), for up to two years prior, the Proposed Rule would extend the period, as well as align with the new right to an accounting of disclosures for TPO by Part 2 programs.
  • Request Restrictions on Permitted Disclosures. Similar to HIPAA, the Proposed Rule would require Part 2 programs to permit patients to request restrictions on the use or disclosure of Part 2 information to carry out TPO, including when the patient has signed a written consent for such disclosures. Part 2 programs will not be required to agree to these restrictions, except in limited circumstances further discussed in the Proposed Rule. Patients would also have the right to obtain restrictions on disclosures to health plans if the disclosure is for payment or health care operations and not otherwise required by law, and pertains to services for which the patient has paid in full.

Notices of Privacy Practices.  The CARES Act directed HHS to modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Privacy Rule’s requirements regarding covered entities’ Notice of Privacy Practices (NPP), and specify new requirements for covered entities and Part 2 programs with respect to Part 2 records that also constitute protected health information.  Under the Proposed Rule, the Patient Notice would address the same key elements as the HIPAA NPP, including a description of the permitted uses and disclosures of Part 2 records (and when separate consent is required). The Patient Notice would also need to inform patients of the complaint process and the patient’s right to revoke their consent for the Part 2 program to disclose records in certain circumstances.  Of note, certain covered entities that are not Part 2 programs but receive and maintain Part 2 records (and are thus subject to Part 2 requirements for those records), would need to make certain additional modifications to their existing NPP.  Conforming changes are also proposed to the HIPAA Privacy Rule, at 45 CFR § 164.520.

Complaints of Violations. Instead of the current Part 2 rules, which mandate that complaints of Part 2 violations be sent to either the U.S. Attorney for the judicial district in which the violation occurs and/or SAMHSA, the Proposed Rule would require Part 2 programs to establish a process to receive complaints regarding Part 2 violations as well as a prohibition against intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against a patient for filing a complaint or otherwise exercising a right provided for under Part 2. Further, the Proposed Rule would prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services. These requirements are generally similar to those found in the HIPAA Privacy Rule.

Breaches. Under the Proposed Rule, Part 2 violations will be subject to the HITECH Act breach notification provisions currently implemented in the HIPAA Breach Notification Rule. This change would require Part 2 programs to establish and implement policies and procedures to notify HHS, affected patients, and in some cases media outlets, of a breach of unsecured Part 2 records consistent with the HIPAA Breach Notification Rule.  Since the majority of Part 2 programs are also covered entities that will already be familiar with these requirements, these proposed changes are more likely to impact only a small number of Part 2 programs that are not currently used to a proactive breach notification requirement.  However, even for covered entities, this change is notable, since there may be instances where use or disclosure of Part 2 records may not be permissible under Part 2 and potentially trigger breach notification requirements, but would not have triggered breach notification under HIPAA; for example, disclosures of Part 2 records outside of the Part 2 Program for payment purposes, without a written consent.

Enforcement and Penalties. Part 2 only currently provides for criminal penalties for violations of the rules.  The Proposed Rule would extend enforcement mechanisms created and implemented through HIPAA and the HITECH Act to Part 2 violations. Specifically, HHS would have enforcement authority to impose civil monetary penalties and criminal penalties for Part 2 violations pursuant to 42 U.S.C. §§ 1320d-5 and 1320d-6 and the HIPAA Enforcement Rule (45 C.F.R. Part 160, Subparts C, D, and E). The Proposed Rule also adds various provisions regarding the liability of investigative agencies that may receive Part 2 records while investigating or prosecuting a Part 2 program or other person holding Part 2 records. These include a proposed safe harbor for investigative agencies that unknowingly receive Part 2 records without first obtaining a required court order, provided that certain conditions are met (including engaging in “reasonable diligence” in determining whether Part 2 applies before making an investigative demand).  Finally, the Proposed Rule would require disclosures to the Secretary of HHS to investigate or determine a person’s compliance with Part 2.

SUD Counseling Notes. Finally, HHS is considering whether to create a new definition and protections specific to the notes of SUD counseling sessions by a Part 2 program professional, similar to the HIPAA Privacy Rule’s definition and heightened requirements for psychotherapy notes. Such notes would be Part 2 records, but could only be disclosed with a separate written consent that is not combined with any other consent from the patient, including the initial consent for any TPO. HHS is seeking comments on the benefits and burdens of creating such additional privacy protection for SUD counseling notes.

[1] Part 2 is intended to protect records that relate to “the identity, diagnosis, prognosis, or treatment of any patient” maintained by federally-assisted programs that involve SUD education, prevention, training, treatment, rehabilitation, or research. Part 2’s heightened protections for SUD records are aimed at ensuring that individuals do not fear prosecution or stigmatization, and are not deterred from entering SUD treatment.

[2] The Proposed Rule would modify practically every provision of the current Part 2 regulations, and while some of those changes are clarifying, many have significant import.  This article does not address all proposed substantive changes, and readers are encouraged to review the Proposed Rule in full.

For more information, please contact Alicia Macklin in Los Angeles, Amy Joseph in Boston, Andrea Frey or Paul Smith in San Francisco, Monica Massaro in Washington, D.C., or your regular Hooper, Lundy & Bookman contact.