Old Rule, New Tricks: HHS Finalizes Most Substantial Changes to Substance Use Disorder Confidentiality Rule in Decades
The long-anticipated final rule addressing substance use disorder (SUD) records at 42 C.F.R. Part 2, commonly referred to as Part 2, is here. The final rule is a joint undertaking by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA). The rule attempts to align Part 2 with the Health Insurance Portability and Accountability Act of 1996 and its Privacy, Breach Notification, and Enforcement Regulations (collectively "HIPAA").
The final rule adopts many of the provisions introduced in the Notice of Proposed Rulemaking (NPRM) that HHS published on December 2, 2022, but also makes modifications to the proposed rule in response to the comments received by HHS. The final rule becomes effective on April 16, 2024, and entities subject to the rule must come into compliance by February 16, 2026.
By aligning Part 2's consent requirements and other compliance obligations for Part 2 records with HIPAA, HHS states that the final rule will serve to decrease burdens on patients and providers, improve coordination of care and access to care and treatment, and protect the confidentiality of treatment records. Although certain changes, such as those to consent requirements, will be helpful, overall the final rule may significantly increase risk to organizations that create or receive certain SUD records due to new enforcement mechanisms.
Background and Proposed Rule
HHS first promulgated Part 2 regulations implementing statutory SUD confidentiality provisions in 1975. Part 2 imposes confidentiality protections to reduce barriers related to stigma of receiving SUD diagnoses and treatment and applies to federally assisted programs (part 2 programs) that include: (1) an individual or entity (other than a general medical facility) that holds itself out as providing, and provides, SUD services (diagnosis, treatment or referral for treatment), such as a facility dedicated to behavioral health services; (2) an identified unit within a general medical facility that holds itself out as providing, and provides, SUD services, such as an addiction treatment unit or a behavioral health department; and (3) medical personnel or other staff in a general medical facility whose primary function is the provision of SUD services, such as staff in an emergency department who primarily assess or treat patients for SUDs. "Federally assisted" broadly includes organizations that receive reimbursement from Medicare, Medicaid, or other federal programs; that are tax-exempt; that have any federal license, certification, or registration (including registration to dispense controlled substances); or otherwise receive federal funds. Not all SUD information, though, is subject to Part 2. For example, a primary care provider's SUD diagnosis or referral likely would fall outside of Part 2 because it does not meet the definition of a "program."
Prior to this new final rule, alleged Part 2 violations were subject only to unspecified criminal penalties (the statute and regulation reference criminal penalties as set forth in Title 18 of the U.S. Code, but Title 18 does not actually specify any penalties for Part 2 violations) or risk to accreditation or certification if the program is an opioid treatment program certified by SAMHSA. Despite Part 2 being almost 50 years old, though, we are not aware of any instances of past enforcement.
This final rule implements section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and more closely aligns Part 2 with HIPAA. The HIPAA Privacy Rule permits covered entities to use and disclose an individual's protected health information (PHI) for treatment, payment, or healthcare operations ("TPO") without the individual's authorization. Prior to amendment by the CARES Act, 42 U.S.C. 290dd-2 provided that Part 2 records could be disclosed only with the patient's specific written consent for each disclosure, with limited exceptions. The consent generally had to identify all recipients by name, so broad consents were not permitted. The CARES Act modifications permit a Part 2 patient to provide general consent for TPO. Once disclosed for TPO, the CARES Act provides that Part 2 records may be redisclosed consistent with HIPAA if the recipient is a Part 2 program, HIPAA-covered entity, or business associate. In addition to aligning consent requirements, the CARES Act also aligns Part 2 with several patient rights, breach notification obligations, and enforcement provisions under HIPAA.
Some Welcome Changes to Part 2
The final rule includes many modifications to Part 2 that were proposed in the NPRM, along with some new additions. Some notable changes from the current rule are described below:
- Patient Consent
  - Content: Finalizes the proposed alignment of the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization.
  - TPO Consent: Replaces the provisions requiring consent for uses and disclosures for payment and certain healthcare operations with permission to use and disclose records for TPO with a single consent given once for all future TPO uses and disclosures ("TPO consent") as permitted by HIPAA, unless the patient later revokes the consent in writing.
  - Redisclosure: Permits limited redisclosure of Part 2 information for three categories of recipients:
    - permits a covered entity or business associate that receives Part 2 records pursuant to a TPO consent to redisclose the records in accordance with HIPAA, except for certain proceedings against the patient;
    - permits a Part 2 program that is not a covered entity to redisclose records received pursuant to a TPO consent according to the consent; and
    - permits a lawful holder that is not a covered entity or business associate to redisclose Part 2 records for payment and healthcare operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities specified in the consent.
  - Copy or Explanation of Consent to Accompany Disclosures: Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.
  - Consent in Civil, Criminal, Administrative, or Legislative Proceedings: Adds an express requirement for separate consent (which cannot be combined with patient consent for any other use or disclosure) for use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings.
  - Part 2 Patient Notice: Aligns Part 2 Patient Notice requirements with those of the HIPAA Notice of Privacy Practices for entities that are dually regulated by both Part 2 and HIPAA. The final rule also modifies several of the patient notice requirements to account for changes to Part 2, such as the right to request an accounting of disclosures and to opt out of fundraising communications. As a result, a Part 2 provider will need to revise and distribute its Patient Notice (such as posting the revised notice and making it available upon request).
- Other Uses and Disclosures
  - Permits disclosure of Part 2 records without patient consent to public health authorities, if the records are de-identified according to the standards established by HIPAA.
  - Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent specific patient consent or a court order.
- SUD Counseling Notes: Creates a new definition for an SUD clinician's notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient's SUD treatment and medical record, and requires specific consent from the individual for their disclosure (such notes cannot be disclosed based on a broad TPO consent). This is analogous to the protections in HIPAA for psychotherapy notes.
- De-identification and patient identifying information: Adopts a modified definition of "patient identifying information" to align more closely with the HIPAA definitions.
- Fundraising: Permits a Part 2 program to use a patient's records for fundraising purposes pursuant to a TPO consent, subject to the patient's right to opt out of receiving fundraising communications.
- Safe Harbor: Limits civil or criminal liability for investigative agencies that inadvertently receive Part 2 records after conducting reasonable diligence to determine whether a provider is subject to Part 2.
Part 2 Changes to View with Caution
- Penalties and Enforcement: Replaces criminal penalties currently in place for Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.
  - Although HHS has not officially designated an agency for civil enforcement, OCR seems to be the leading candidate based on its history of enforcing HIPAA and its investigative resources. Whatever HHS agency is selected to enforce Part 2 moving forward, we expect that the risk of enforcement will increase significantly because an HHS agency seems far more likely to bring civil monetary penalties under an established framework than what we have historically seen from U.S. attorneys when there were only unspecified criminal penalties.
- Segregation of Part 2 Data: Adds an express statement that segregating or segmenting Part 2 records is not required. Although this appears to be a welcome clarification, HHS acknowledges that some means of ensuring that records are used and disclosed according to the scope of the consent will be needed. HHS is requiring entities to attach a copy of the patient consent to disclosures, in addition to the existing requirement of attaching a Notice to Accompany Disclosure. HHS acknowledges, however, that this may not address the technical challenges associated with tracking consent, redisclosure, and revocation of consent, nor will it address the technical and procedural challenges associated with concurrently complying with HIPAA and Part 2.
  - Part 2 providers will likely have to continue to segregate records for which a patient has not provided TPO consent, and recipients will need to have systems in place to understand the consent that was used to disclose records to them. While recipients pursuant to a TPO consent generally can treat Part 2 records as PHI under HIPAA, they still will need to have systems in place to limit redisclosures of Part 2 records to law enforcement or courts.
  - Overall, organizations currently must maintain a different set of restrictions on two classes of health data under HIPAA and Part 2: (1) PHI under HIPAA; and (2) PHI that is further restricted by Part 2. Under the final rule, organizations arguably will need to track three categories of health data: (1) PHI under HIPAA; (2) PHI that is subject to the full restrictions of the Part 2 Rule; and (3) PHI for which the patient has provided TPO consent, which can mostly be treated like PHI under HIPAA, but which is subject to additional restrictions on disclosures and redisclosures to courts and law enforcement. Plus, organizations must continue to comply with additional state law restrictions on other categories of sensitive information (e.g., HIV information), and it is likely that organizations will soon have additional restrictions under HIPAA with respect to reproductive healthcare.
- Patient Rights and Notices: Recognizes certain patient rights:
  - Accounting of Disclosures: Finalizes a right to request an accounting of disclosures made with consent for up to three years prior to the date the accounting is requested. A separate provision applies to disclosures for TPO purposes made through an electronic health record. The compliance date for this right (with respect to both TPO and non-TPO disclosures) is tolled until the HIPAA Accounting of Disclosures provision at 45 C.F.R. § 164.528 is revised to address accounting for TPO disclosures made through an electronic health record.
  - Right to request privacy protection for records: Aligns with HIPAA individual rights to request restrictions on uses and disclosures of records otherwise permitted for TPO purposes and to obtain restrictions on disclosures to health plans for services paid in full by the patient.
- Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule to breaches of Part 2 records. Part 2's new breach notification requirement may not have HHS's intended impact, however, because the rule incorporates the definition of "breach" from HIPAA. The incorporated definition is tied to violations under the Privacy Rule. HHS did not revise the definition of "breach" to instead tie it to violations of Part 2. As a result, an organization that violates Part 2 arguably only must provide breach notification if the incident also violates the HIPAA Privacy Rule – in which case the HIPAA Breach Notification Rule likely applies anyway. For example, if a Part 2 program discloses Part 2 records for treatment purposes without consent in violation of Part 2, then this disclosure arguably does not trigger either breach notification requirement because the disclosure was not a violation of the HIPAA Privacy Rule and, therefore, is not a "breach" under either rule.
- Complaints: Adds a right to file a complaint directly with the Secretary of HHS for an alleged violation of Part 2. Patients also may concurrently file a complaint with the Part 2 program.
Looking Ahead
The final rule is effective April 16, 2024, and will be enforced 22 months thereafter. In the meantime, entities should consider:
- Reevaluating if they have one or more programs subject to Part 2;
- Updating Part 2 consent policies and forms;
- Updating Part 2 Patient Notices; and
- Determining whether and how to operationalize electronic health records and other health information technology solutions to apply appropriate segmentation and/or segregation of Part 2 records and consents.
Over the next two years, healthcare providers may need to work with their electronic health record vendors to improve the ability of their technology systems to support Part 2 compliance. As it stands today, our understanding is that it is near impossible to keep Part 2 information from flowing to other healthcare providers through data fields such as medication or problem lists. Lawful holders who receive Part 2 records, such as health plans, also should consider whether their information systems allow for properly segmenting and limiting use and disclosure of Part 2 records, especially in circumstances where the patient signed a limited consent rather than a broader TPO consent.
DWT will continue to monitor HHS's rulemaking efforts, including its designation of an enforcement agency for Part 2 and its expected updates to HIPAA.