Substance Abuse Disorder Records (42 CFR Part 2) Proposed Rulemaking Works Toward HIPAA Alignment
While the federal substance use disorder regulations enjoyed decades without a single change, the federal government has been on a roll since 2017. The latest round of changes was recently announced by the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA). The Notice of Proposed Rulemaking (NPRM) is intended to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR Part 2 (Part 2) in connection with other federal regulatory movements to improve coordination of care and access to care.
We have known since the last round of Part 2 changes in 2020 that HHS intended to release revisions to Part 2 to coordinate with the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The revisions in 2020 were intended to serve as “interim and transitional standards” until the current NPRM is finalized.
A major impetus behind this proposed rule is to improve coordination of care, in part by addressing disconnects between Part 2 and the Health Insurance Portability and Accountability Act (HIPAA). However, this initiative is counterbalanced by changes intended to strengthen confidentiality protections of SUD records so that individuals with substance abuse issues will not avoid treatment out of fear that their records will be disclosed, or that their exposure to criminal consequences for substance use is increased by seeking care. If finalized as drafted, the proposed rule also expands breach notification requirements and enforcement teeth.
Changes Intended to Improve Care Coordination by Bringing Part 2 requirements into closer alignment with HIPAA:
- Revised Consent Contents. Align the Part 2 consent content requirements with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated to use and disclose Part 2 records for treatment, payment, and health care operations (TPO).
- Single Consent for TPO. Permit Part 2 programs to use and disclose Part 2 records for future TPO uses and disclosures based on a single (revocable) consent signed by the patient.
- Alignment with HIPAA Redisclosure Provisions. Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions.
These changes are an important shift in requirements for Part 2 programs, with significant operational, technical, and practical implications for care delivery.
Changes Intended to Improve Privacy Protections and Remove Barriers to Treatment:
- Patient Rights and Notices
- Creation of two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
- Right to request restrictions on disclosures for TPO.
- Right to an accounting of disclosures.
- Modification of the Part 2 confidentiality notice requirements to align with the HIPAA Notice of Privacy Practices (NPP).
- Modification of the HIPAA NPP requirements for covered entities that receive or maintain Part 2 records to limit redisclosure of Part 2 records for legal proceedings according to Part 2 standards.
- Creation of two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
- Obligations and Prohibitions for Part 2 Providers and Records Requestors
- Require Part 2 programs to establish a process to receive complaints of Part 2 violations.
- Prohibit Part 2 programs from taking adverse action against patients who file complaints and from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
- Expanded prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient.
- Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records while investigating or prosecuting a Part 2 program, when certain preconditions are met.
- Expanded HHS Enforcement Authority
- Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations.
- Apply the standards in the Health Information Technology for Economic and Clinical Health (HITECH) Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs.
- Require disclosures to the Secretary for enforcement.
What’s Next?
The rule was published in the Federal Register on December 2, 2022 which starts a 60 day comment period. After the public comment period closes, we wait for a final rule, hopefully sometime in 2023.
From a practical perspective, Part 2 providers should consider the following:
- Be prepared to update NPPs and Part 2 patient consent process to align with the proposed changes (once finalized).
- Evaluate current practices to ensure current Part 2 standards, which were last revised in 2020, are implemented correctly.
- Consider potential practical changes that might be coming down the road such as patient consent for disclosing for TPO purposes, accounting of disclosures, and HIPAA breach notification.
- Assess whether the proposed changes will change the preemption analysis in play for state confidentiality law compliance.
- Consider investment in an expanded compliance program that may be necessary to assure effective implementation once the rules – including increased enforcement authority – are finalized.
For questions about this update or Part 2 compliance generally, please contact your Quarles & Brady attorney or:
- Sarah Coyne: (608) 283-2435 / sarah.coyne@quarles.com
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Apurva Dharia: (202) 780-2675 / apurva.dharia@quarles.com