Key Takeaways

  • The U.S. Department of Health and Human Services announced a Notice of Proposed Rulemaking that would align aspects of Part 2 regulations with HIPAA.
  • Proposed changes would harmonize Part 2 with several privacy, confidentiality, patient access and breach notification requirements already found in HIPAA.
  • If finalized, this may require organizations subject to Part 2, or to both Part 2 and HIPAA, to review and update policies and procedures regarding Part 2 records.
  • If finalized, this would significantly change the requirements for obtaining consent from patients regarding their Part 2 records to (1) permit covered entities and business associates to use and disclose Part 2 records as permitted by the HIPAA regulations (subject to some limitations), and (2) clarify that when Part 2 records are obtained under a written consent for all future TPO uses, Part 2 programs are permitted to use, disclose and redisclose Part 2 records for TPO purposes.

Introduction

On November 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse Mental Health Services Administration (SAMHSA) announced a Notice of Proposed Rulemaking (NPRM) to amend the Confidentiality of Substance Use Disorder Patient Records under 42 CFR Part 2, often referred to as "Part 2." Part 2 requires that Part 2 providers implement specific privacy, confidentiality and disclosure practices for substance use disorder records. As written, many Part 2 requirements conflict with standards set out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and have resulted in confusion and unintended friction in care coordination. The proposed changes would harmonize Part 2 with several privacy, confidentiality, patient access and breach notification requirements already permitted or required by HIPAA, which could improve synergies for those organizations obligated to comply with both regulatory schemes.

Background on Rulemaking

The Coronavirus Aid, Relief, and Economic Security (CARES) Act was passed on March 27, 2020, as part of congressional efforts to provide aid during the COVID-19 pandemic. Section 3221 of the CARES Act made several amendments to Part 2 (42 U.S.C. 290dd-2) to align its privacy standards with those imposed by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act for protected health information (PHI). The CARES Act directed HHS and SAMHSA to work together to draft new regulations that implement the statutory amendments. Until the NPRM is finalized, Part 2 remains unchanged.

Summary of Proposed Changes

The following summary highlights the proposed changes relevant to the privacy, security and protection of both PHI and Part 2 records. The NPRM proposed the following:

  • Single Patient Consent. Changing the consent requirements so that rather than requiring specific patient consent for each new disclosure, Part 2 programs will be able to obtain a single patient consent for all future treatment, payment and operational (TPO) disclosures. Rather than listing specific receiving entities, programs will be able to list categories of permissible recipients, such as "my providers." This modification also allows Part 2 programs, HIPAA-covered entities and business associates in receipt of Part 2 records to redisclose Part 2 records for any permissible purpose under HIPAA, except in certain legal proceedings against the patient. This is a significant and hotly anticipated change that will ease the ability to share meaningful patient information without consent barriers.
  • HHS Enforcement. Increasing HHS' enforcement authority, and specifically applying enforcement capabilities permitted under HIPAA to violations of Part 2. Information on HHS penalties can be found here.
  • Processes for Complaints and Certain Prohibitions. Requiring Part 2 programs to create a process for receiving complaints regarding its compliance with Part 2, prohibiting discrimination and retaliation against patients for exercising their rights to complain, and prohibiting Part 2 programs from requiring patients to waive their right to file a complaint as a condition for treatment, payment or enrollment in the Part 2 program. HHS noted in the NPRM that Part 2 entities subject to HIPAA are already subject to these requirements, and Part 2 programs that are not covered entities would need to adopt implementing policies, if finalized.
  • Expanded Restrictions on Use in Legal Proceedings. Broadening certain restrictions on the use of Part 2 records as evidence in criminal proceedings against patients, and expanding the protections to cover civil, administrative or legislative proceedings.
  • De-identification Standard. Changing the de-identification standard for Part 2 records to align with the de-identification standard found in the HIPAA regulations. Currently, Part 2's de-identification standard is met by "[r]endering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers)." The HIPAA standard is significantly more proscriptive, requiring the removal of 18 specific identifiers or the certification by a de-identification expert that there is no reasonable basis to believe a patient could be identified based on the available data elements.
  • Breach Notification. Requiring Part 2 programs to implement policies and procedures for notifications of breaches of unsecured (i.e., unencrypted) Part 2 records consistent with the HIPAA regulations. Part 2 programs that were not subject to HIPAA did not previously have a notification obligation in the event there was an unauthorized disclosure of Part 2 records. The notification obligations go beyond informing the patient. If approved, the changes will require Part 2 programs that experience a breach impacting more than 500 patients to notify individuals, HHS and (in some cases) media within 60 days of discovery of the breach, which will result in an OCR investigation. For breaches affecting less than 500 patients, notification is still required to affected individuals within 60 days, but the HHS notification is not required until the first 60 days of the year following the incident.
  • Notice of Privacy Practices. Aligning the patient notice requirements under Part 2 and the HIPAA regulations to incorporate much of the content requirements imposed by HIPAA into the Patient Notice required by Part 2. Currently, Part 2 only requires that the Patient Notice include a summary of Part 2's restrictions. The proposed rule would require Part 2 programs to incorporate the same key elements of a HIPAA notice of privacy practices (NPP), including a full description of the permitted uses and disclosures of Part 2 records and in what circumstances separate patient consent must be obtained. Notably, the proposed rule also suggests modifying non-Part 2 HIPAA-covered entity NPPs for those entities that receive Part 2 records. If the proposed rule is finalized, such entities' NPPs would need to include the restrictions on use and disclosure of Part 2 records in legal proceedings against the patient.
  • Accounting of Disclosures. Creating a new right for Part 2 patients to request and receive an accounting of disclosures of their Part 2 records.
  • Right to Request Privacy of Records. Creating a right for Part 2 patients to request a restriction on disclosures of Part 2 records for TPO purposes, and to request restrictions on disclosures to health plans for Part 2 records related to services paid in full by the individual or someone on their behalf.
  • Audits and Evaluations. Clarifying that Part 2 programs, covered entities and business associates that obtain a patient's consent for all future TPO uses and disclosures can disclose those records for certain audits and evaluations.
  • Disclosures for Public Health. Permitting Part 2 programs to disclose Part 2 records without patient consent for public health purposes so long as the information is de-identified in accordance with HIPAA.

Conclusion

If implemented, the NPRM would result in material changes that would seemingly promote coordination and compliance requirements for Part 2 programs, covered entities, business associates and recipients of Part 2 records. The changes, however, could potentially require a robust review and updating of existing policies, particularly for Part 2 programs and covered entities or business associates that must comply with both Part 2 and HIPAA. If the proposed rule is finalized, the proposed compliance date is 24 months from the date the final rule is published. Comments are due by January 31, 2023. We will continue to monitor and report on significant rulemaking regarding this NPRM.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.