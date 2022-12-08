Key Takeaways

The U.S. Department of Health and Human Services announced a Notice of Proposed Rulemaking that would align aspects of Part 2 regulations with HIPAA.

Proposed changes would harmonize Part 2 with several privacy, confidentiality, patient access and breach notification requirements already found in HIPAA.

If finalized, this may require organizations subject to Part 2, or to both Part 2 and HIPAA, to review and update policies and procedures regarding Part 2 records.

If finalized, this would significantly change the requirements for obtaining consent from patients regarding their Part 2 records to (1) permit covered entities and business associates to use and disclose Part 2 records as permitted by the HIPAA regulations (subject to some limitations), and (2) clarify that when Part 2 records are obtained under a written consent for all future TPO uses, Part 2 programs are permitted to use, disclose and redisclose Part 2 records for TPO purposes.

Introduction

On November 28, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse Mental Health Services Administration (SAMHSA) announced a Notice of Proposed Rulemaking (NPRM) to amend the Confidentiality of Substance Use Disorder Patient Records under 42 CFR Part 2, often referred to as "Part 2." Part 2 requires that Part 2 providers implement specific privacy, confidentiality and disclosure practices for substance use disorder records. As written, many Part 2 requirements conflict with standards set out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and have resulted in confusion and unintended friction in care coordination. The proposed changes would harmonize Part 2 with several privacy, confidentiality, patient access and breach notification requirements already permitted or required by HIPAA, which could improve synergies for those organizations obligated to comply with both regulatory schemes.

Background on Rulemaking

The Coronavirus Aid, Relief, and Economic Security (CARES) Act was passed on March 27, 2020, as part of congressional efforts to provide aid during the COVID-19 pandemic. Section 3221 of the CARES Act made several amendments to Part 2 (42 U.S.C. 290dd-2) to align its privacy standards with those imposed by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act for protected health information (PHI). The CARES Act directed HHS and SAMHSA to work together to draft new regulations that implement the statutory amendments. Until the NPRM is finalized, Part 2 remains unchanged.

Summary of Proposed Changes

The following summary highlights the proposed changes relevant to the privacy, security and protection of both PHI and Part 2 records. The NPRM proposed the following:

Single Patient Consent. Changing the consent requirements so that rather than requiring specific patient consent for each new disclosure, Part 2 programs will be able to obtain a single patient consent for all future treatment, payment and operational (TPO) disclosures. Rather than listing specific receiving entities, programs will be able to list categories of permissible recipients, such as "my providers." This modification also allows Part 2 programs, HIPAA-covered entities and business associates in receipt of Part 2 records to redisclose Part 2 records for any permissible purpose under HIPAA, except in certain legal proceedings against the patient. This is a significant and hotly anticipated change that will ease the ability to share meaningful patient information without consent barriers.

Conclusion

If implemented, the NPRM would result in material changes that would seemingly promote coordination and compliance requirements for Part 2 programs, covered entities, business associates and recipients of Part 2 records. The changes, however, could potentially require a robust review and updating of existing policies, particularly for Part 2 programs and covered entities or business associates that must comply with both Part 2 and HIPAA. If the proposed rule is finalized, the proposed compliance date is 24 months from the date the final rule is published. Comments are due by January 31, 2023. We will continue to monitor and report on significant rulemaking regarding this NPRM.

