Blog

Health Information Technology, Health Law News

Print PDF

Proposed Changes to the Confidentiality of Substance Use Disorder Patient Records Regulations

Posted on December 30, 2022 in Health Information Technology, Health Law News

Published by: Hall Render

On December 2, 2022, the Department of Health and Human Services (“HHS”) Substance Abuse and Mental Health Services Administration (“SAMHSA”) released a proposed rule modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 (“Part 2”). The goal of the proposed rule is to implement changes necessary to conform with section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act and to better align requirements with current HIPAA standards. It also proposes changes to the administrative procedures for enforcing Part 2 and assessing penalties for noncompliance that leverage the existing structures under HIPAA.

Currently, Part 2 differs in many ways from the HIPAA regulations resulting in variations in the obligations, standards and enforcement applicable to covered entities and non-covered entities that are also Part 2 programs subject to Part 2. Part 2 programs that are also subject to HIPAA have expressed difficulty in complying with both sets of regulations. Additionally, treating providers have expressed difficulty obtaining access to full and complete health care information for continuing treatment and continuity of care purposes. HHS seeks to resolve some of these inconsistencies to allow for greater coordination while ensuring the privacy of substance use disorder (“SUD”) patients is adequately protected. HHS is hopeful that the expanded ability to use and disclose Part 2 records for treatment, payment and health care operations purposes will: (1) facilitate greater integration of SUD treatment information with other protected health information (“PHI”); (2) improve communication and care coordination between providers and with other elements of the health care system, such as payors; (3) enhance the ability to comprehensively diagnose and treat the whole patient; and (4) facilitate the exchange of Part 2 records between Part 2 programs and reduce burdens on such exchanges by allowing a written consent to be given once for all future uses and disclosures for treatment, payment and health care operations (“TPO”) purposes. This article summarizes the most notable of the proposed changes and explains how public comments on the proposed rule may be submitted by interested entities and individuals.

Proposed Changes

The goal of the proposed rule is to implement the changes in the underlying federal statutes made by the CARES Act and to better align Part 2 and its requirements to the HIPAA regulations, including by requiring Part 2 programs that do not act as covered entities under HIPAA to comply with similar obligations as those imposed on covered entities by HIPAA. As a result, both HIPAA-covered entity and non-covered entity Part 2 programs need to be aware of the potential changes.

The noteworthy, proposed changes for all Part 2 programs include the following:

  • Treatment, payment and health care operation consent. Covered entities and Part 2 programs will be permitted to obtain a single general consent from a patient for all current and future uses and disclosures for TPO purposes, as permitted by HIPAA. Additionally, when information is disclosed for such purposes, the recipient would be permitted to redisclose such records as permitted by HIPAA if acting as a Part 2 program, covered entity or business associate (except for certain proceedings against the patient). A lawful holder that is not a covered entity, business associate or Part 2 program would be permitted to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors or legal representatives as needed to carry out the activities in the consent. To accommodate obtaining the patient’s general written consent, “the recipient may be a class of persons, rather than only an identified person. In addition, for a single consent for all future uses and disclosures for TPO, the recipient may be described as ‘my treating providers, health plans, third-party payers, and people helping to operate this program’ or a similar statement.” This is a major revision that will hopefully help to streamline processes and ease administrative burdens on Part 2 programs and covered entities; however, policies and procedures for obtaining and documenting such consent would need to be considered and implemented if the change is finalized.

Additionally, Part 2 programs would need to consider processes for handling Part 2 data when patients refuse to provide general consent or revoke such consent. Notably, covered entities and Part 2 programs would need to ensure that any ongoing or automatic disclosure mechanisms are halted upon receipt of a written request for revocation from the patient. Once a Part 2 program discloses a record for TPO purposes to a Part 2 program, covered entity or business associate with prior written consent, a revocation would only be effective to prevent additional disclosures to those entities. It would not prevent a recipient Part 2 program, covered entity or business associate from continuing to use the record for TPO purposes or redisclosing the record as permitted by HIPAA’s Privacy Rule (except for certain proceedings against the patient).

The proposed changes also include language that prohibits any limits on a patient’s right to request restrictions on use of records for TPO purposes or a covered entity’s choice to obtain consent to use or disclose records for TPO purposes as provided in the HIPAA Privacy Rule.

  • Enforcement of compliance with Part 2. The proposed rule includes language to compel disclosures to the Secretary of HHS that are necessary for enforcement of Part 2, mirroring the language that currently exists in the HIPAA Privacy Rule, and applies the existing civil and criminal penalties that apply to HIPAA violations to violations of Part 2. Additionally, it creates a limitation on civil or criminal liability for investigative agencies that act with reasonable diligence before making a demand for Part 2 records in the course of an investigation or prosecution of a Part 2 program or person holding the record, provided that certain conditions are met. Finally, the proposed rule requires that Part 2 programs implement processes for receiving and responding to patient complaints regarding compliance with Part 2, prohibits adverse action against patients that file such complaints and prohibits requiring a patient to waive the ability to file a complaint as a condition of treatment, payment, enrollment or eligibility for services.
  • Restrictions on the use of Part 2 records in investigations. The proposed rule incorporates the four prohibited actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act, and expands the regulatory prohibition to cover civil, administrative or legislative proceedings in addition to criminal proceedings. Accordingly, SUD records may not be used for any of the following actions without patient consent or court order:
    • The introduction into evidence of a record or testimony in any criminal prosecution or civil action before a federal or state court;
    • Reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a federal, state or local agency;
    • The use of such record or testimony by any federal, state or local agency for a law enforcement purpose or to conduct any law enforcement investigation; and
    • The use of such record or testimony in any application for a warrant.
  • Changes required to Notices of Privacy Practices.  The proposed rule also makes several updates to the HIPAA Privacy Rule regarding a covered entity’s Notice of Privacy Practices (“NPP”) and expands patient rights with respect to Part 2 records. NPPs will be required to specifically address Part 2 records, particularly where the obligations remain different than under HIPAA. For example, in the case of a covered entity that is also a Part 2 program, the NPP would need to provide notice that a covered entity may use or disclose the individual’s Part 2 records for fundraising on behalf of the covered entity only with the written consent of the individual. Covered entities that receive and maintain Part 2 records (even where not a Part 2 program) would need to also add a provision to their NPP that references the restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative and legislative proceedings against the individual. Part 2 programs are currently required to provide notices to patients concerning federal confidentiality requirements at the time of their admission and the intent of these changes is to align these requirements with the requirements for NPPs under HIPAA.
  • Scientific Research and public health disclosure uses are now aligned with de-identification standards in the Privacy Rule. Part 2 data is permitted to be disclosed without patient consent in research reports and public health disclosures so long as the data has been rendered non-identifiable consistent with the Privacy Rule’s de-identification standard at 45 CFR 164.514.

Part 2 programs that also function as HIPAA-covered entities are already required to comply with the HIPAA regulations in addition to Part 2. However, Part 2 programs that are not HIPAA-covered entities should also take note that the proposed rule would make the following changes to align obligations of Part 2 programs with those that currently exist for covered entities under HIPAA:

  • Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization.
  • Give patients the right to receive an accounting of disclosures for all Part 2 records made with written consent for up to three years prior to the date the accounting is requested. This change is consistent with HIPAA’s existing requirements for covered entities. However, the compliance date for these requirements would be delayed in order to align with the proposed changes to similar provisions in the HIPAA Privacy Rule that are currently pending.
  • Give patients the right to request restrictions on disclosures for TPO purposes and obtain restrictions on disclosures to health plans for services paid out-of-pocket, in full, consistent with HIPAA’s existing requirements for covered entities.
  • Add breach notification requirements that would require Part 2 programs and most lawful holders to notify HHS, the media and affected patients in the event of a breach, consistent with HIPAA’s existing requirements for covered entities.

HHS also sought comment on whether provision of the HIPAA Security Rule should be extended to Part 2 programs.

Practical Takeaways

Health care providers that are subject to Part 2 should review the proposed rule’s changes and determine potential impacts on their policies, procedures and processes if finalized. Part 2 programs or other health care providers should consider whether to publicly comment on any aspect of the proposed rule for HHS’s consideration when finalizing the changes. Comments are due by January 31, 2023, and can be submitted as follows:

  • Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS–OCR–0945–AA16. Follow the instructions at http://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).
  • Regular, Express or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: SUD Patient Records, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201.

Once the rule is finalized, Part 2 programs are encouraged to promptly implement compliance with the new and changed requirements. Enforcement activity, which has historically been fairly quiet with respect to Part 2, will likely increase as the processes for enforcing HIPAA, including its structure for accepting and investigating complaints and assessing fines and penalties, will now be leveraged to enforce compliance with Part 2.

Questions

If you have any questions, would like assistance preparing public comments or would like additional information about this topic, please contact:

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.

If you have any questions, please contact one of the following or your regular Hall Render attorney.

Stephane P. Fabus's Photo

Stephane P. Fabus

(414) 721-0904

Email

Related Services

Dropdown arrow

Blog Categories

Archives