Long-Awaited Modifications to Part 2 Regulations for “Confidentiality of Substance Use Disorder Patient Records” Finalized

On February 8, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule that modified the “Confidentiality of Substance Use Disorder Patient Records” regulated by 42 CFR Part 2 (“Part 2”). The Final Rule was published in the Federal Register on February 16, 2024, creating an effective date of April 16, 2024. Entities have until February 16, 2026 to comply with the Final Rule’s requirements.

Background

The Final Rule was informed by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act, which required HHS to bring the Part 2 programs into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Breach Notification, and Enforcement Rules. Part 2 historically differed in many ways from the HIPAA regulations, resulting in variations in the obligations, standards and enforcement applicable to covered entities and non-covered entities that are also Part 2 programs. Part 2 programs subject to HIPAA expressed difficulty in complying with both sets of regulations and obtaining access to complete health care information for continuing treatment and continuity of care purposes. Part 2 programs that were not subject to HIPAA were often not required to comply with similar obligations supporting patient rights, such as those relating to accountings of disclosures and breach notification.

The Final Rule strengthens confidentiality protections for Substance Use Disorder (“SUD”) treatment records by incorporating obligations that currently exist under HIPAA; modifies enforcement mechanisms to leverage those currently used by HHS to enforce HIPAA; enhances coordination of care efforts for patients receiving SUD treatment by allowing the better integration of SUD information with the medical records of non-Part 2 providers; and facilitates use and disclosure of Part 2 records for treatment, payment and health care operations purposes when the patient consents. HHS is hopeful that this will enable providers to more effectively treat the whole person, ensure the availability of SUD treatment records to promote access to care and provide patients with assurances that SUD privacy protections will be enforced.

The Final Rule was issued following the Notice of Proposed Rulemaking (“NPRM”) in December of 2022, and the receipt and review of public comments related thereto. The Final Rule incorporates modifications that were part of the initial NPRM and modifications informed by public comments.

Significant Changes to Part 2 Rule Due to the Final Rule

• Changes to Use and Disclosure of Part 2 Records
  • Allows a single consent for all future uses and disclosures for treatment, payment and health care operations. The consent form must meet the requirements set forth in Section 2.31 for other Part 2 consents, with certain requirements specially modified. HIPAA-covered entities and business associates are permitted to redisclose records received based on a single consent in accordance with the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative and legislative proceedings against the patient. The prohibition on redisclosure notification was also updated to reflect this change.
  • Provides similar protections and consent requirements for disclosures of “SUD counseling notes” that are akin to HIPAA’s provisions regarding “psychotherapy notes.”
  • Patient consent for use and disclosure of records (or testimony relaying information contained in a record) in a civil, criminal, administrative or legislative investigation or proceeding cannot be combined with consent to use and disclose a record for any other purpose.
  • Permits disclosure of records without patient consent to public health authorities if the records are de-identified according to the HIPAA Privacy Rule. Similarly, it aligns with the HIPAA Privacy Rule by replacing requirements to render Part 2 records in research reports non-identifiable with the HIPAA Privacy Rule’s de‑identification standard.
• Segregation of Records
  • No longer requires entities to segregate or segment SUD records that are received pursuant to the patient’s consent from their other records.
• Breach Notification
  • Applies the same requirements of the HIPAA Breach Notification Rule to breaches of unsecured records under Part 2.
• Patient Rights
  • All Part 2 programs will be subject to the requirements regarding issuing and maintaining a notice of privacy practices that is generally consistent with the HIPAA standards, with the specific contents identified in the regulations for certain uses and disclosures particular to Part 2 (“Patient Notice”). If a use or disclosure for certain purposes is prohibited or materially limited by other applicable laws, the description of such use or disclosure must reflect the more stringent law.
  • Clarifies that patients have the right to obtain an accounting of disclosures for the previous 3 years, limit fundraising communications and request restrictions on certain disclosures, including mandating adherence to restrictions on disclosures to a health plan for payment or health care operations purposes where the patient has paid out-of-pocket in full, as provided by the HIPAA Privacy Rule.
• Complaints
  • Requires Part 2 programs to have a process for receiving and responding to patient requests regarding noncompliance and enables patients to submit complaints to HHS regarding noncompliance. A Part 2 program may not intimidate, threaten, coerce, discriminate against or take other retaliatory action against any patient for exercising their rights or participating in any process, including those regarding complaints and their investigation. Additionally, it prohibits requiring a patient to waive the ability to file a complaint as a condition of treatment, payment, enrollment or eligibility for services.
• Enforcement and Penalties
  • Aligns Part 2 enforcement and penalties with HIPAA by granting HHS enforcement authority and the ability to impose civil money penalties for Part 2 violations consistent with those currently permitted under HIPAA.
• Safe Harbor
  • Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine if a provider is subject to Part 2 before making a demand for records. The Final Rule clarifies that an investigative agency must, within a reasonable amount of time (no more than 60 days) before making the request, search for a provider in SAMHSA’s online treatment facility locator or any similar state database and check the provider’s website, location and Patient Notice to determine whether the provider is subject to Part 2.

Practical Takeaways

• Part 2 programs are encouraged to promptly implement compliance with the new and changed requirements. Part 2 programs that also function as HIPAA-covered entities are already required to comply with the HIPAA regulations in addition to Part 2, but would still want to review policies and procedures to assess the impact of the revised regulations. Part 2 programs that are not HIPAA-covered entities should take steps to ensure that they come into compliance with the new requirements relating to authorization forms, notice of privacy practices, accounting of disclosures, patient requests for restrictions and breach notification.
• Part 2 programs will want to consider whether and how to implement processes for obtaining single consent to share SUD records with other health care providers for treatment, payment and health care operations purposes, including through health information networks or exchanges. Additionally, Part 2 programs implementing such a process will also need to consider how to handle Part 2 records when patients refuse to provide a single consent or revoke such consent. Notably, covered entities and Part 2 programs would need to ensure that any ongoing or automatic disclosure mechanisms are halted upon receipt of a written request for revocation from the patient.
• While enforcement activity has historically been relatively quiet with respect to Part 2, it will likely increase as the processes for enforcing HIPAA, including its structure for accepting and investigating complaints and assessing fines and penalties, will now be leveraged to enforce compliance with Part 2.

If you have any questions or would like additional information about this topic, please contact:

• Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
• Charise Frazier at (317) 977-1406 or cfrazier@hallrender.com;
• Philip Davis at (317) 977-1412 or pdavis@hallrender.com;
• Jen Davis at (248) 457-7827 or jdavis@hallrender.com; or
• Your primary Hall Render contact.

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.