On February 8, 2024, the U.S. Department of Health and Human Services (HHS) through the Substance Abuse and Mental Health Services Administration and the Office for Civil Rights (OCR) issued a 485-page Unpublished Final Rule as a follow-up to a 2022 Notice of Proposed Rulemaking. Scheduled to be published on or around February 16, 2024, the Final Rule updates the federal substance use disorder (SUD) patient records regulations at 42 CFR Part 2 in accordance with the CARES Act and aligns them with several Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, breach notification, and enforcement regulations. The OCR also issued a five-page Fact Sheet regarding the Final Rule.
The Final Rule is a significant overhaul of the SUD patient records regulations, including previously proposed changes and other (new) updates based on public comments HHS received. This advisory provides an overview of the Fact Sheet and the Final Rule, which seeks to balance the protection of substance use records with the coordination of patient care.
Background
The substance use disorder regulations under 42 U.S.C. 290dd-2 (the Part 2 regulations) have been in place for almost five decades and are generally more stringent than HIPAA’s Privacy Rule. The Part 2 regulations protect records regarding SUD (formerly known as substance abuse) and encourage individuals to seek SUD diagnosis and treatment despite potential concerns of discrimination or criminal prosecution. A primary purpose of the Part 2 regulations is that SUD patients are “not made more vulnerable” because their patient records are more easily accessible than those of individuals who do not receive SUD services.
Section 3221 of the CARES Act amended 42 U.S.C. 290dd-2 to facilitate Part 2 aligning with certain HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) provisions, especially regarding patient consent and redisclosure of SUD records.
The Part 2 regulations broadly apply to more than just standalone substance use treatment facilities. They protect substance use information obtained by a federally assisted program. A “program” is defined as: “(1) an individual or entity (other than a general medical facility) which holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; (2) an identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or (3) medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.”1 Additionally, because the previous Part 2 regulations contained a specific prohibition on redisclosure, the Final Rule’s changes are also important to persons and entities who receive Part 2 records.
The Final Rule – Major Takeaways
- States its effective date is 60 days after publication of the Final Rule in the Federal Register (currently anticipated publication date of February 16, 2024).
- States its compliance deadline is 24 months after publication of the Final Rule and will apply to records created prior to the Final Rule. HHS intends to align certain compliance dates via a forthcoming (separate) final rule under HIPAA, which is anticipated to address accounting and Notice of Privacy Practices (NPP) obligations relevant to the Final Rule.
- Permits patients to file complaints with the Secretary of HHS alleging Part 2 violations, similar to the HIPAA complaint process. Patients can also simultaneously file a complaint directly with the Part 2 program. Part 2 programs cannot take adverse action (such as intimidating or retaliating) against patients who file such complaints and cannot require patients to waive the right to file such complaints. Patient complaints submitted to the Secretary of HHS can allege a Part 2 violation by a Part 2 program, a covered entity, business associate, qualified service organization, or other lawful holder of Part 2 records. HHS stated a patient can complain to either HHS or a Part 2 program, or both—there is no “wrong door” to complain. Part 2 programs must comply with HHS requests to investigate or determine their Part 2 compliance.
- Applies HIPAA enforcement approach and authorities (including the HITECH culpability tiers) to noncompliance with Part 2 regulations. Any person who violates the Part 2 regulations would be subject to applicable penalties under 42 USC 1302d-5 and 1320d-6. HHS clarified in commentary that such penalties would not be harsher than HIPAA violations, and HIPAA’s mitigating factors and affirmative defenses would apply. HHS also stated an entity could be subject to both Part 2 and HIPAA and therefore potentially subject to penalty provisions of both laws for violations.
- Adds many definitions borrowed in large part from HIPAA definitions to the Part 2 regulations, including breach, business associate, covered entity, health care operations, HIPAA, payment, personal representative, public health authority, unsecured protected health information, and unsecured record. (The definitions of unsecured protected health information and unsecured record are consistent with HIPAA to help align new breach reporting obligations for Part 2 records.)
- Added other formal definitions, such as intermediary and lawful holder, both of which have varying obligations and exceptions.
- The definition of intermediary is based on function: “a person, other than a [Part 2] program, covered entity, or business associate, who has received records, under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient” [emphasis added]. The intermediary definition facilitates Part 2 records being utilized in new care models, such as a health information exchange (HIE), research institution providing treatment, an accountability care organization, or a care coordination/care management organization. An HIE that serves as a business associate to a covered entity Part 2 program would not be an intermediary because the Final Rule’s intermediary definition excludes business associates.
- The definition of lawful holder is based on how the person received the records at issue. HHS stated in commentary that if a person received records based on a Part 2-compliant consent accompanied by a notice of disclosure, or based on a consent exception, that person would be a lawful holder under Part 2.
- Adds a new definition of SUD counseling notes that are maintained separately from the rest of the Part 2 and/or patient’s medical record (similar to psychotherapy notes under HIPAA). SUD counseling notes may contain especially sensitive details and are primarily intended for the direct treating clinician’s use. Clinicians are not required to maintain SUD counseling notes separately but, if they do, such notes are provided additional privacy protections. Like psychotherapy notes under HIPAA, the Final Rule permits disclosures of SUD counseling notes without patient consent in certain situations.
- Modifies previous definitions in Part 2, including patient-identifying information, qualified service organization (now expressly includes a HIPAA business associate if the PHI at issue also is a Part 2 record), records, and third-party payer (now excludes health plans because they are under the new Part 2 definition of a covered entity).
- Permits Part 2 programs to disclose records that are de-identified consistent with either of HIPAA’s de-identification methods (expert determination or through removal of specific identifiers). Applies that same de-identification standard for public health disclosures and for scientific research purposes.
- HHS declined to create an express right to use Part 2 records for health care operations to create de-identified data without patient consent. HHS noted it was constrained by statutory language; therefore, consent would be required under the Final Rule before disclosing records for treatment, payment, or health care operations (TPO), except when Part 2 programs are disclosing SUD records to a covered entity.2
- Addresses a patient’s lack of health care decision-making capacity, whether adjudicated by a court or without court adjudication but due to a medical condition as determined by a Part 2 program director solely for purposes of obtaining payment from a third-party payer or health plan for an adult patient. Also clarifies personal representatives’ role for deceased patients. HHS may provide additional guidance on the intersection of Part 2 and state requirements regarding minors’ consent and involvement of parents/caregivers at a later date.
- Applies the HIPAA covered entity breach notification provisions (as amended by HITECH) to Part 2 programs, including for breaches of unsecured Part 2 records, including those held by a qualified service organization (QSO) or business associate. In commentary, HHS confirmed that a Part 2 program “would not be responsible for breaches by QSOs or business associates” but would be responsible for having contractual requirements in place to ensure it is timely notified of a breach by such entities. HHS also clarified in commentary that breach notification obligations do not apply to QSOs (unless they are business associates). HHS also clarified that lawful holders are not subject to Part 2’s breach notification requirements.
- Adds a notice obligation for Part 2 program to provide a Patient Notice regarding Part 2 records (similar to a HIPAA NPP). The Final Rule imposes specific content requirements for the Patient Notice, including uses and disclosures, patient rights, and duties of Part 2 programs. Patients have the right to receive a paper or electronic copy of the Patient Notice and to discuss such Notice with a designated contact person identified by the Part 2 program. In commentary, HHS confirmed it would be acceptable to combine HIPAA, state law, and Part 2 notices into one notice if the consolidated notice included all the required elements. HHS will revise the HIPAA NPP provision via separate rulemaking and align compliance dates for required changes to the HIPAA NPP and Part 2 Patient Notice.
- Aligns Part 2 written consent with HIPAA’s content requirements for an authorization. HHS recognized in commentary a single form could be used by a Part 2 program that is a covered entity to meet both HIPAA and Part 2 requirements. (HHS declined to replace Part 2’s reference to “consent” with the HIPAA term “authorization” because the two terms have different meanings.) In commentary, HHS clarified that covered entities that receive Part 2 records but do not operate a Part 2 program do not need to create or use a Part 2 consent; they can use a HIPAA authorization to disclose those Part 2 records they receive if the authorization is specific to Part 2 records (instead of generally “my medical records”). HHS declined to expressly adopt a verbal consent to disclose Part 2 records but noted Part 2 provisions regarding a medical emergency or de-identified information might apply for some intake and referral scenarios.
- Allows a single consent to be given one time to permit all future uses and disclosures for TPO consent. Records received under a TPO consent are still Part 2 records because they cannot be used or disclosed for investigations or proceedings against the patient (unless with written consent or a court order).4 HHS also noted the consent options for patients in Part 2 programs include consent for a specific, one-time use or disclosure.
- Adds consent provisions regarding a new category of records (SUD counseling notes) that require specific patient consent if they are maintained separately from the rest of the patient’s Part 2 records; some exceptions apply.5 A consent form for the use or disclosure of SUD counseling notes (1) cannot validly be combined with a consent for disclosure of other Part 2 records, such as billing records; and (2) cannot condition the patient’s treatment, payment, health plan enrollment, or benefits eligibility on whether the patient provides written consent regarding SUD counseling notes.
- Expressly requires a separate written consent for Part 2 records (or testimony which relays information from those records) to be used or disclosed in civil, criminal, administrative or legislative proceedings. This type of consent cannot be combined with a consent to use and disclose a Part 2 record for any other purpose (such as a consent for TPO or a consent for treatment).
- Requires that a copy of the patient’s written consent or a clear explanation of the scope of such consent must accompany each disclosure of Part 2 records made with the patient’s written consent. There are two options for the required accompanying written statement: a detailed paragraph or a one-sentence statement that “42 CFR Part 2 prohibits unauthorized use or disclosure of these records.” HHS renamed Part 2’s previous “prohibition on redisclosure” to “notice to accompany disclosure” to reflect limitations that must be operationalized regarding Part 2 information in civil, criminal, administrative, or legislative proceedings against the patient.
- Permits certain redisclosures by recipients of Part 2 records based on a patient’s written consent for TPO as detailed by HHS in the Final Rule. First, covered entities and business associates that received records for TPO can further disclose those records in accordance with HIPAA regulations but cannot use or disclose such records for civil, criminal, administrative, or legislative proceedings against the patient. Second, a Part 2 program that is not a covered entity or business associate can redisclose according to the terms of a consent given once for all future TPO activities. Third, when Part 2 records are disclosed for payment or health care operations to a lawful holder that is not a covered entity or business associate, “that lawful holder can further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders.” Such lawful holders (who are not covered entities or business associates) must have certain written contracts or comparable legal instruments in place with the contractor or legal representative regarding their obligations, such as being bound by Part 2 when they receive patient identifying information.
- Adds a new patient right to a request a list of certain disclosures, such as:
- disclosures made by an intermediary with consent for the past three years (this will take effect 60 days from the Final Rule’s publication).
- disclosures by Part 2 programs for TPO purposes, if made through an electronic health record after the first day of the compliance date (this is tolled for now because the HIPAA accounting provision for TPO disclosures made through an electronic health record is not yet finalized).
- Incorporates the HIPAA patient right to obtain restrictions on disclosures to the patient’s health plans for services paid for by the patient in full. HHS acknowledges this provision may benefit patients who can self-pay for SUD treatment while other patients cannot do so, but HHS is constrained by statutory language. HHS states it is working to address access disparities for SUD treatment.
- Adopts the HIPAA patient right to request certain restrictions on Part 2 records for TPO uses and disclosures. A Part 2 covered entity is not required to agree to such a requested restriction that (analogous to HIPAA) would otherwise be required by law or for a purpose permitted by Part 2 except for TPO. HHS expects Part 2 programs that are covered entities to make every reasonable effort to comply with a patient’s requested restriction, to the extent feasible, and encourages Part 2 programs that are not covered entities to make such efforts.
- Provides patients with a clear and conspicuous right to opt out of receiving fundraising communications before a Part 2 program can use or disclose records to fundraise for the Part 2 program’s benefit. Per HHS commentary, a general TPO consent is not sufficient for fundraising.
- Explicitly declined to add a provision in the Final Rule that would have allowed Part 2 programs to disclose records in limited data sets as per HIPAA.
- For disclosures without patient consent:
- permits disclosure of de-identified records to public health authorities, if de-identified consistent with HIPAA requirements.
- adds administrative and legislative proceedings to examples of forums where Part 2 use and disclosure restrictions apply.
- restricts use of testimony in civil, criminal, administrative, and legislative proceedings against the patient absent patient consent or court order.
- finalizes certain requirements for investigative agencies in seeking court orders, including creating a limitation of liability for investigative agencies demonstrating certain, reasonable diligence steps to determine if a provider was subject to Part 2 before making a legal demand for records.
- finalizes criteria for court orders regarding use of undercover agents and informants.
- requires investigative agencies to file certain annual reports with HHS, such as regarding applications for court orders after receiving Part 2 records.
- Specifically states that the segregation or segmentation of Part 2 records is not required of Part 2 programs, covered entities, and business associates when they received Part 2 records based on a single consent permitting all future uses and disclosures for TPO. Per HHS, recipients of Part 2 records can choose the best methods for their unique health information technology environments; they might voluntarily use data segmentation and tracking to operationalize protection of Part 2 data from improper disclosure or redisclosure, such as in legal proceedings against the patient unless with written consent or a court order. HHS may provide guidance regarding data segmentation, tagging, or tracking at a later date, but it is not requiring specific software solutions or technology at this time.
- Does not modify Part 2 regulations to align with the HIPAA Security Rule but may consider doing so in future rulemaking. Part 2 regulations previously contained some general “security” provisions regarding Part 2 programs and lawful holders through maintenance of formal policies and procedures. The Final Rule clarifies that Part 2 programs and certain lawful holders (but not a patient’s family, friends, and other informal caregivers) must develop formal policies and procedures to protect against reasonably anticipated security threats or hazards and that such policies must address maintenance, transfer, removal, de-identification, and destruction of records.
- The lengthy Final Rule and HHS commentary address many other topics in detail, including:
- SUD diagnoses made on behalf of and at the request of law enforcement or a court solely to provide evidence.
- Content and provision of a Part 2 program’s Patient Notice.
- Content of written consent form (with special instructions for intermediaries).
- Medical emergencies/emergency treatment.
- Termination of agreed upon patient requested restrictions.
- Scientific research (including requirements for researchers).
- Audits and evaluations (including for Medicare, Medicaid, and the Children’s Health Insurance Plan).
- Minors.
- Disclosures to criminal justice system that referred patients.
- Confidential communications by a patient to a Part 2 program.
- Mechanics of Part 2 program providing an accounting for the past three years.
- Mechanics and timeframe for an intermediary to provide requested list of certain disclosures made within the last three years.
- Revocation of consent (including in an electronic HIE environment).
- Notice to patients or record holders regarding certain proceedings seeking court orders.
- Court orders (including to investigate or prosecute a patient or Part 2 program).
- Investigative agencies (including steps when they discover in good faith that they received Part 2 records without obtaining a required court order).
- Use of undercover agents or informants in a Part 2 program.
- Mechanics of providing breach notice.
- Retention and disposition of Part 2 records (including for discontinued programs).
- Much remains to be analyzed further and then operationalized, particularly for companies that are both covered entities and Part 2 programs, Part 2 programs that are not HIPAA covered entities, and companies which receive Part 2 information from others.
- Although the Final Rule does not expressly require training, HHS anticipates all Part 2 programs will provide training to their workforce members regarding the Final Rule’s changes.
Moving Forward
HHS noted there are technical challenges, time, and resources involved in concurrently complying with Part 2 and HIPAA. According to the Fact Sheet, HHS will provide resources to support implementation and enforcement, consider what additional guidance is needed, and conduct outreach on how to comply with the Final Rule’s new requirements.6
Although the Final Rule provides an enforcement date of two years after publication, affected entities should begin to work now on implementation requirements, including a new Privacy Notice (or updating their NPP as appropriate), a patient complaint process, and policies, procedures, notices and consent forms. Covered entities, business associates, and persons who receive Part 2 records (such as third-party payers) should review their interactions with Part 2 records and update their forms and processes to incorporate the Final Rule’s provisions as applicable to them. Companies in multiple states may face varying obligations depending on state law because the Final Rule does not preempt more stringent state statutes or regulations regarding SUD.
If we can assist with any of these important efforts in light of the Final Rule’s sweeping changes, please let us know.
[1]According to HHS, whether a provider is a “program” subject to Part 2 is a fact-specific inquiry, involving how it operates and describes or advertises its services. Because most SUD treatment programs are federally assisted, Part 2’s “federal assistance” prong is typically satisfied.
[2] In commentary, HHS stated that under the Final Rule a covered entity or business associate that receives records under a TPO consent can redisclose them consistent with the HIPAA Privacy Rule, which “does not place limitations on the use or disclosure of de-identified information.”
[3] Per HHS, a Part 2 program’s Patient Notice would not contain a statement that patients can inspect or obtain copies of their Part 2 records; the Final Rule does not create a right of access for Part 2 records. A Part 2 program is not required to obtain a patient’s written consent before choosing to provide a patient with access to their own records. However, under the Final Rule, information obtained by patient access to their record cannot be used to criminally investigate the patient or initiate or substantiate any criminal charges against the patient.
[4] Both before and after the Final Rule, if a court order is obtained to authorize the use or disclosure of Part 2 patient information, such a court order merely authorizes (but does not compel) disclosure; it must be accompanied by a subpoena in order to compel disclosure.
[5] Subject to state law, HHS notes that a clinician might choose to voluntarily provide a patient with a copy of their SUD counseling notes (contrary to HIPAA, which does not provide patients with access to their psychotherapy notes).
[6] Under a separate rule, HHS plans to address the CARES Act’s anti-discrimination provisions regarding prohibited uses and disclosures of patients’ Part 2 records, such as regarding access to health care, employment, housing, courts, and federal/state/local government benefits.