HHS Proposes to Align Federal Substance Use Disorder Law with HIPAA

Proposed changes to the federal substance use disorder law will increase provider efficiency and alignment with the Health Insurance Portability and Accountability Act (HIPAA). In a move that seeks to decrease administrative burdens on patients and providers while beefing up enforcement capabilities, the Department of Health and Human Services (HHS) issued its long awaited Notice of Proposed Rulemaking (Proposed Rule) for the proposed changes to 42 C.F.R. Part 2 (Part 2), the regulation governing the confidentiality of substance use disorder patient records. The changes have been expected since 2020 when Congress directed HHS to amend Part 2 in the CARES Act. The Proposed Rule’s impact will be a net positive for substance use disorder providers already required to comply with HIPAA. However, cash-pay providers required to comply with Part 2 but not regulated by HIPAA will be required to comply with HIPAA’s Privacy Rule and Breach Notification Rule.

“HHS understands how critical it is for patients to better align the Part 2 rules and program with HIPAA. This proposed rule helps decrease burdens on patients and providers, improves coordination and increases access to care and treatment, while protecting confidentiality of treatment records.” - OCR Director Melanie Fontes Rainer (Nov. 28, 2022)

Here are six key takeaways from the Proposed Rule.

Single patient consent for all treatment, payment, and operations disclosures. The most anticipated change to Part 2 is the easing of the ability to share Part 2 records for purposes of treatment, payment, and health care operations (TPO). Part 2 programs will be able to obtain a single consent from a patient that permits disclosure for all future TPO uses and disclosures. The proposed rule will allow patients flexibility when identifying recipients. For example, it will be permissible to list categories of recipients on the consent, such as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement. Once the consent, which will look similar to a HIPAA authorization, is obtained, Part 2 programs, covered entities, and business associates that receive Part 2 records pursuant to a written consent for TPO purposes may redisclose the records in any manner permitted by the HIPAA Privacy Rule, except for certain proceedings against the patient.
Part 2 violations will be subject to the HIPAA Breach Notification Rule. The proposed rule would add breach notification requirements to Part 2 through a cross-reference to the HIPAA Breach Notification Rule. This change would require Part 2 programs to notify HHS, affected patients, and in some cases the media, of a breach of unsecured Part 2 records in accordance with the HIPAA Breach Notification Rule. While the majority of Part 2 programs are also covered entities that will already be familiar with these requirements, any Part 2 programs not currently subject to HIPAA will need to develop a robust privacy compliance program and train their workforce to identify disclosures that may trigger a breach notification requirement.
Self-pay patients have the right to restrict disclosures to health plans. Similar to HIPAA, the proposed rule would require Part 2 programs to permit patients to request restrictions on the use or disclosure of Part 2 information to carry out TPO. This includes instances when the patient has signed a written consent for the disclosures. Part 2 programs are not required to agree to these restrictions, except in the event the patient has requested to restrict disclosure of records to a health plan for payment or health care operations purposes where the record pertains solely to a health care item or service for which the patient or someone on the patient’s behalf, other than the health plan, has paid the Part 2 program in full.
Part 2’s Patient Notice requirements are aligned with HIPAA’s Notice of Privacy Practices. The proposed rule would ensure that patients of Part 2 programs are afforded the same level of notice and transparency as is provided to individuals through HIPAA’s Notice of Privacy Practices (NPP). Currently, Part 2 programs are required to provide a written “summary” of Part 2’s restrictions to patients, but Part 2 does not require such programs to provide a comprehensive NPP to patients. Under the proposed rule, the Part 2 patient notice (Patient Notice) would address the same key elements as the HIPAA NPP, including a description of the permitted uses and disclosures of Part 2 records (and when separate consent is required). The Patient Notice would also need to inform patients of the complaint process and the patient’s right to revoke their consent for the Part 2 program to disclose records in certain circumstances.
Notably, the proposed rule would modify both Part 2’s Patient Notice requirements and HIPAA’s NPP requirements. Certain covered entities that are not Part 2 programs but receive and maintain Part 2 records (and are thus subject to Part 2 requirements for those records) would need to add a provision to their NPP that references the restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual. Current NPP requirements would continue to apply, without change, to covered entities that do not maintain or receive Part 2 records.
New Part 2 accounting of disclosures requirements tolled until the issuance of the long-awaited HIPAA final rule on accountings. HHS proposes to incorporate HIPAA’s accounting requirements into Part 2. The proposed rule would also incorporate the requirements in the HITECH Act that disclosures for TPO purposes be included in the accounting only where such disclosures are made through an electronic health record. The compliance date for the Part 2 accounting requirement would be tolled until the effective date of a (long awaited) final rule on the HIPAA accounting of disclosures standard.
HHS will have the authority to enforce Part 2 through civil penalties. The CARES Act replaced the previous criminal enforcement authority for violations of Part 2 with a reference to the statutory penalties that apply to HIPAA violations. The proposed rule would update the Part 2 regulations to reflect this change, creating for the first time a civil enforcement authority that may be exercised by HHS in addition to the Department of Justice’s longstanding criminal enforcement authority. The Proposed Rule notes that there have been no criminal actions undertaken to enforce Part 2. Given that HHS has significant experience investigating and enforcing HIPAA violations through civil penalties, we would expect to see HHS take a similar approach with regard to Part 2.

Make Your Voice Heard

Public comments on the Proposed Rule are due 60 days after publication of the Proposed Rule in the Federal Register, which is expected on December 2, 2022. Note that the current Part 2 rules remain in effect while HHS undertakes this rulemaking process.

Want to Learn More?

For more information on the Proposed Rule, Part 2, or legal considerations related to telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other health innovations, contact Foley’s Telemedicine & Digital Health, Cybersecurity & Data Privacy, or Health Care Practice Group.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.