Substance Use Disorder (SUD) programs and HIPAA-regulated entities seeking to streamline their privacy and security practices and workflows received welcome news from the U.S. Department of Health & Human Services (HHS) last week. HHS issued the highly anticipated final rule (the Part 2 Final Rule) to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 (Part 2). The Part 2 Final Rule implements provisions of the 2020 Coronavirus Aid, Relief, and Economic Security Act (CARES Act) and includes modifications that were proposed in the November 2022 Notice of Proposed Rulemaking, as well as additional modifications informed by the public comments.
The Part 2 Final Rule is scheduled to be published in the Federal Register on February 16, 2024. It will be effective 60 days following publication, and compliance is required 24 months following publication.
Part 2 Applicability
As a refresher, Part 2 serves to protect patient health records created or received by Part 2 programs. Part 2 programs are individuals, entities, or identified units in a general medical facility that are federally assisted and that hold themselves out as providing, and provide, SUD diagnosis, treatment, or referral for treatment. A classic example of a Part 2 program would be an Opioid Treatment Program providing Medication Assisted Treatment for persons diagnosed with an opioid use disorder.
The Part 2 Final Rule permits a Part 2 program to obtain and rely on a single consent from a patient for all future uses and disclosures of Part 2 records for treatment, payment, and health care operations (TPO) as permitted by the HIPAA regulations, until the patient revokes such consent in writing. Part 2 programs will want to update the patient workflow to capture this consent from patients, as it will permit the Part 2 program to use and disclose Part 2 information in a manner that is much less burdensome than what was required prior to this change.
The Part 2 Final Rule also permits HIPAA covered entities and business associates that receive records under this TPO consent to redisclose the records in accordance with the HIPAA regulations, except that the records cannot be redisclosed for use in legal proceedings against the patient without specific consent or a court order. This limitation balances permitting redisclosures for programs, covered entities, and business associates who are recipients of Part 2 records while retaining patient protections against use of the records in proceedings against the patient. Restrictions on the use or disclosure of patient records to initiate or substantiate criminal charges or investigations or civil proceedings against a patient are addressed throughout the Part 2 Final Rule.
A substantive change from the Notice of Proposed Rulemaking is that the Part 2 Final Rule requires that each disclosure made pursuant to patient consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent. This requirement will provide recipients of records with the information they need to understand the redisclosure permissions that may be available. This is in addition to the redisclosure notice that must accompany each disclosure made with the patient’s written consent (e.g., “42 CFR Part 2 prohibits unauthorized use or disclosure of these records.”).
The Part 2 Final Rule more closely aligns Part 2’s patient notice requirements with the HIPAA Notice of Privacy Practices. Part 2 programs will need to update their patient notice to include the new required heading, amended uses and disclosures permitted under the Part 2 Final Rule, and patient rights available under the Part 2 Final Rule, among other requirements. HHS intends to finalize changes to the HIPAA Notice of Privacy Practices in a subsequent final rule modifying the HIPAA Privacy Rule. The requirements for providing the patient notice to patients are similar to the requirements under the HIPAA Privacy Rule.
The Part 2 Final Rule provides patients with additional rights that closely align with the rights provided under the HIPAA Privacy Rule, including the right to (i) request restrictions of disclosures to a patient’s health plan for services the patient has paid for in full or disclosures made with prior consent for purposes of TPO, (ii) obtain an accounting of disclosures, including for TPO made through an electronic health record in the past 3 years, and (iii) elect not to receive fundraising communications. The enhanced patient rights will increase transparency about how a patient’s records are used and disclosed and provide patients with control over certain uses and disclosures.
Note that Part 2 does not have an expansive right for patients to access their own information like the HIPAA Privacy Rule. HHS confirms this in the commentary to the Part 2 Final Rule, stating “Under the existing (and final) rule, [P]art 2 programs are vested with discretion about providing patients with access to their records. Section 2.23 neither prohibits giving patients access nor requires it …” Part 2 programs that are also HIPAA regulated entities need to follow the HIPAA Privacy Rule’s access requirements.
The Part 2 Final Rule applies HIPAA’s Breach Notification Rule to breaches of unsecured records by Part 2 programs and adopts the HIPAA definition of “breach” and “unsecured.” This means that a Part 2 program that experiences an acquisition, access, use, or disclosure of unsecured records in violation of Part 2 will need to assess if notification to affected individuals, HHS, and the media is required.
Substance Use Disorder Counseling Notes
The Part 2 Final Rule includes a definition of SUD counseling notes that closely follows the HIPAA definition of psychotherapy notes. SUD counseling notes means notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a SUD counseling session. Consistent with HIPAA’s definition of psychotherapy notes, the definition requires the notes be separated from the rest of the medical record and excludes medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Similar to the HIPAA Privacy Rule’s treatment of psychotherapy notes, disclosure of SUD counseling notes requires specific consent from the individual. Part 2 permits clinicians to exercise their discretion to provide patients with access to SUD counseling notes.
Segregation of Data
The Part 2 Final Rule removes language requiring segregation or segmentation of Part 2 records, with HHS expressly commenting that segregating or segmenting Part 2 records is not required by Part 2 programs, covered entities, and business associates that receive records based on a single consent for all future TPO. However, the records continue to be Part 2 records and need to be protected as required by Part 2, including ensuring the records are not used in proceedings against the patient.
Violations of Part 2 will be subject to the same civil and criminal penalties as violations of HIPAA, including the imposition of civil money penalties in the four culpability tiers that are applied to HIPAA violations. Similarly, patients may file complaints with HHS for violations of Part 2.
Part 2 programs should begin reviewing their Part 2 compliance programs under the Part 2 Final Rule to determine where changes will need to be made. This will include updating policies and procedures, patient consents, and patient notices. In addition, Part 2 programs should use this as an opportunity to retrain their workforce on Part 2’s requirements for using and disclosing Part 2 records — and how it differs from HIPAA — given that the Part 2 Final Rule imposes breach notification obligations for violations.
Want To Learn More?
If you have any questions on the applicability of Part 2 to your organization or implementing the Part 2 Final Rule, please contact any of the authors or any of the Partners or Senior Counsel in Foley’s Cybersecurity and Data Privacy Group or Health Care Practice Group.