HIPAA and Part 2 Harmonized: What Health Care Organizations Need to Know

Substance Use Disorder (SUD) programs and HIPAA-regulated entities seeking to streamline their privacy and security practices and workflows received welcome news from the U.S. Department of Health & Human Services (HHS) last week. HHS issued the highly anticipated final rule (the Part 2 Final Rule) to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 (Part 2). The Part 2 Final Rule implements provisions of the 2020 Coronavirus Aid, Relief, and Economic Security Act (CARES Act) and includes modifications that were proposed in the November 2022 Notice of Proposed Rulemaking, as well as additional modifications informed by the public comments.

The Part 2 Final Rule is scheduled to be published in the Federal Register on February 16, 2024. It will be effective 60 days following publication, and compliance is required 24 months following publication.

Part 2 Applicability

As a refresher, Part 2 serves to protect patient health records created or received by Part 2 programs. Part 2 programs are individuals, entities, or identified units in a general medical facility, that are federally assisted, and that holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment. A classic example of a Part 2 program would be an Opioid Treatment Program providing Medication Assisted Treatment for persons diagnosed with an opioid use disorder.

Patient Consent

The Part 2 Final Rule permits a Part 2 program to obtain and rely on a single consent from a patient for all future uses and disclosures of Part 2 records for treatment, payment, and health care operations (TPO) as permitted by the HIPAA regulations, until the patient revokes such consent in writing. Part 2 programs will want to update the patient workflow to capture this consent from patients, as it will permit the Part 2 program to use and disclose Part 2 information in a manner that is much less burdensome than what was required prior to this change.

The Part 2 Final Rule also permits HIPAA covered entities and business associates that receive records under this TPO consent to redisclose the records in accordance with the HIPAA regulations, except that the records cannot be redisclosed for use in legal proceedings against the patient without specific consent or a court order. This limitation balances permitting redisclosures for programs, covered entities, and business associates who are recipients of Part 2 records while retaining patient protections against use of the records in proceedings against the patient. Restrictions on the use or disclosure of patient records to initiate or substantiate criminal charges or investigations or civil proceedings against a patient is addressed throughout the Part 2 Final Rule.

A substantive change from the Notice of Proposed Rulemaking is that the Part 2 Final Rule requires that each disclosure made pursuant to patient consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent. This requirement will provide the recipients of records the information the recipient needs to understand the redisclosure permissions that may be available. This is in addition to the redisclosure notice that must accompany each disclosure made with the patient’s written consent (e.g., “42 CFR Part 2 prohibits unauthorized use or disclosure of these records.”).

Patient Notice

The Part 2 Final Rule more closely aligns Part 2’s patient notice requirements with the HIPAA Notice of Privacy Practices. Part 2 programs will need to update their patient notice to include the new required heading, amended uses and disclosures permitted under the Part 2 Final Rule, and patient rights available under the Part 2 Final Rule, among other requirements. HHS intends to finalize changes to the HIPAA Notice of Privacy Practices in a subsequent final rule modifying the HIPAA Privacy Rule. The requirements for providing the patient notice to patients is similar to the requirements under the HIPAA Privacy Rule.

Patient Rights

The Part 2 Final Rule provides patients with additional rights that closely align with the rights provided under the HIPAA Privacy Rule, including the right to (i) request restrictions of disclosures to a patient’s health plan for services the patient has paid for in full or disclosures made with prior consent for purposes of TPO, (ii) obtain an accounting of disclosures, including for TPO made through an electronic health record in the past 3 years, and (iii) elect not to receive fundraising communications. The enhanced patient rights will increase transparency about how a patient’s records are used and disclosed and provide patients with control over certain uses and disclosures.

Note that Part 2 does not have an expansive right for patients to access their own information like the HIPAA Privacy Rule. HHS confirms this in the commentary to the Part 2 Final Rule, stating “Under the existing (and final) rule, [P]art 2 programs are vested with discretion about providing patients with access to their records. Section 2.23 neither prohibits giving patients access nor requires it …” Part 2 programs that are also HIPAA regulated entities need to follow the HIPAA Privacy Rule’s access requirements.

Breach Notification

The Part 2 Final Rule applies HIPAA’s Breach Notification Rule to breaches of unsecured records by Part 2 programs and adopts the HIPAA definition of “breach” and “unsecured.” This means that a Part 2 program that experiences an acquisition, access, use, or disclosure of unsecured records in violation of Part 2 will need to assess if notification to affected individuals, HHS, and the media is required.

Substance Use Disorder Counseling Notes

The Part 2 Final Rule includes a definition of SUD counseling notes that closely follows the HIPAA definition of psychotherapy notes. SUD counseling notes means notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a SUD counseling session. Consistent with HIPAA’s definition of psychotherapy notes, the definition requires the notes be separated from the rest of the medical record and excludes medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Similar to the HIPAA Privacy Rule’s treatment of psychotherapy notes, disclosure of SUD counseling notes requires specific consent from the individual. Part 2 permits clinicians to exercise their discretion to provide patients with access to SUD counseling notes.

Segregation of Data

The Part 2 Final Rule removes language requiring segregation or segmentation of Part 2 records, with HHS expressly commenting that segregating or segmenting Part 2 records is not required by Part 2 programs, covered entities, and business associates that receive records based on a single consent for all future TPO. However, the records continue to be Part 2 records and need to be protected as required by Part 2, including ensuring the records are not used in proceedings against the patient.

Sancties

Violations of Part 2 will be subject to the same civil and criminal penalties as violations of HIPAA, including the imposition of civil money penalties in the four culpability tiers that are applied to HIPAA violations. Similarly, patients may file complaints with HHS for violations of Part 2.

Conclusie

Part 2 programs should begin reviewing their Part 2 compliance programs under the Part 2 Final Rule to determine where changes will need to be made. This will include updating policies and procedures, patient consents, and patient notices. In addition, Part 2 programs should use this as an opportunity to retrain their workforce on Part 2’s requirements for using and disclosing Part 2 records — and how it differs from HIPAA — given that the Part 2 Final Rule imposes breach notification obligations for violations.

Meer weten?

COVID-19: CARES Act Overhauls Federal Substance Use Disorder Privacy Law

HHS Proposes to Align Federal Substance Use Disorder Law with HIPAA If you have any questions on the applicability of Part 2 to your organization or implementing the Part 2 Final Rule, please contact any of the authors or any of the Partners or Senior Counsel in Foley’s Cybersecurity and Data Privacy Group or Health Care Practice Group.

Disclaimer

Deze blog wordt ter beschikking gesteld door Foley & Lardner LLP ("Foley" of "het kantoor") voor informatieve doeleinden. Het is niet bedoeld om het juridische standpunt van het kantoor namens een cliënt over te brengen, noch is het bedoeld om specifiek juridisch advies te geven. Eventuele meningen in dit artikel weerspiegelen niet noodzakelijkerwijs de standpunten van Foley & Lardner LLP, haar partners of haar cliënten. Handel daarom niet op basis van deze informatie zonder advies te vragen aan een bevoegde advocaat. Deze blog is niet bedoeld om een advocaat-cliënt relatie te creëren en de ontvangst ervan vormt geen advocaat-cliënt relatie. Communicatie met Foley via deze website per e-mail, blogbericht of anderszins creëert geen advocaat-cliënt relatie voor welke juridische kwestie dan ook. Daarom wordt communicatie of materiaal dat u via deze blog naar Foley verzendt, hetzij via e-mail, blogpost of op een andere manier, niet behandeld als vertrouwelijk of als eigendom. De informatie op deze blog wordt gepubliceerd "AS IS" en is niet gegarandeerd volledig, nauwkeurig en/of up-to-date. Foley geeft geen verklaringen of garanties van welke aard dan ook, expliciet of impliciet, met betrekking tot de werking of inhoud van de site. Foley wijst uitdrukkelijk alle andere garanties, waarborgen, voorwaarden en verklaringen van welke aard dan ook af, hetzij uitdrukkelijk of impliciet, hetzij voortvloeiend uit een wet, wet, commercieel gebruik of anderszins, met inbegrip van impliciete garanties van verkoopbaarheid, geschiktheid voor een bepaald doel, titel en niet-inbreuk. In geen geval zal Foley of een van haar partners, functionarissen, werknemers, agenten of filialen aansprakelijk zijn, direct of indirect, onder welke rechtsleer dan ook (contract, onrechtmatige daad, nalatigheid of anderszins), jegens u of iemand anders, voor claims, verliezen of schade, direct, indirect speciaal, incidenteel, bestraffend of gevolgschade, voortvloeiend uit of veroorzaakt door de creatie, het gebruik van of het vertrouwen op deze site (inclusief informatie en andere inhoud) of websites van derden of de informatie, middelen of het materiaal waartoe toegang wordt verkregen via dergelijke websites. In sommige rechtsgebieden kan de inhoud van deze blog worden beschouwd als advocaatreclame. Houd er, indien van toepassing, rekening mee dat eerdere resultaten geen garantie bieden voor een vergelijkbaar resultaat. Foto's zijn alleen voor dramaturgische doeleinden en kunnen modellen bevatten. Afbeeldingen impliceren niet noodzakelijkerwijs een huidige status als cliënt, partner of werknemer.

[email protected]

Madison 608.250.7420

Een man in een donker pak en een rode stropdas staat glimlachend in een felverlichte, moderne hal van een advocatenkantoor, die de professionaliteit van topadvocaten in Chicago weerspiegelt.

[email protected]

Tampa 813.225.4129

Verwante inzichten

Bekijk alle berichten

December 12, 2025 Health Care Law Today

Eleventh Circuit Hears Oral Argument in Landmark Constitutional Challenge to False Claims Act’s Qui Tam Provisions

On December 12, the U.S. Court of Appeals for the Eleventh Circuit heard oral argument in U.S. ex rel. Zafirov v. Florida Medical…

9 december 2025 De huidige gezondheidszorgwetgeving

Hoe het opvolgen van 'doktersvoorschriften' een verdediging vormde in een FCA-zaak in het Eerste Circuit

Als het gaat om rechtszaken op grond van de False Claims Act (FCA), bevinden klinische laboratoria zich vaak in het vizier. Maar de eerste...

2 december 2025 De huidige gezondheidszorgwetgeving

Gebruik van digitale gezondheidstechnologieën in klinische proeven: ondersteuning van MAHA en gedefinieerde verwachtingen uit de definitieve richtlijnen van de FDA

Digitale gezondheidstechnologieën (DHT) zijn een belangrijk aspect van het programma Make America... van Robert F. Kennedy Jr., minister van Volksgezondheid en Human Services (HHS) van de Verenigde Staten.