Federal Agency Proposes New Disclosure and Enforcement Rules for Substance Use Disorder Records
February 21, 2023
By: Neil C. Brown and Alaina N. Crislip
SAMSHA’S Recent Proposed Changes to 42 C.F.R Part 2
The U.S. Health and Human Services Department (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA) on November 28, 2022, announced significant proposed changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records Rule under 42 C.F.R. Part 2 (“Part 2”).[1]
Background on Part 2
Part 2 is a federal privacy law that protects patient records against unauthorized disclosure of substance use disorder treatment information.[2] It is distinct from, and generally more stringent than, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Part 2 provides protections against the disclosure of records containing SUD data. SUD is a “cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal.”[3] Part 2 privacy protections extend to SUD data created, received, or acquired by federally-assisted entities that meet certain criteria, including those holding themselves out as providing SUD treatment.[4] As such, these entities generally cannot disclose SUD data without receiving patient consent, unless certain exceptions are met.[5]
Context for the New Proposed Rule: Past Compliance Problems
Part 2 currently contains different requirements for SUD data than the HIPAA Privacy Rule (“Privacy Rule”).[6] For example, entities subject to Part 2 must obtain specific written patient consent for uses and disclosures of SUD data in certain instances that do not require written consent under HIPAA. There are also important distinctions between the two rules that deal with redisclosing patient records.[7] These differences sometimes create challenges for regulated entities because they may create separate compliance obligations.[8]
New Proposed Rule Attempts to Better Harmonize Part 2 and HIPAA
In an attempt to harmonize certain aspects of the Privacy Rule and Part 2, HHS is proposing several important changes. Some of the key proposed changes are listed below:
- A patient could give consent once for all future uses and disclosures for treatment, payment and healthcare operations (commonly referred to as “TPO”).[9]
- Part 2 record recipients who received the records as a covered entity, business associate, or a recipient for TPO based on a patient’s consent could redisclose those records as permitted by the Privacy Rule (with certain exceptions).[10]
- Patients would have the right to obtain an accounting of disclosures and the right to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.[11]
- The changes would expand prohibitions on using and disclosing Part 2 records in civil, criminal, administrative, and legislative proceedings.[12]
- HHS is proposing new enforcement authority, including imposing on Part 2 violators the civil and criminal penalties of sections 1176 and 1177 of the Social Security Act.[13]
- HHS would align Part 2 notification requirements with the HIPAA Privacy Rule and the HIPAA Breach Notification Rule (45 C.F.R. parts 160 and 164, subparts A and D).[14] In the event of a breach, Part 2 programs would have to undertake actions consistent with the Breach Notification Rule, such as notifying HHS, affected patients, and in some cases, the media.[15]
- Part 2 would align more closely with the HIPAA Privacy Rule’s Notice of Patient Privacy requirements to ensure that Part 2 patients not covered by HIPAA receive the same notice and transparency as the Privacy Rule provides.[16]
What to Expect Going Forward
While a significant purpose of the proposed rule attempts to harmonize HIPAA and Part 2, some disconnects are still present. For example, it appears that the proposed rule requires certain “intermediaries” (such as Health Information Exchanges (HIEs), research institutions that are providing treatment, accountable care organizations, or care management organizations) to meet requirements that are more stringent than HIPAA.[17]
We are closely monitoring further developments with respect to the proposed rule, and will provide updates when they become available. In the meantime, Jackson Kelly attorneys are ready to serve as trusted advisors to help apprise you of this developing area of the law, and to help you meet all your health care compliance goals.
[1] HHS Proposes New Protections to Increase Care Coordination and Confidentiality for Patients with Substance Use Challenges, SAMSHA (Nov. 28, 2022), https://www.samhsa.gov/newsroom/press-announcements/20221128/hhs-increase-care-coordination-confidentiality-patients-substance-use-challenges (last visited Jan. 6, 2023).
[2] See 42 C.F.R. § 2.11 et. seq.
[3] Id.
[4] Id.
[5] See id.
[6] See HHS Proposes New Protections, supra note 1.
[7] See id. at 74217.
[8] HHS Proposes New Protections, supra note 1.
[9] Confidentiality of Substance Use Disorder (SUD) Patient Records, 87 Fed. Reg. at 74241.
[10] Id. at 74242.
[11] See id. at 74248.
[12] See id. at 74232.
[13] See id. at 74228.
[14] See id. at 74223.
[15] Id.
[16] Id. at 74235.
[17] Id at 74280 (Requirements for intermediaries).