January 9, 2023

HHS Proposes New Rule to Align “Part 2” SUD Provider Confidentiality with HIPAA Privacy Standards

    Manatt Health Solutions / Manatt on Health

On November 28, the Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), released a proposed rule that seeks to better align the Confidentiality of Substance Use Disorder Patient Records regulations under 42 CFR part 2 (Part 2) with the regulatory requirements under the Health Insurance Portability and Accountability Act (HIPAA). 

Part 2 currently imposes different requirements for substance use disorder (SUD) treatment records protected by Part 2 than HIPAA does. OCR and SAMHSA indicate that the changes are intended to improve care coordination for patients seeking or undergoing SUD treatment, ease patient privacy concerns, and break down barriers to information sharing by easing compliance complexities and providing patients with additional rights. (For more, see the agencies’ fact sheet on Part 2 rulemaking.)

If the rule is finalized, entities subject to it will have until 22 months after the rule’s effective date to comply. Public comments on the proposed rule are due January 31.

Consent Requirements

Consistent with Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted in 2020, the proposed rule leaves in place the requirement that Part 2 programs (federally-assisted providers that hold themselves out as providing SUD services) generally must obtain patient consent prior to disclosing Part 2 information for purposes of treatment, payment, and health care operations. However, the rule proposes substantial changes to both how such consent should be obtained and how information can be shared once consent is obtained.

Under the proposed rule, a person who obtains a patient’s consent for the disclosure of that patient’s Part 2 data will have more flexibility regarding how potential recipients of that data are described on the form. If the information is to be disclosed directly to other organizations, then the form is not required to have all potential recipients named but instead may contain a description of a class of persons who may receive the information. For example, a patient could authorize disclosure of the patient’s information to “my treating providers, health plans, third-party payers, and people helping to operate this program.” If instead the information is to be disclosed through an intermediary—such as a health information exchange, an accountable care organization, or an electronic health record system—then the general designation of recipients may apply only to organizations that have a “treating provider relationship” with the patient, and the form must include the name of the intermediary. The proposed rule requires other changes to consent forms intended to make such forms more consistent with HIPAA requirements.

The proposed rule would also provide more flexibility as to how Part 2 information could be shared once patient consent is obtained. Following Section 3221 of the CARES Act, the rule indicates that if the recipient is a HIPAA covered entity, a business associate, or another Part 2 program, such recipient may redisclose the information so long as such redisclosure complies with HIPAA and the information was not shared for use in a civil, criminal, administrative, or legislative proceeding against the patient. If the recipient was neither a HIPAA covered entity nor a business associate or Part 2 program, then the recipient could redisclose the information so long as the redisclosure was consistent with the terms of the consent. In addition, any other lawful recipient of Part 2 data may redisclose Part 2 data for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the patient’s consent. OCR and SAMHSA state that the “expanded ability to use and disclose Part 2 records would facilitate greater integration of SUD treatment information with other protected health information (PHI).”

Other Substantive Changes

The rule proposes to amend and revise several Part 2 requirements and standards to further align with HIPAA requirements and standards in many cases. While Part 2 programs typically are already subject to HIPAA, the alignment of standards is intended to reduce duplicative requirements and to subject Part 2 programs to HIPAA-like requirements in the rare case where such programs are not subject to HIPAA. Nevertheless, in some cases the Part 2 rules continue to impose requirements that exceed those under HIPAA.

The following represents some of the most critical changes to Part 2:

• Accounting of Disclosures. The proposed rule would require Part 2 programs to provide their patients with an accounting of disclosures in certain cases where such accounting is not required under current HIPAA rules. Presently under HIPAA, a covered entity is not required to provide an accounting of disclosures that were made for purposes of treatment, payment, or health care operations, nor is it required to account for disclosures that occurred with an authorization. In contrast, the proposed rule would require Part 2 programs to provide an accounting of all disclosures made with patient consent in the prior six years, although this obligation would extend to disclosures for treatment, payment, and health care operations purposes only if such disclosures were made through an electronic health record in the three-year period prior to the request for disclosures. The proposed rule, however, also states that the changes would only take effect once parallel changes are made to the HIPAA regulation.
• Right to Request Restrictions. The proposed rule would give patients the right to request restrictions on disclosures of Part 2 records otherwise permitted for treatment, payment, or health care operations purposes, and Part 2 programs would be subject to the same obligations as covered entities under HIPAA with respect to such requests.
• Breach Notification. Part 2 programs would be subject to the same breach notification requirements that are set forth in the HIPAA breach notification rule.
• Complaints Process. Similar to the complaint process established by OCR for HIPAA violations, Part 2 programs would be required to have a process to receive complaints. As under HIPAA, entities would not be permitted to take adverse action against patients who file complaints and would be prohibited from requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility services.
• Notice Requirements. Part 2 confidentiality notice requirements would be aligned with the HIPAA Notice of Privacy Practices requirements, meaning that Part 2 programs that are not currently subject to HIPAA would have to provide privacy notices to patients that are similar to the notices issued by HIPAA covered entities. Notably, the proposed rule would also revise notice requirements for covered entities that are not subject to Part 2 but receive or maintain Part 2 records. These covered entities would be required to include a provision in their notices that indicates that any Part 2 records they receive would be subject to the more stringent Part 2 rules.
• Public Health Disclosures, Research Disclosures, and De-identification Standards. Individuals and/or entities subject to Part 2 may disclose Part 2 records without patient consent to public health authorities provided that such records are de-identified in accordance with the HIPAA de-identification standards. The proposed rule clarifies that the rule “should not be construed as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a).” Similarly, any person conducting scientific research using Part 2 information could report results in aggregate form if patient identifying information is de-identified in accordance with the HIPAA de-identification standard.
• Security Requirements. The proposed rule would continue to impose security requirements that do not mirror HIPAA standards. However, OCR and SAMHSA seek comment on whether they “should modify Part 2 to apply the same or similar safeguards requirements to electronic Part 2 records as the Security Rule applies to electronic PHI (ePHI) or whether other safeguards should be applied to electronic Part 2 records.”

The proposed rule also increases HHS enforcement capabilities in several ways:

• Part 2 Violations. Following Section 3221 of the CARES Act, the proposed rule applies civil and criminal penalties applicable under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act to Part 2 violations.
• Secretary of HHS. If necessary for the enforcement of Part 2, the Secretary may compel disclosure of Part 2 information.
• Limitation of Civil or Criminal Liability. Under the proposed rule, a person who is acting on behalf of an investigative agency having jurisdiction over the activities of a Part 2 program (or other person holding Part 2 records) is not subject to civil or criminal liability under 42 U.S.C. § 290dd-2(f) for violating Part 2 in the course of investigating or prosecuting a Part 2 program (or other person holding the record) provided certain conditions are met. In particular, such person must have acted with reasonable diligence to determine whether the records in question were subject to Part 2.

In addition, the rule proposes many technical changes to align language under Part 2 more closely to the language used under HIPAA. For example, the common HIPAA phrase “use and disclosure” would be frequently added to the text of Part 2.

The proposed rule does not speak to the nondiscrimination requirements in Section 3221 of the CARES Act, which will be addressed in separate rulemaking.