HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

By: Kathie McDonald-McClure

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Section 3221 of the CARES Act of 2020, enacted by Congress on March 27, 2020, in response to the COVID-19 pandemic, in effect amended Title 42, Part 2, to align it with HIPAA, but it also required HHS to implement these amendments in the Part 2 regulation through the rule-making process. In sum, the 260-page Proposed Rule would incorporate requirements and definitions from the HIPAA rules into the 40-year-old Part 2 regulation, including HIPAA’s consent, disclosure, de-identification, unsecured PHI and breach notification requirements, as well as HIPAA penalties for noncompliance.

Part 2 Compliance Challenges. For years, providers who are subject to both HIPAA and Part 2’s separate privacy requirements for SUD records have had to grapple with identifying and segregating SUD records that are subject to Part 2 from records that are subject only to HIPAA. In the Proposed Rule, HHS acknowledges that this has contributed to ongoing operational and compliance challenges for providers. HHS notes several examples of this challenge, including the following:  

For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule’s limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the re-disclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations. (Proposed Rule, pp. 19-20.)

SUD Treatment De-Stigmatization & Coordination. HHS additionally notes that the continued segregation of Part 2 Program SUD records sets these records apart in ways that perpetuate the stigma surrounding a person with SUDs.

Prior to passage of the CARES Act, Congressional hearings on the Opioid Crisis had already highlighted the need for HHS to promulgate regulations modifying the confidentiality requirements for Part 2 records to align with HIPAA. Testimony before Congress was that SUD records were being withheld in ways that inhibit care coordination between providers of a person’s mental health and physical health, conditions that are inextricably linked. In the HHS Announcement of the Proposed Rule, Secretary Becerra says, “This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure.” 

Summary of Changes. Some of the most significant changes would include:

  • Permitting providers to use and disclose SUD records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations.  Likewise, permitting providers to re-disclose SUD records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions.
  • Aligning the Part 2 consent content requirements with HIPAA’s consent content requirements.
  • Giving Part 2 patients a right to obtain an accounting of disclosures and a right to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Adding or updating definitions, including:
    • Incorporating HIPAA’s definitions for Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use;
    • Clarifying Part 2’s language regarding determining lack of capacity of patients, including minors, to make healthcare decisions; and
    • Adding definitions for clarity within the context of Part 2 SUD treatment, such as Part 2 program director, Patient, Program, Records, and more.
  • Giving HHS enforcement authority by incorporating HIPAA’s civil money penalties for privacy violations regarding Part 2 SUD records.
  • Expanding prohibitions on the use and disclosure of SUD records in civil, criminal, administrative, and legislative proceedings.
  • Making HIPAA’s breach notification requirements applicable to Part 2 SUD records.
  • Applying the HIPAA Privacy Rule de-identification standard to SUD records, including in human research and public health authority reporting.
  • Updating the Notice of Privacy Practices (NPP) requirements to require both HIPAA covered entities and Part 2 Programs to provide notice to individuals regarding privacy practices related to Part 2 records, including patients’ rights and uses and disclosures that are permitted or required without authorization.

Public Comment Period. The public will have a 60-day period to submit comments to the Proposed Rule from the date of publication in the Federal Register, December 2, 2022. Accordingly, the public comment period will close on February 2, 2022.

Kathie McDonald-McClure

Kathie McDonald-McClure leads the Firm’s Data Privacy & Cyber Security practice and is a member of the Health Care Service Team. Her longtime passion for and attention to technology-related matters has given her a leg-up in assisting clients with regard to data privacy and cyber security. She regularly advises businesses and business managers on compliance with HIPAA, FERPA, GLBA, GDPR, and state data privacy and breach reporting laws.