HHS and SAMHSA Propose Update to Better Align Part 2 Regulations with HIPAA

An update to the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records has been proposed by the Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) to align Part 2 more closely with HIPAA.

Part 2 covers SUD patient records, while the HIPAA Rules cover protected health information, and Part 2 sets different requirements for SUD records than HIPAA does. Part 2 also applies to different entities than HIPAA, but HIPAA-covered entities and business associates may be required to comply with both sets of regulations, which can create compliance challenges.

Currently, under Part 2, a patient’s SUD diagnosis and treatment are only known to the healthcare program responsible for the patient’s healthcare. This can be a problem if a patient receives care from different providers, as it becomes difficult to coordinate care. The different requirements for SUD records mean treatment providers often do not have access to complete patient data when making decisions about patients. For example, due to the Part 2 restrictions, doctors may not be aware that a patient has SUD and may therefore prescribe opioid medications.

The purpose of Part 2 was to increase protections for SUD patients to better protect their privacy. This was and still is important, as a patient’s concern about privacy could be a barrier to treatment. Patients may fear criminal prosecution, social stigma, and discrimination for seeking treatment if their SUD diagnosis and treatment information are disclosed, which could prevent them from getting life-saving care. While closer alignment with HIPAA benefits healthcare organizations and patient safety, it is vital that patient privacy is protected.

Section 3221 of the 2020 CARES Act called for the HHS to better align Part 2 with HIPAA while continuing to ensure patient privacy. The aim of the update, published on December 2, 2022, in the Federal Register, is to improve care coordination, break down the existing barriers to information sharing, and ease patient privacy concerns. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” said HHS Secretary Xavier Becerra. The update will decrease the burdens on patients and providers and increase access to care and treatment while continuing to ensure the confidentiality of treatment records.

The proposed update changes the current consent requirements to require patients to provide a single consent for the use and disclosure of their SUD records, with that consent covering all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations. Redisclosure of the records will also be permitted in any manner permitted by the HIPAA Privacy Rule, with certain exceptions applying.


Patients will be given new rights over their Part 2 records. They may request an accounting of disclosures of those records to discover to whom they have been disclosed, and they may also request restrictions on disclosures of their Part 2-covered records for payment, treatment, and healthcare operations. There is also an expansion of prohibitions on the use and disclosure of Part 2 records in civil, criminal, and legislative proceedings.

The HIPAA Privacy Rule requirements for Notices of Privacy Practices have been updated to address the uses and disclosures of Part 2 records. The HHS will be given new enforcement authority and will be able to impose civil monetary penalties for violations of Part 2. The breach notification requirements to the HHS and affected patients have also been updated to cover Part 2 records.

The Notice of Proposed Rulemaking is open to comment for 60 days from the date of publication in the Federal Register.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/