The U.S. Department of Health and Human Services, through the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), has released a final rule that implements modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2. (Part 2). The modifications were first proposed in December 2022 as part of a requirement of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to better align the Part 2 regulations with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The Notice of Proposed Rulemaking (NPRM) was followed by a comment period, and many comments were received on the proposed changes from SUD advocacy groups, trade and professional associations, behavioral and other health providers, health information technology vendors, health information exchanges, and others. Those comments were carefully considered, and appropriate modifications were made ahead of the publication of the proposed rule.
The Final Rule is due to be published in the Federal Register on February 16, 2024, after which the HHS will continue its outreach efforts and will offer guidance on how to comply with the updated requirements, with compliance mandatory within 2 years of the date of publication in the Federal Register. The HHS will be making changes to the Notice of Privacy Practices to HIPAA to address the use and disclosure of information that is also protected under Part 2 in the upcoming Final Rule that implements changes to the HIPAA Privacy Rule, and there will be separate rulemaking for the CARES Act antidiscrimination provisions that prohibit the use of patients’ Part 2 records against them.
“The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.
Announcing the final rule, the HHS stressed that what will not be changing is that patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written patient consent or a court order, which has always been the case. “Records obtained in an audit or evaluation of a Part 2 program cannot be used to investigate or prosecute patients, absent written consent of the patients or a court order that meets Part 2 requirements,” explained the HHS.
“One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “The Final Rule supports access to care and treatment and mitigates the discrimination and stigmatization that we know too often people with SUD experience while continuing to apply stringent privacy protections.”
Most of the modifications proposed in the NPRM are unchanged, some of the most important of which are:
- Allowing a single consent for all future uses and disclosures for treatment, payment, and health care operations.
- Allowing redisclosure of Part 2 records by HIPAA-covered entities and business associates for which consent has been given, provided the disclosures are in accordance with the HIPAA regulations.
- Permitting disclosures of records to public health authorities without consent if the records have been deidentified in accordance with HIPAA Privacy Rule standards.
- Restricting the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
- Aligning Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
- Requiring breach notifications consistent with the requirements of the HIPAA Breach Notification Rule.
- Creation of a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
- Penalties for Part 2 violations will be the same as those that apply to HIPAA violations and the HHS will be given enforcement authority.
After consideration of the comments, changes were made to the proposed modifications in several areas.
- Clarification and strengthening of the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor. Namely, before submitting a request for records, an investigative agency must search for the provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
- The addition of a new right for patients, that allows them to file a complaint directly with the Secretary for an alleged Part 2 violation.
- Inclusion of a statement confirming Part 2 records do not need to be segregated.
- Inclusion of a new right for patients to be able to opt out of fundraising communications.
- The creation of a new definition for SUD clinician notes analyzing conversations in SUD counseling sessions that are maintained voluntarily by the clinician. These notes are not covered by general patient consent and require separate consent from a patient before disclosure.
- Prohibiting the combination of patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
- The requirement for each disclosure made with patient consent to include a copy of the consent or a clear explanation of the scope of the consent.