Long before enactment of HIPAA, substance use disorder (“SUD”) treatment records have enjoyed confidentiality protections under 42 C.F.R. Part 2 (“Part 2”). Since HIPAA/HITECH and related regulations went into effect, SUD treatment providers that are subject to Part 2 (“Part 2 programs”) have struggled to make sense of the inconsistencies between Part 2 and HIPAA. For example, Part 2 programs cannot rely on HIPAA’s treatment, payment or health care operations exception to the authorization requirement because Part 2 is more restrictive than HIPAA and only permits disclosure of Part 2 records without a consent under limited circumstances. These types of inconsistencies, historically, have created numerous operational burdens for Part 2 programs and impeded care coordination.
Part 2 plays an important role in helping to address concerns that discrimination and fear of prosecution would deter individuals from seeking SUD treatment. It has been challenging for regulators to balance the heightened need for confidentiality of SUD treatment records with the need for sufficient operational flexibility to allow for effective care coordination and treatment.
HHS issued a Notice of Proposed Rulemaking (“NPRM”) proposing rules that implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. § 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Public comments on the NPRM were due by January 31, 2023. HHS is proposing to give providers 24 months to comply with the changes after the publication of the final rule, but it has welcomed comments on whether that compliance period is sufficient.[i]
While Part 2 programs will likely continue to push for greater alignment with HIPAA, the NPRM takes a step in the right direction by allowing Part 2 programs to obtain a single consent to use and disclose Part 2 records for treatment, payment or health care operations purposes, and permitting Part 2 programs to rely on such consent for all future uses and disclosures for treatment, payment or health care operations purposes, until the patient revokes the consent in writing.
Subject to limitations for disclosures in connection with certain legal proceedings under Part 2, the NPRM also relaxes restrictions on redisclosure of Part 2 records by (1) permitting a Part 2 program, covered entity or business associate that receives Part 2 records pursuant to a written consent authorizing disclosure for treatment, payment or health care operations purposes to redisclose the Part 2 records in any manner permitted by the HIPAA Privacy Rule; and (2) allowing a lawful holder that is not a covered entity, business associate or Part 2 program to redisclose Part 2 records for payment and health care operations (but not treatment purposes) to its contractors, subcontractors or legal representatives to carry out the purpose of the consent.
These flexibilities would reduce the operational burden on Part 2 programs because Part 2 programs could obtain consent during intake for treatment, payment or health care operations related use and disclosure and not have to chase down individuals for consent later, which can result in care coordination and treatment delays. Also, the provider that receives Part 2 records could then redisclose without obtaining another consent in accordance with the Privacy Rule’s treatment, payment or health care operations exception to the authorization requirement, subject to limitations under Part 2 for disclosures in connection with certain legal proceedings. 87 Fed. Reg. 74,242.
Some other proposals that are intended to better align Part 2 and HIPAA include:
- Requiring Part 2 programs to implement a process that allows patients to file complaints with the Part 2 program regarding Part 2 compliance issues similar to the HIPAA Privacy Rule, 45 C.F.R. § 164.530(d);
- Incorporating key definitions from HIPAA into Part 2, such as definitions for “treatment,” “payment,” “health care operations,” “business associate,” “covered entity,” “use,” etc.;
- Clarifying that qualified service organizations are HIPAA “business associates” when Part 2 records also meet the definition of protected health information;
- Introducing the concept of “SUD counseling notes” (similar to “psychotherapy notes” under the Privacy Rule) and proposing to require a separate, specific consent for use and disclosure of “SUD counseling notes” similar to HIPAA’s requirements for psychotherapy notes;
- Applying the Breach Notification Rule provisions to breaches of Part 2 records;
- Aligning notice to patients of Part 2 confidentiality requirements under 42 C.F.R. § 2.22 with the Notice of Privacy Practices (“NPP”) requirements under the Privacy Rule (45 C.F.R. § 164.520), and requiring covered entities that receive and maintain Part 2 records to amend their NPP to describe uses and disclosures that are permissible or required under Part 2 and reference the restrictions on use and disclosure of Part 2 records in civil, criminal, administrative and legislative proceedings against the individual;
- Incorporating patients’ rights to request accounting of disclosures of electronic Part 2 records; to request restrictions on disclosures of records otherwise permitted for treatment, payment or health care operations purposes; and to obtain restrictions on disclosures to health plans for services paid in full by the patient similar to the Privacy Rule, 45 C.F.R. §§ 164.522 and .528; and
- Incorporating HIPAA Enforcement Rule requirements to prosecute violations of Part 2.
To comply with the proposed rules (if finalized), Part 2 programs will need to update their policies/procedures, NPP and intake/consent forms; implement a procedure to receive complaints for allegations of Part 2 noncompliance; ensure breach notification policies and procedures applicable to Part 2 records comply with the Breach Notification Rule (for Part 2 providers that are not covered entities); and revisit data segmentation practices to assess whether the rules allow for operational flexibilities.
[i] The NPRM is inconsistent because on one hand it states the compliance period is 24 months, but later includes language that states: “The Department requests comment on whether the 22-month compliance period is an appropriate length of time for entities subject to a final rule to come into compliance and any benefits or unintended adverse consequences for entities or individuals of a shorter or longer compliance period.” 87 Fed. Reg. 74,218 (emphasis added). We suspect this is just a clerical oversight and HHS intends to give providers 24 months to comply.