On February 8, 2024, the U.S. Department of Health & Human Services, through the Substance Abuse and Mental Health Services Administration and the Office for Civil Rights (collectively, HHS), issued a Final Rule that amends the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). This Final Rule arrived nearly four years after the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act) directed HHS to implement amended regulations to more closely align Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Below, we outline the major changes to Part 2, including the alignment of Part 2 with HIPAA, simplified patient consent, other substantive changes, and new civil and criminal penalties.
Through the Final Rule, HHS aims to alleviate compliance and administrative burdens on Part 2 programs and simplify processes for using and disclosing SUD patient records. Part 2 programs (i.e., federally assisted providers who provide or refer patients for SUD treatment) and any other entities that are subject to Part 2 should pay close attention to these changes. The modified Part 2 requirements go into effect on April 16, 2024, and compliance must be achieved by February 16, 2026.
Aligning Part 2 with HIPAA
While HIPAA imposes privacy and security obligations on protected health information (PHI) held by covered entities (e.g., healthcare providers), Part 2 more narrowly applies to SUD patient records held by certain Part 2 programs (collectively, Part 2 Information). Because PHI and SUD records are distinct categories of information, compliance with both HIPAA and Part 2 can be burdensome for dually-regulated entities (i.e., entities that are subject to both HIPAA and Part 2). Thus, as mandated by the CARES Act, the Final Rule seeks to better align Part 2 with HIPAA by making the following changes:
New Defined Terms
The Final Rule adds new defined terms that are given the same meaning as those terms under HIPAA, including: “ breach,” “business associate,” “covered entity,” “health care operations,” “HIPAA regulations,” “payment,” “public health authority,” “treatment,” and “unsecured protected health information.”
De-Identification
The Final Rule requires Part 2 programs to implement formal policies and procedures to address removing “patient identifying information” (another new defined term added by the Final Rule) from records in accordance with the HIPAA standard for de-identification. The Final Rule provides that the patient identifying information must be de-identified such that there is no reasonable basis to believe the information could be used to identify a patient.
Patient Notice
The Final Rule modifies the Patient Notice obligation to mirror the required contents of a Notice of Privacy Practices (NPP) under HIPAA more closely. Dually-regulated entities may use a combined Patient Notice/NPP so long as it includes all elements required under HIPAA and Part 2. The compliance date for using an updated Patient Notice will be delayed until the Office for Civil Rights finalizes changes to the requirements for a HIPAA NPP.
Right to Accounting
The Final Rule creates the right for an SUD patient to receive an accounting of disclosures of Part 2 information made pursuant to a consent for up to three years prior to the date the accounting is requested, except that disclosures for treatment, payment, and healthcare operations (TPO) only have to be included when they are made through an electronic health record (EHR). The compliance date for this new Part 2 accounting of disclosures obligation will be delayed until the HIPAA accounting of disclosures obligation is revised to implement HITECH changes with respect to EHR disclosures.
Right to Request Privacy Protections
The Final Rule creates a right for an SUD patient to request privacy protections, which mirrors the right to request restrictions on use and disclosure of an individual’s PHI under HIPAA.
Breach Notification
The Final Rule makes the HIPAA Breach Notification Rule applicable to Part 2 programs with respect to unsecured Part 2 Information in the same manner the HIPAA Breach Notification Rule applies to covered entities with respect to breaches of unsecured PHI.
Simplified Part 2 Consent Requirements
The Final Rule overhauls patient consent requirements for Part 2 Information to align the process with HIPAA and ease operational burdens on Part 2 programs and recipients of Part 2 Information. These changes significantly simplify the Part 2 consent process.
Under the Final Rule, a patient may sign a single Part 2 consent form to permit uses and disclosures for TPO instead of signing a separate Part 2 consent form for each use or disclosure. Previously, a patient had to name recipients in the consent form (such as specifying the name of their insurance company). Now, designated recipients may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program.”
In addition, once a Part 2 consent is obtained, Part 2 Information may then be used, disclosed, and re-disclosed by covered entities, including Part 2 programs and their business associates, for any purpose permitted under HIPAA (including for additional TPO purposes). However, Part 2 Information may not be disclosed for use in legal proceedings without separate patient consent or a court order accompanied by a subpoena.
Each disclosure of a patient’s record must be accompanied by a copy of the consent or an explanation of the scope of the consent, which may be difficult to operationalize.
Other Substantive Changes
New and Modified Defined Terms
The Final Rule adds and modifies several defined terms:
- Intermediary: The Final Rule adds a definition for “intermediary.” Part 2 defines an intermediary as a person—other than a Part 2 program, covered entity, or business associate—that receives patient records under a general written consent that is to be disclosed to one or more member participants that have a treating provider relationship with the patient. An intermediary can be a natural person or an entity. For example, an intermediary could be a Health Information Exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization. Upon patient request, the Final Rule requires an intermediary to provide patients with a list of persons to whom the patient’s records have been disclosed within the past three years.
- Lawful Holder: The Final Rule adds a definition for a “lawful holder” to be a person who is subject to Part 2 because the person either received patient records pursuant to a written consent or one of the exceptions to written consent. Part 2 requires lawful holders (other than family, friends, or other informal caregivers) to have formal policies and procedures in place to protect against unauthorized uses and disclosures, as well as anticipated security threats. In contrast, all lawful holders (including family, friends and other informal caregivers) are subject to restrictions on re-disclosing Part 2 Information.
- Qualified Service Organization: The Final Rule modifies the definition of “qualified service organization” to include a person who meets the definition of a business associate under HIPAA of a Part 2 program that is also a covered entity.
- SUD Counseling Notes: The Final Rule adds a definition of “SUD counseling notes.” Part 2 defines SUD counseling notes as provider notes that document or analyze the content of conversations with patients, which are separate from the rest of the patient’s treatment and medical record. The definition excludes certain actions such as medication prescription and monitoring and results of clinical tests. Each disclosure of SUD counseling notes requires a consent, and a Part 2 program cannot disclose SUD counseling notes pursuant to a broad TPO consent. This is nearly identical to HIPAA’s definition and treatment of psychotherapy notes.
Required Disclosure to HHS Secretary
The Final Rule adds a new provision that requires Part 2 Programs to disclose patient records to the Secretary of HHS when disclosure is required to investigate or determine whether a person is in compliance with Part 2.
Public Health Disclosures
The Final Rule permits disclosure of Part 2 Information to public health authorities without patient consent as long as the disclosed records are de-identified in accordance with HIPAA.
New Patient Right to Complain
The Final Rule creates the right for patients to file complaints directly with the Secretary of HHS for alleged violations of Part 2 by a Part 2 program, covered entity, business associate, qualified service organization, and other lawful holder under Part 2. In addition, the Final Rule prohibits a Part 2 program from requiring patients to waive their right to file a complaint as a condition of the provision of treatment, payment, enrollment, or eligibility for any Part 2 program.
Fundraising Opt-Out
The Final Rule adds a right for patients to opt out of receiving fundraising communications.
Data Segregation Not Required
The Final Rule provides that a Part 2 program, covered entity or business associate that receives Part 2 records based on a single consent for all TPO is not required to segregate or segment such records.
New Civil and Criminal Penalties
The Final Rule aligns penalties for violations of Part 2 with the civil and criminal enforcement penalties imposed via the HIPAA Enforcement Rule. Previously, a person who violated Part 2 was subject to criminal enforcement and penalties under Title 18 of the United States Code (U.S.C.). Now, a person who violates Part 2 will be subject to the civil and criminal penalties outlined in the Social Security Act at Sections 1176 and 1177. Notably, violators may be subject to concurrent penalties for violations of both HIPAA and Part 2.
Next Steps
In response to the Final Rule, Part 2 programs—and any other entities subject to Part 2—should examine and revise their current policies and procedures as necessary to comply with Part 2 by February 16, 2026. In addition, we are monitoring impending changes to HIPAA.
Please contact the authors if you have any questions about the requirements of Part 2 or HIPAA in light of this Final Rule.
