On November 28, 2022, the U.S. Department of Health and Human Services (“HHS”) proposed sweeping changes to the rules that govern use and disclosure of protected health information (“PHI”) about patients receiving substance use disorder (“SUD”) services regulated under 42 CFR Part 2 (“Part 2”) (each a “Part 2 Program”).These proposed changes aim to reduce barriers to useful information sharing among healthcare providers and better align Part 2 standards with those under HIPAA. If implemented, these rules may require, among other things, that Part 2 Programs and non-Part 2 Programs that receive Part 2 patient information update their Notice of Privacy Practices and related policies. However, some of the proposed standards are ambiguous, and critical questions remain, including those regarding breach notification and enforcement.
Part 2 contains onerous consent and other requirements on the use and disclosure of PHI created by a Part 2 Program (“Part 2 Data”), which limits the sharing of useful patient data among providers and others involved in a patient’s healthcare. The HHS Notice of Proposed Rulemaking (“NPRM”) proposes to amend Part 2 to reduce barriers to the exchange of Part 2 Data by aligning Part 2 with Health Insurance Portability and Accountability Act (“HIPAA”) requirements set forth in the HIPAA Privacy Rule (the “Privacy Rule”) and to further HHS’s stated goal to increase coordination among providers who treat patients with substance use challenges and reduce discrimination of that vulnerable population.1
Below is an overview of the proposed changes as set forth in the NPRM.
A. Consent and Re-Disclosure
The NPRM proposes the following changes to the consent and re-disclosure rules:
1. Part 2 Programs can use and disclose patient Part 2 Data based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operation (“TPO”) activities.
2. When PHI is re-disclosed for treatment, payment or (“TPO”) activities to a Part 2 program, covered entity, or business associate, the recipient may further use or disclose those records as permitted by HIPAA Privacy Rule with certain exceptions, including for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.
3. When PHI is disclosed to a Part 2 Program that is not a covered entity or business associate, the recipient may further use or disclose those records consistent with the patient consent.
4. When PHI is disclosed for payment or health care operations activities to a lawful holder that is not a Part 2 Program, covered entity, or business associate, the recipient may further use or disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the patient consent.
These rules summarized above reflect a serious relaxation on current Part 2 rules, which have historically contained specific consent requirements for each downstream re-disclosure. The NPRM also modifies the requirements of a valid Part 2 consent so that it is more closely aligned with the requirements for a HIPAA patient authorization.
B. Uses and Disclosures
Part 2 generally only mentions disclosures, but not uses of Part 2 records. The NPRM proposes various changes to Part 2 to clarify requirements for both uses and disclosures by adopting a definition of “use” that is consistent with the definition ascribed by HIPAA.
C. Breaches
The NPRM recommends that the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) breach notification provisions currently implemented in the HIPAA Breach Notification Rule be applied to Part 2 Programs. That is, in the event of a breach of Part 2 Data, Part 2 Programs would be required to notify HHS, affected patients, and, in some situations, the media. In addition, Part 2 Programs would also have to establish and implement policies and procedures that address notification in the event of a breach of Part 2 Data. This change would ensure even those Part 2 Programs that are not HIPAA covered entities or business associates would have to provide the same breach notification in the event of a breach of Part 2 Data.
D. Intermediaries
Under Part 2, patients have a right to know each recipient an intermediary has disclosed the patient’s Part 2 records to within the past two years. The NPRM proposes to expand this time period to three years. While the NPRM does not currently define who an “intermediary” is, examples may include entities such as health information exchanges, research institutions providing treatment, accountable care organizations, and/or care management organizations.
E. Notice of Privacy Practices
The NPRM proposes to amend Part 2 patient notice requirements (42 CFR § 2.22) to align with HIPAA and HIPAA’s Notice of Privacy Practices requirements (45 CFR § 164.520). Specifically, the NPRM would require Part 2 Programs to include a full description of the permitted uses and disclosures of Part 2 Data, patient rights with respect to their Part 2 Data, where patients may make complaints regarding their Part 2 Data, and under what circumstances separate patient consent must be obtained. The NPRM also suggests modifying non-Part 2 HIPAA covered entities’ Notice of Privacy Practices for entities that receive Part 2 records. If approved, non-Part 2 HIPAA covered entities will need to also include restrictions on use and disclosure of Part 2 records in the event of legal proceedings against a patient. If the current version of the NPRM goes into effect, enforcement of the new Part 2 rules and modified HIPAA provision regarding the Notice of Privacy Practices will begin 24 months after the final rule is published.
F. Patient Rights
The NPRM seeks to create two (2) new patient rights under Part 2 that align with the HIPAA Privacy Rule; namely, patients will have the right to:
1. Receive an accounting of certain disclosures of their Part 2 Data, and
2. Request restrictions on the disclosure of their records for TPO activities and obtain restrictions on disclosure to health plans for services paid in full by the patient.
Under HIPAA, patients generally have a right to access PHI contained in a designated record set (aka, “the right to access”). Part 2 Data is generally considered part of that record set.
One major exception to the general right to access, however, is HIPAA’s exclusion of psychotherapy notes. According to the NPRM, HHS is also considering whether a similar carve out should be made for notes generated in the course of a SUD counseling session by a Part 2 Program (“SUD Notes”). If this rule change is adopted, those SUD Notes would be considered Part 2 Data, but could not be disclosed based on a patient’s general consent to future TPO activities. That patient would have to provide a separate and specific written consent for the Part 2 Program to disclose those SUD notes.
G. De-Identification
The NPRM also proposes adopting HIPAA’s de-identification standards and to require Part 2 Programs to implement formal policies and procedures regarding how to address de-identification of Part 2 Data in accordance with HIPAA’s de-identification standards. The NPRM also expressly permits disclosures to public health authorities provided that the records are de-identified in accordance with HIPAA standards.
H. Complaints
The NPRM proposes that Part 2 Programs establish a process to receive complaints regarding the Part 2 Program’s compliance with Part 2. The NPRM also proposes to expressly prohibit intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against a patient for filing a complaint or otherwise exercising a right provided for under Part 2. Similar to HIPAA’s provisions regarding complaints, the NPRM outlines that Part 2 Programs cannot require individuals to waive their right to file a complaint as a condition of receiving treatment, enrollment, payment, or eligibility for services.
I. Enforcement and Penalties
The NPRM proposes both civil and criminal penalties to align Part 2 with HIPAA enforcement standards. For example, the NPRM proposes to apply the civil monetary penalty tiers established under the HITECH Act. In addition, the NPRM designates a safe harbor for investigative agencies that conduct reasonable diligence but unknowingly receive Part 2 Data without first obtaining a court order. Despite lack of enforcement to date, the United States Attorney General can enforce Part 2 rules. It is unclear, however, whether the HHS Office of Civil Rights, the Substance Abuse and Mental Health Services Administration, or some other agency will have additional civil enforcement authority over Part 2.
I. Implications of the NPRM
HIPAA covered entities and Part 2 Programs have long wrestled with the disparate requirements between HIPAA and Part 2. As the U.S. transitions to integrated care and value-based payment healthcare models, these varying requirements stymie efforts to deliver coordinated care under these new models. The NPRM aims to overcome some of these roadblocks by reducing barriers to information sharing among providers. However, some of the proposed standards are ambiguous and critical questions remain around areas such as breach notification and enforcement.
The full text of the NPRM can be found here. Public comments are due by January 31, 2023 (60 days after publication in the Federal Register). If the current version of the NPRM is adopted in its entirety, Part 2 Programs and non-Part Programs that may receive Part 2 Data will likely need to plan for the following:
1. Development of internal policies and procedures regarding new patient rights, such as the right for patients to restrict disclosure of their records for TPO and for reporting violations of Part 2;
2. Updates to their Notice of Privacy Practices; and
3. Evaluation of how to implement policies and procedures to address new security and breach notification requirements.
Healthcare stakeholders should consider the impact that these changes may have on their practices and may want to consider discussing how to implement the above requirements with legal counsel.
