HHS proposes significant changes to Part 2 substance use disorder records regulations

Melissa Bianchi, Donald DePass, Lindsey Johnson, Melissa Levine
Hogan Lovells
Contact
LinkedIn
Facebook
X
Send
Embed

Hogan Lovells

The U.S. Department of Health and Human Services (HHS) has proposed to significantly revise rules governing patient records in substance use disorder (SUD) programs, commonly known as the Part 2 rules, with important implications for many SUD providers. HHS’s December 2, 2022, Notice of Proposed Rulemaking (NRPM) would align many aspects of the Part 2 rules with the HIPAA Privacy Rule. If finalized, the rules would require regulated entities to take a number of steps to come into compliance, including making updates to policies and procedures, revisions to existing forms, and changes to electronic records systems.

The NPRM was triggered by amendments to the statute that authorizes the Part 2 rules contained in the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was enacted on March 27, 2020. Congressional support for revisions to the Part 2 rules was due, in part, to concerns that the rules impeded providers’ efforts to provide coordinated and integrated care to patients with substance use disorders, including those affected by the opioid epidemic.

The Part 2 rules have a long history. Federal rules governing SUD treatment records were first introduced in the 1970s, years before HIPAA was enacted or electronic medical records were widely available. Because most SUD providers are regulated by both HIPAA and Part 2, as well as similar state laws, compliance with the relevant rules can be challenging and require complex strategies.

For example, unlike the standards for routine disclosures under HIPAA, Part 2 records can only be released with the patient’s written consent, with very limited exceptions. Further, once the patient consents to the release of certain records, the recipient is then subject to the same restrictions as the disclosing entity and is not permitted to share the Part 2 records without going back to the patient to request another signed consent form.

The NPRM includes a more pragmatic approach. The revised statute and proposed rules now specify that, once the patient has provided consent, SUD providers may share the Part 2 records for “treatment, payment, and health care operations,” as those terms are defined and understood in the context of HIPAA. This should make it much easier for providers to coordinate care, bill the patient’s health plan, and manage the information as needed for their own internal operations, without repeatedly returning to the patient to request consent.

The proposed rules also align a number of terms, concepts, and obligations with the HIPAA Privacy Rule, including

  • conforming de-identification standards,
  • adding breach notification requirements consistent with HIPAA’s Breach Notification Rule, and
  • pursuant to the CARES Act, adding
    • a right to request an accounting, consistent with the HITECH’s accounting of disclosures provisions, which have not yet been implemented, and
    • a right to request restrictions on disclosures.

The NPRM also includes revisions to the HIPAA Privacy Rule, requiring Notices of Privacy Practices to include specific requirements for covered entities that operate a Part 2 program. Importantly, the NPRM also reissues many proposed changes to the HIPAA Notice of Privacy Practices requirements that HHS previously issued in a 2020 proposed rule but has not yet finalized. These proposals are now open for comment again.

Part 2 programs will have significant work to do to align their practices and policies with the new rules, if adopted, including:

Revising consent forms. The NPRM includes several detailed changes for consent forms, including some mandatory and some optional language.

Revising Part 2 Notices and HIPAA Notices of Privacy Practices. The NPRM outlines specific requirements for the notice that must be provided to any Part 2 patient upon admission. In addition to the current requirements, the notice must contain:

  • A statement that the patient has the right to request restrictions on certain disclosures and an accounting of disclosures.
  • Information about how the patient can complain to the provider and to HHS if they feel their rights have been violated.
  • Specific words, in all caps, in the header.

Updating “formal policies and procedures.” Currently, § 2.16 requires “formal policies and procedures,” but it does not include any references to the HIPAA Privacy Rule. The proposed regulation will require the policies and procedures to also address:

  • How records will be de-identified in accordance with the HIPAA Privacy Rule, and
  • Breach reporting requirements.

In addition to requiring new privacy rules and standards, the revised statute now also restricts the use of regulated SUD records in criminal, civil, and administrative proceedings and includes antidiscrimination protections for patients treated at regulated facilities. The NPRM includes regulatory changes related to the use of these records in court proceedings, but HHS said that it plans to address the antidiscrimination rules in a separate rulemaking.

There are a number of other changes that regulated entities will likely want to review as they consider whether to comment on the NPRM and prepare for the implementation of the final rules, including a variety of new definitions and regulatory obligations on “intermediaries” and institutions.

Comments on the NPRM are due January 31, 2023. The proposed effective date of the final regulations is 60 days after the publication of the Final Rule, but HHS would not begin enforcement until 24 months after the publication of the Final Rule, giving regulated entities 22 months after the effective date to prepare for implementation by revising the relevant materials, as noted above, as well as updating systems and training staff.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Hogan Lovells
Contact
more
less

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide