This final rule, announced by the HHS Substance Abuse and Mental Health Services Administration (SAMHSA) and Office for Civil Rights (OCR), implements provisions of the March 2020 CARES Act that have important implications for SUD providers. Many of the changes introduced by the final rule were previewed in HHS’ December 2, 2022, Notice of Proposed Rulemaking (NRPM), as outlined in our prior post.

In a webinar hosted by HHS on February 9, 2024, HHS advised that that it will conduct outreach and develop guidance on how to comply with the new requirements. HHS also shared plans to finalize changes to the HIPAA Notice of Privacy Practices (NPP) requirements, including provisions to address uses and disclosures of PHI that are also protected by Part 2, in an upcoming final rule modifying the HIPAA Privacy Rule, which we discussed in this previous post.

Fostering care coordination and simplifying compliance practices through streamlined patient consent requirements and other modifications

A key aim of the Part 2 modifications is to simplify compliance efforts and facilitate care coordination, particularly for SUD providers regulated by both Part 2 and HIPAA. Prior to these changes, complying with both regulations required complex strategies and uneven treatment of different patient records. For example, while HIPAA allows for disclosures of PHI for treatment, payment, and healthcare operations without patient authorization, Part 2 records could only be disclosed with patient consent. To address this inconsistency, the final rule allows a single consent for all future uses and disclosures of Part 2 records for treatment, payment, and health care operations, and allows HIPAA-regulated entities that receive records under this consent to redisclose the records in accordance with the HIPAA regulations. This alignment with HIPAA allows providers to more effectively coordinate patient care.

The final rule makes additional changes related to patient consent, including:

• Requiring a separate patient consent for the use and disclosure of SUD counseling notes, which generally receive analogous protections to those afforded psychotherapy notes under HIPAA;
• Requiring that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent;
• Permitting disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified under HIPAA; and
• Prohibiting combining patient consent for the use and disclosure of Part 2 records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure and restricting the use of Part 2 records and testimony in such proceedings against patients, absent patient consent or a court order.

The final rule includes additional obligations that align with HIPAA, including:

• Individual Notice: Aligning Part 2 patient notice requirements with the requirements of the HIPAA NPP to notify patients of their rights regarding the use and disclosure of Part 2 records.
• Breach notification: Applying HIPAA Breach Notification Rule requirements to breaches of Part 2 records.
• Penalties: Replacing the criminal penalties for Part 2 violations with the HIPAA civil and criminal penalty structure.
• Individual Rights: Granting patients rights to an accounting of disclosures and to request restrictions on disclosures of such records.

In addition, the final rule makes clear that segregating or segmenting Part 2 records is not required.

Next steps for Part 2 programs

Part 2 programs may need to modify their practices to ensure compliance with the new requirements and consider:

• Assessing their breach notification procedures to ensure alignment with HIPAA requirements;
• Reviewing and revising policies and procedures to address new consent obligations and modified restrictions on uses and disclosures of Part 2 information;
• Revising notices to align with HIPAA NPP requirements;
• Implementing measures to be able to receive and fulfill individual rights requests; and   
• Providing appropriate training for employees on the new requirements of the final rule.