The Department of Health and Human Services (HHS) on December 2, 2022 proposed a substantial revision of the regulations governing the confidentiality of Substance Use Disorder records. These changes could mean less administrative burden for providers and more comprehensive care for patients.

Background:

Substance use disorder (SUD) treatment records created or maintained by a HIPAA covered entity or a business associate are protected by the Health Insurance Portability and Accountability Act (HIPAA) and‎, for certain covered SUD programs,‎ by a stricter set of rules contained in 42 CFR Part 2^[1]. SUD treatment includes medication and counseling that a patient receives for abuse of substances like alcohol, tobacco, or opioids. Federal regulators view these records as even more sensitive than other kinds of patient data given the risk of personal and professional damage that disclosure could cause. For this reason, SUD records are protected by both HIPAA and 42 CFR Part 2 (often referred to as simply “Part 2”). The Part 2 rules apply to SUD Programs. Any other entity that receives written reports from an SUD program, such as a hospital or health insurer, must comply with the Part 2 rules when disclosing written reports received from a Part 2 program.

Perhaps the most burdensome requirement of Part 2 is that a covered program must obtain prior written consent before disclosing records related to a patient’s treatment to any third party. This stands in stark contrast to HIPAA, which allows providers to share PHI for “treatment, payment, and health care operations” (TPO) without consent from the patient. This means that HIPAA covered entities can share protected health information (PHI) with other practitioners to assist with a patient’s treatment, or with insurance plans to allow for reimbursement.

The dual compliance requirements of HIPAA and Part 2 have long been a target for reform by industry stakeholders for two main reasons.

First, these disparate rules impact coordination between general medical care (following HIPAA rules) and SUD care (following Part 2 rules). Many facets of an SUD patient’s overall health are impacted by their condition. Effective care requires that healthcare providers have the full picture of the patient’s medical record. For example, a physician could unknowingly prescribe opioids to a patient with a concealed history of substance abuse. The integration of HIPAA and Part 2 contained in the proposed rules will therefore allow for more effective treatment for SUD patients.

Second, regulating patient health records with two different sets of rules has long caused compliance headaches for providers that do not operate SUD programs. Not only must providers navigate two sets of rules, but each rule is enforced by a different agency. The Office for Civil Rights (OCR) enforces violations of HIPAA, while the Substance Abuse and Mental Health Services Administration (SAMHSA) is responsible for enforcing Part 2.

Reforms:

Recognizing these challenges, Congress included language in the CARES Act (March 2020) requiring HHS to align Part 2 with certain provisions of HIPAA. The proposed regulations do this in several ways:

• The proposed rule makes the Part 2 rules more consistent with HIPAA by using common definitions, disclosure requirements, and enforcement provisions. For example, the rules would now share definitions of “breach,” “covered entity,” “healthcare operations,” “unsecured protected health information,” and “HIPAA regulations,” which they remarkably did not share before.
• The proposed rule also seeks to mirror the patient rights established in the HIPAA-mandated Notice of Privacy Practices (NPP). It does so by creating additional patient rights for requesting a disclosure history of their PHI and restricting disclosure in some cases. The proposal allows patients to request an accounting of Part 2 disclosures made by the Part 2 program for a period of six years prior to the request. Similar to HIPAA, patients can also request an accounting of TPO disclosures made through electronic health records for a three-year period prior to the request.
• In addition to the accounting of disclosures, patients would have a new right to request restrictions of disclosures for TPO use and disclosures to a patient’s insurance when paying 100% out-of-pocket for services.
  • We note that some commentators have questioned the wisdom of pushing the duty onto patients to assert their right to restrict disclosure rather than requiring the covered entity to restrict disclosure by default. The average patient will not understand their HIPAA rights and may not assert them even when it would be in their best interest to do so.
• The regulations are now more permissive with what SUD data can be shared, but are also more restrictive in how the data can be used. For example, the revised regulations require only a single written consent to disclose SUD information, rather than individual written consents to each disclosure. This means that providers can include the consent in the standard patient onboarding materials.
  • To balance this lenient disclosure rule, the proposal contains safeguards preventing discrimination against patients on the basis of an SUD. For example, the proposal explains that some health plans have restrictive coverage policies that may be triggered upon learning of a patient’s SUD diagnosis. To protect patient interests, the proposal creates the new patient right discussed above to request restrictions on disclosure of their TPO records.

Additionally, covered entities are prohibited from using a patient’s own SUD records against them in civil, criminal, administrative or legislative proceedings (except in cases of suspected child abuse or neglect). This demonstrates that Part 2 will still not be fully aligned with HIPAA, but retain special protections for SUD data in some instances.

Impact:

HHS has proposed a 24-month timeframe for compliance after the final rule is published. This includes a 60-day window for the rule to become effective after publication followed by a 22-month safe harbor before enforcement begins. It remains unclear what level of enforcement priority the agency will assign to violations of the new rules, but the rule provides several new enforcement mechanisms.

Under the old rules, U.S. attorneys could bring criminal actions against Part 2 violators, but there were no civil penalties. Criminal proceedings related to Part 2 were extremely rare. The CARES Act empowered HHS to levy civil monetary penalties for Part 2 violators. The proposed rule replaces the old enforcement provision with Sections 1176 and 1177 of the Social Security Act, meaning that the same enforcement tools available to pursue HIPAA violations will be available to pursue Part 2 violations. State attorneys general are also empowered to bring suit on behalf of patients who suffer damages due to Part 2 violations. This broader array of enforcement options is likely to result in increased enforcement of Part 2 requirements.

Providers will likely encounter short-term compliance burdens, like updating their patient notices, if the proposed rule goes into effect. But the long term impact will be less administrative complexity and, hopefully, better outcomes for patients.