The U.S. Department of Health and Human Services (“HHS”) in coordination with the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule on February 16, 2024 (effective April 16, 2024)^[1] to bring the regulations governing confidentiality of substance use disorder (“SUD”) treatment records (under 42 CFR Part 2 (“Part 2”)) more in alignment with the requirements of Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). HHS was required to undertake this change to the Part 2 regulations as a part of the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”). By strengthening confidentiality protections and improving care coordination for patients and providers, HHS aims to ensure patients can seek care for SUD while remaining confident their records will be kept private.

Amendments To Patient Consent, Disclosure, And Re-Disclosure

As part of HHS’s effort to better align Part 2 with HIPAA, the Final Rule broadens the scope of a patient’s consent for disclosures to remove the necessity to obtain consent each time a disclosure for treatment, payment, and health care operations (“TPO”) is made. The Final Rule permits a Part 2 program to obtain a single consent for all future uses and disclosures for TPO purposes, consistent with the authorization requirements in the HIPAA regulations. The Final Rule also establishes the following re-disclosure permissions of Part 2 records: (1) permits a covered entity or business associate that received Part 2 records pursuant to a TPO consent to redisclose the records except in certain proceedings against the patient; (2) permits a Part 2 program that is not a covered entity to disclose records pursuant to a TPO consent; and (3) permits a lawful holder that is not a covered entity or business associate to redisclose Part 2 records for payment and health care operations to its contractors as needed.

As has always been the case under Part 2 and remains the case following the issuance of this Final Rule, patients’ records cannot be used to investigate or prosecute the patient without written patient consent or a court order.

Breach Notification

Under the Final Rule, HHS applies the same notification requirements of the long-standing HIPAA Breach Notification Rule to breaches involving records under Part 2. Prior to this change, for Part 2 entities that were not subject to HIPAA, there was no obligation to report a breach of patient information to HHS.

Patient Notice

The Final Rule amends the Part 2 Patient Notice Requirements to align with the requirements of the HIPAA Notice of Privacy Practices (“NPP”). The Final Rule adds specific requirements that must be included in a Patient Notice, including uses and disclosures, patient rights, and duties of a Part 2 program. In comments to the rule, HHS explained that a single notice can be provided to a patient if it includes the necessary disclosures for HIPAA, applicable state law, and Part 2. OCR plans to issue a subsequent final rule to finalize changes to the HIPAA NPP to address uses and disclosures of protected health information (“PHI”) that is also protected by Part 2.

Amendments To Complaints And Penalties

This Final Rule modifies the penalty for violation of any provision of Part 2 to align with the civil and criminal penalties under HIPAA Enforcement Rules. Aligning Part 2’s enforcement approach with HIPAA should make the enforcement process for Part 2 Programs that are covered entities more straightforward as it allows the same mitigating factors to be considered in enforcement, as well as the same affirmative defenses.

In addition to the modification of the penalties for violation, the Final Rule adds a safe harbor under Part 2 for investigative agencies that “act with reasonable diligence before making a demand for records in the course of an investigation or prosecution of a Part 2 program or person holding the record” and defines reasonable diligence steps to mean taking all of the following actions: (1) searching for the practice or provider among the SUD treatment facilities in SAMHSA’s online treatment locator; (2) searching in a similar state database of treatment facilities where available; (3) checking a practice or program’s website, where available, or physical location; (4) viewing the entity’s Patient Notice or HIPAA NPP if it is available; and (5) taking all of these steps within no more than 60 days before requesting records or placing an undercover agent or informant.

The Final Rule provides a few modifications and additions to the provisions related to complaints of noncompliance, including a requirement for Part 2 Programs to establish a process to receive complaints directly and a provision permitting patients to file complaints with the Secretary in the same manner as HIPAA. The Final Rule also finalizes a prohibition against taking adverse action against patients who file complaints and requiring patients to waive the right to file a complaint as a condition of receiving care. Part 2 Programs that are also covered entities likely already have the administrative requirements in place to adhere to these complaints of noncompliance rule changes; however, Part 2 programs that are not covered entities must take steps to adopt new policies and procedures to comply with these administrative requirements.

Amendments To Definitions

Various terms were added or modified in Part 2 to align with the definitions in the respective HIPAA provisions, such as breach, business associate, covered entity, health care operations, informant, person, patient, payment, personal representative, public health authority, third-party payer, treatment, unsecured protected health information, and use. As the comments to the Final Rule note, the term “patient identifying information” was not replaced with the HIPAA term, “individually identifiable health information” because the two regulatory schemes (Part 2 and HIPAA) apply to different sets of health information. Part 2 programs should ensure their policies and procedures are updated for the revised or new definitions.

Conclusion

The modifications to Part 2 reflect multiple efforts by HHS to align the requirements of Part 2 with HIPAA and mitigate the discrimination and stigmatization that people with SUD experience. Differences in the permitted uses and disclosures of Part 2 records and protected health information under HIPAA have contributed to operational compliance challenges. The Final Rule strengthens the confidentiality protections surrounding Part 2 records while also allowing behavioral health providers to provide integrated and coordinated care to their patients.

Part 2 entities will need to update their policies and procedures to address the changes and new requirements in the Final Rule. There is plenty of time to undertake this action, as there is a delayed compliance deadline of February 16, 2026.

---