A proposed HHS regulation on the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 C.F.R. Part 2 would bring it further in line with HIPAA, which is somewhat of a double-edged sword, attorneys say.[1] While patient consent would become less burdensome for Part 2 providers, they also would be subject to the breach notification obligations of HIPAA and its civil and criminal penalties if the proposed rule—published in the Federal Register Dec. 2—is finalized.
Part 2, as it’s known, applies to organizations that hold themselves out as providing drug and alcohol diagnosis and treatment and receive federal assistance, potentially including providers participating in Medicare or Medicaid. The rule also applies to recipients of the records, such as health plans, from Part 2 providers.
“Part 2 has been this rule for decades that is very difficult to comply with, but the counterbalance is it wasn’t actively enforced through criminal penalties,” said attorney Adam Hepworth, with Foley & Lardner in Los Angeles. “Now by aligning more closely with HIPAA, it might be easier to comply with, but probably will have more enforcement.”
If the proposed rule seems like déjà vu all over again, that’s because HHS finalized significant changes to Part 2 in 2020. This time around, however, HHS is interpreting revisions ordered by Congress in Sec. 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. “There’s a lot of tweaking to reconcile the definitions and terms between HIPAA and Part 2,” said attorney Adam Greene, with Davis Wright Tremaine in Washington, D.C. “The huge change is now we will have HHS enforcing 42 CFR Part 2 in the same manner as HIPAA.”
Until now, the responsibility for enforcement rested with U.S. attorneys, but there has never been a criminal enforcement action for a Part 2 violation, Hepworth said. Because HHS has experience investigating breaches, imposing penalties and requiring corrective action, it suggests Part 2 providers will face enforcement actions down the road for violations, he said. They may be pursued by HHS through either or both agencies that jointly released the proposed rule: the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR).
Greene said the proposed rule incorporates the definition of a breach from the HIPAA breach notification rule, which defines a breach as a violation of the privacy rule. “It’s a little unclear how breach notification will play out here,” he observed. Will a Part 2 breach only be reportable if the Part 2 information is disclosed in violation of the HIPAA Privacy Rule? “Because there are plenty of circumstances where uses and disclosures are prohibited by Part 2 but permitted by the privacy rule,” Greene noted. “Is it a breach of the Privacy Rule or Part 2 rule that triggers the breach notification rule?” Maybe the final rule will provide more clarity.
The proposed rule also builds on earlier efforts to harmonize Part 2 and HIPAA. In the 2020 rule, HHS added care coordination and case management to a list of 17 activities—including billing and fraud, waste and abuse activities—that are now treated as payment and health care operations. Hand in hand with other provisions, this means a patient can consent to share SUD information with a Part 2 entity, and that entity can further disclose the information to its contractors for payment and health care operations.
Consent Allows Information to Be Treated Like PHI
The proposed rule goes further to mesh with HIPAA, although “it’s not a total alignment,” Hepworth noted. “Part 2 is still a privacy law with its own requirements and still in some cases imposes stricter standards. The burden reduction is largely in the consent process.”
Greene explained that the proposed rule allows for a one-time consent for treatment, payment and operations (TPO) under Part 2. When Part 2 patients sign the broader consent for the use and disclosure of their SUD information, a receiving Part 2 program, covered entity or business associate is permitted to treat it like protected health information (PHI) under HIPAA, he said. For example, the information can be shared with health plans as part of TPO “and treated like any other PHI and they wouldn’t have to segment their systems,” Greene said.
But compliance may still be an uphill battle. Patients could say no to the broader consent in favor of a limited consent that only allows Part 2 providers to disclose SUD information to a specific health plan, for example, he said. That information may need to be segmented from other PHI in the recipient’s information systems. “There are really big challenges here with respect to the insurance company,” Greene noted. “Do they have to find out the basis for the consent so they know whether they can treat it like PHI? We will still see some operational challenges as long as the consent is voluntary. Electronic medical records often don’t allow for the data segmentation that Part 2 requires.”
There are other implications. While HIPAA-covered entities generally can’t refuse to treat patients who won’t sign HIPAA authorizations, it’s not quite the same under Part 2, Greene said. “Consent can be a condition of treatment. It begs the question of whether providers will require TPO consents as a condition of treatment.”
Greene is particularly excited about HHS’s proposed changes to some of the consent terms, which make them “similar or identical to HIPAA.” One of them is the addition of the phrase “class of persons” to describe the recipient of a consent form. “To accommodate TPO written consents, the recipient may be a class of persons, rather than only an identified person,” the proposed rule states. “In addition, for a single consent for all future uses and disclosures for TPO, the recipient may be described as ‘my treating providers, health plans, third-party payers, and people helping to operate this program’ or a similar statement.”
The reason this matters so much is it makes consents “a lot more reasonable and consistent with pretty much every other consent regime out there,” Greene said. The Part 2 rule has gone “through this rollercoaster: you used to have to identify a specific entity” (e.g., ABC Health Plan) in the consent form and then HHS required the identification of a specific person at the entity in certain circumstances and then the rule went back to just naming the entity, he said. Now the consent form is permitted to only name a class of persons (e.g., health plans).
Part 2 Notice Would Look More Like NPP
The proposed rule also makes some changes to the Part 2 confidentiality notice, which is analogous to HIPAA’s notice of privacy practices (NPP). “In the past, they were completely distinct. There were no references to HIPAA in the Part 2 privacy notices and no references to Part 2 in the NPP,” Greene said. That left most Part 2 programs—which are going to be HIPAA covered entities—to decide whether to give patients a combination notice or separate notices. It’s a fact-specific determination because, for example, 95% of a health system may not be subject to Part 2 except for its small chemical dependency treatment unit. Maybe the health system has a separate Part 2 notice for patients on the unit or maybe it incorporates the Part 2 notice into the NPP so all patients receive a notice that includes language to the effect of “to the extent you received services from the chemical dependency unit, X, Y and Z also apply,” he said.
But now the Part 2 notice will resemble the NPP, although Greene said as a practical matter this isn’t a big deal. “There’s not a huge sea change here. What they have done is revised the notice requirements in the Part 2 rule to look a lot more like the structure in the HIPAA NPP.” For example, the proposed rule requires a new header—Notice of Privacy Practices (Part 2 Program)—and the notice must contain an explanation of the uses and disclosures of the patient information.
HHS explained that “while the CARES Act only expressly requires the modification of the NPP requirements at 45 CFR 164.520, the Department proposes to also modify the Part 2 Patient Notice at § 2.22 to align more closely with the NPP requirements. The proposal to modify § 2.22 would ensure that patients of Part 2 programs that are not covered by HIPAA are afforded as much notice and transparency as is provided to individuals in the NPP.” But it’s complicated by the fact that OCR proposed its own rule last year that revises the NPP.[2] HHS must ensure its Part 2 proposals aren’t based on the old NPP language, Greene said.
“At the end of the day, Part 2 programs will have a choice to maintain separate notices or one that is combined,” he said. “You still have the choice.”