The Long-Awaited Part 2 Modifications Are Finalized with New Obligations for Part 2 Providers and Less Friction for Sharing Patient Information

BakerHostetler

Key Takeaways

  • For Part 2 programs that are not HIPAA covered entities, there will be a breach notification requirement for unauthorized uses and disclosures of Part 2 data. Part 2 programs will be required to notify the patient and the Secretary of HHS, just as is required of covered entities under HIPAA. With this also comes similar enforcement mechanisms for Part 2 programs, such as defined criminal and/or civil penalties.
  • Part 2 consents to share information should become simpler for both the patient and the program to encourage care coordination and allow for redisclosures as permitted by business associate agreements (for HIPAA covered entities).
  • Part 2 confidentiality requirements will be more closely aligned with the HIPAA Privacy Rule.
  • The final rule defines “SUD counseling notes” in parallel with HIPAA’s “psychotherapy notes,” which will require separate recordkeeping for this subset of Part 2 documentation.
  • Tribal entities are now also considered “investigative agencies” for Part 2 enforcement and will receive some qualified protection should any such tribal entity receive Part 2 data unknowingly.

Introduction

On February 8, 2024, the U.S. Department of Health & Human Services (HHS) released a final rule modifying the 42 CFR Part 2 (Part 2) provisions regarding the confidentiality of Substance Use Disorder (SUD) Patient Records. The final rule was published in the Federal Register on February 16, 2024, which starts the clock for the new standards’ effective date (60 days after publication, or April 16, 2024) and compliance date (24 months after publication, or February 16, 2026).

As we have previously reported, the final rule better aligns Part 2’s confidentiality requirements with those under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The final rule makes several changes to align the Part 2 confidentiality requirements with HIPAA, including providing patients with rights to request restrictions on uses and disclosures of health information and to receive an accounting of such disclosures, granting SUD providers the ability to disclose de-identified records for public health purposes, and, perhaps most highly anticipated, allowing providers to obtain a single patient consent for all future uses and disclosures related to treatment, payment, and healthcare operations (TPO). The final rule also creates breach notification obligations for Part 2 providers that are not HIPAA covered entities, a population that previously was governed only by state data breach statutes, to the extent any such statutes applied.

This final rule is a significant change for Part 2 entities that are not also HIPAA covered entities and should facilitate improved communications, and therefore better continuity of care, for individuals receiving treatment from Part 2 and non-Part 2 providers.

Administrative Process

The Coronavirus Aid, Relief, and Economic Security (CARES) Act, passed in 2020, led the charge for these updates by amending Part 2 (42 USC 290dd-2) to better align it with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act standards for safeguarding protected health information (PHI). The CARES Act required HHS and the Substance Abuse and Mental Health Services Administration (SAMHSA) to propose new regulations to carry out the changes the CARES Act made.

The HHS and SAMHSA Notice of Proposed Rulemaking (NPRM) was announced in November 2022. The NPRM sought to receive comments from stakeholders by January 31, 2023. On February 8, 2024, HHS released the final rule describing the changes to Part 2 along with over 400 pages of responses to comments provided by stakeholders.

Summary of Major Changes

HHS adopted most of the proposed rules, with some modifications based on the comments shared by stakeholders. Key points of the changes are below:

Consents

  • The Part 2 written consent form now aligns with the HIPAA authorization form and allows entities to list more general classes of recipients (e.g., “all my treating providers, health plans, and individuals operating this business” or “for all treatment, payment, and health care operations”) than previously permitted.
  • A single TPO consent may cover all future uses and disclosures for TPO purposes until the patient revokes it, and it permits TPO recipients that are HIPAA covered entities or business associates to use and redisclose the Part 2 information in almost exactly the same manner as permitted under HIPAA.
  • Entities subject to both HIPAA and Part 2 may use a combined authorization form (covering both Part 2 records and general PHI) if it meets the requirements under both regulations. However, entities cannot combine a consent for disclosure of records for civil, criminal, administrative, or legislative proceedings with a consent for any other use or disclosure.
  • Part 2 records disclosed pursuant to a TPO consent must be accompanied by either a copy of the consent or a clear explanation of the scope of the consent. Note that this was a change from the proposed rule.
  • A separate patient consent is required for the use and disclosure of SUD counseling notes.
  • No consent is needed for disclosures of de-identified SUD information to public health officials, but de-identification must be achieved according to HIPAA standards.

Patient Rights

  • Part 2 programs must provide patient notice of confidentiality requirements under Part 2, similar to the HIPAA Notice of Privacy Practices. Entities subject to both regulations may have a combined notice.
  • The newly created right to an accounting of disclosures is distinct from the right under HIPAA in that it applies to all disclosures made with consent for up to three years prior to the date the accounting is requested. The accounting of TPO disclosures only includes such disclosures made through an electronic health record (EHR). Note that the compliance date for this right is tolled until 45 CFR 164.528 is revised to address accounting for TPO disclosures made through an EHR.
  • Patients will have the right to request restrictions on uses and disclosures for TPO, and the right to restrict disclosures to health plans if the patient pays for services fully out of pocket.
  • Part 2 entities must establish a process to receive complaints from patients, and patients may also make complaints directly to HHS following the same process for individuals who file HIPAA complaints to the Secretary.

Creation of “SUD Counseling Notes”

  • Newly defined SUD counseling notes will receive treatment similar to that of psychotherapy notes under HIPAA. For SUD counseling notes to be shared, the patient will have to provide a separate consent, and the notes may not be shared pursuant to a TPO consent in the way that other Part 2 records can. These SUD counseling notes must also be kept separate from the rest of the patient’s record, just like psychotherapy notes.

Breach Notification

  • Previously, Part 2 providers not subject to HIPAA had no federally required breach notification obligations. Now, Part 2 entities must follow the HITECH Act breach notification process. It may come as a surprise to Part 2 entities that a “breach” does not only mean situations where outsiders gain access to patient records. Rather, it encompasses any use or disclosure not permitted by the HIPAA Privacy Rule or, now, Part 2. Breaches include situations where staff look at patient records without a business need, where (even nonclinical) patient information is shared with a third party without patient consent, or where a vendor holding patient information exposes that information to an unauthorized party.
  • The notification obligations include:
    • Written notice to patients within 60 days of discovery containing a description of the breach, the date of discovery, the date the breach occurred, what information was impacted, the steps the program is taking to help prevent similar incidents from happening in the future, the steps the patient can take, and a toll-free phone number that individuals can call with questions.
    • Substitute notice where the program has insufficient or out-of-date contact information for 10 or more patients, consisting of either a conspicuous posting on the entity’s website (prominently linked on the home page) for 90 days or publication in prominent media, containing the same elements as the written patient notice.
    • Notice to prominent media in any state or jurisdiction where more than 500 residents are impacted.
    • Notice to the Secretary within 60 days of discovery (for breaches impacting 500 or more patients) or within 60 days after the end of the calendar year in which the breach was discovered (for breaches impacting fewer than 500 patients).
  • This brings with it the ability of the HHS Office for Civil Rights (OCR) to investigate Part 2 entities that report breaches. OCR investigates every breach reported to it that impacts 500 or more patients, but it has investigated entities reporting smaller breaches as well.

Qualified Service Organizations and Business Associates

  • The final rule revises the definition of Qualified Service Organization to include a person or entity that meets the definition of “business associate” in 45 CFR 160.103 of a Part 2 program that is also a covered entity, with respect to the use and disclosure of PHI that also constitutes a Part 2 record. Note that a business associate agreement can also include the language required for a Qualified Service Organization Agreement.

Penalties

  • Civil and criminal penalties for violations of Part 2 will be enforced as they are under HIPAA. Penalties will be assessed as they are under the HIPAA Enforcement Rule, as implemented by HITECH (see 42 USC 1320d-5, explaining the four tiers of civil penalty assessments ranging from $100 per violation to $50,000 per violation; see also 42 USC 1320d-6, explaining potential criminal penalties of up to 10 years’ imprisonment and/or a $250,000 fine).

Special Notes for Tribal Entities

Given the critical need for SUD care in Indian Country and the fact that SUD care is often provided incidental to primary medical care in remote settings, tribal health experts advocated for an exemption from the Part 2 requirements in tribal health settings. In a move that will undoubtedly create compliance challenges for tribal health providers, HHS declined to explicitly carve out Indian Health Service (IHS) and tribal facilities that provide medications for opioid use disorder incident to general medical care. Instead, HHS performed a tribal consultation in summer 2023 and will reportedly continue to consider additional ways to clarify the distinction between a Part 2 program and incidental treatment for SUD within a general medical care setting, along with considering additional ways to provide technical guidance to IHS and tribal facilities on Part 2 topics. The definition of a Part 2 program received only a minor clarifying update, with the key remaining that a Part 2 program is a federally assisted individual or entity that holds itself out as providing SUD treatment. Those tribal nations with codified healthcare privacy and security laws that also take the position that HIPAA does not apply to their respective tribal health services likely will still need to comply with the Part 2 requirements for their SUD programs.

HHS also declined a tribal health board’s request that tribal facilities using the IHS record system be exempt from compliance with Part 2 until the modernization of the record system is complete (currently projected for 2025). HHS instead responded that the two-year period between the effective date and compliance deadline should allow tribal facilities using the IHS system to properly comply with the new Part 2 rules.

In an interesting twist, tribal entities have been added to the definition of “investigative agency,” providing them with a qualified safe harbor (plus some additional reporting requirements to HHS) when the tribal entity is investigating a Part 2 program and the entity unknowingly received Part 2 patient records. This recognizes tribal agencies as having standing equivalent to that of state and local investigative agencies.

Conclusion

The long-awaited changes to Part 2 are significant and should alleviate some administrative burdens on entities subject to both HIPAA and Part 2 while enhancing patient rights to know how their information is being used and, in the event of a breach, misused. Part 2 entities not subject to HIPAA should conduct a thorough review of the changes and ensure policies, procedures, and staff trainings are updated in a timely manner to handle these changes. The two-year compliance period was designed to give entities sufficient time to make the necessary updates before the final compliance date. We are able to help entities assess their compliance with these new requirements and make the necessary changes before the compliance date. We will continue to monitor and report on any additional guidance HHS provides in the next two years to help entities with their compliance efforts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising