Summary
The Upshot
- Jointly, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) revised 42 C.F.R. Part 2 (Part 2), which governs certain patient-identifying substance use disorder (SUD) records, effective April 16, 2024.
- Significant regulatory changes implement Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (relating to “confidentiality and disclosure of records relating to substance use disorder”), which required HHS to update both HIPAA and Part 2 regulations in order to better align respective privacy protections.
- The changes consist of new and revised Part 2 regulations governing, in part: patient consent for SUD record use, disclosure, and redisclosure; individual patient rights relating to notices, accountings of disclosures, and complaint procedures; and increased penalties for noncompliance.
- Part 2 programs may now maintain, use, and disclose records in a manner more consistent with HIPAA regulations.
- As a result, Part 2 programs have expanded flexibility in utilizing Part 2 records, but must carefully note additional compliance responsibilities and civil penalties for noncompliance.
The Bottom Line
Newly effective regulations will ease administrative burden on Part 2 programs by aligning regulations governing the privacy of Part 2 records with the regulatory framework governing HIPAA. Part 2 programs will, however, be subject to more stringent penalties for noncompliance with this more flexible framework. Part 2 programs have until February 16, 2026, to implement any necessary changes.
HIPAA governs certain protected health information maintained by, or on behalf of, HIPAA-covered entities, while Part 2 regulations govern patient-identifying information created by, received, or acquired by federally assisted entities that provide SUD diagnosis, treatment, or referral. Section 3221 of the CARES Act required HHS to further align Part 2 regulations with the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. With this update, HHS fulfills that requirement.
Pursuant to these regulatory changes, Part 2 programs are now:
- subject to HIPAA civil and criminal penalties, as well as the HIPAA Breach Notification Rule and the Privacy Rule’s requirement for disclosures related to HHS investigations
- required to provide individuals with an opportunity to make complaints, free from retaliation, to the Part 2 program or HHS in accordance with existing HIPAA privacy regulations
- required to provide an accounting of each disclosure of patient-identifying information, as well as an opportunity for individuals to restrict certain uses and disclosures to which the individual consents
- required to provide patients a notice of privacy practices (NPP) matching the HIPAA Privacy Rule’s existing requirements for NPPs for protected health information (which, in turn, will be subject to future rulemaking)
Part 2 programs should further note expanded prohibitions on the use and disclosure of Part 2 records, absent court order or consent, in various legal proceedings.
Additionally, the final rule substantially modifies patient consent requirements for use and disclosure of Part 2 records. Requirements for written consent to use and disclose Part 2 records now correspond to the Privacy Rule’s specifications for HIPAA authorizations. Special provisions exist for SUD counseling notes (which correspond to HIPAA’s regulation of psychotherapy notes), as well as use and disclosure of records in civil, criminal, administrative, or legislative investigations or proceedings.
The final rule provides patients with the option to provide a single consent for uses and disclosures for treatment, payment, and operations, as permitted by HIPAA, until revoked in writing. Records received pursuant to this expanded consent process will no longer need to be segregated from other medical records. Further, recipients of Part 2 records are no longer strictly prohibited from redisclosing the records received pursuant to such consent.
Instead, the records may be redisclosed in compliance with HIPAA and Part 2, meaning that Part 2 programs, covered entities, and business associates may redisclose records if received in accordance with a compliant (unrevoked) patient consent and such redisclosure conforms with existing HIPAA regulations governing treatment, payment, and health care operations.
All Part 2 programs must comply with the revised regulations by February 16, 2026, prior to which date HHS will identify the relevant enforcement agency. Ballard Spahr’s health care attorneys will monitor proposed enforcement processes and are available to assist with compliance as this date approaches.
Subscribe to Ballard Spahr Mailing Lists
Copyright © 2024 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.