Health and Human Services Proposes Changes to Part 2 Regulations Concerning Substance Use Disorder Records to Further Align with HIPAA

Alert
December 21, 2022
10 minutes

For decades, health care providers that are subject to both HIPAA and to the specialized Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (known as “Part 2”)1 have had to navigate differing, and at times divergent, privacy and confidentiality rules applicable to patient health information and patient records. These disparate privacy rules have, for many providers, served as a hindrance to the information sharing necessary to facilitate coordinated care. On December 2, 2022, OCR2 and SAMHSA3 released long-awaited proposed changes to Part 2 through a Notice of Proposed Rulemaking (the “Proposed Rule”) to better harmonize HIPAA and Part 2.4

This Alert provides a brief history of Part 2, summarizes key changes in the Proposed Rule, and discusses potential implications of the Proposed Rule, which, if finalized,5 we expect will improve care coordination between providers and facilitate sharing of patient records for individuals experiencing substance use disorders.

Background on Part 2

Although many providers have only recently begun to focus on Part 2’s specialized privacy restrictions, Part 2 predates HIPAA by more than twenty years. Congress enacted a set of laws in the 1970s designed to provide strict confidentiality protections to SUD records because of the perceived stigma associated with such diagnoses, and HHS promulgated the first regulations at 42 C.F.R. Part 2 implementing statutory protections for SUD records in 1975. The initial Part 2 regulations were designed to ensure the confidentiality of SUD patient records “at a time when there was no broader privacy and data security standard for protecting health care data.”6 When HIPAA was enacted and the rules promulgated in the early 2000s, there was little effort to harmonize the privacy requirements of each.

Part 2 applies to federally assisted programs known as Part 2 programs7 as well as “lawful holders,” which are individuals and entities that receive Part 2 records from Part 2 programs.8 Part 2 generally restricts the disclosure of records without patient consent that identify patients with a SUD diagnosis and who are seeking or receiving treatment from a Part 2 program. Any recipient of Part 2 records is similarly prohibited from redisclosing such records, absent express patient consent allowing redisclosure. Due to the enhanced rules around disclosure and non-disclosure, providers subject to both Part 2 and HIPAA have long struggled to align their policies and procedures to address both privacy regimes.

Summary of Proposed Rule

The Proposed Rule issued by OCR and SAMHSA contains key updates to harmonize HIPAA and Part 2, including the following:

  • Uses and Disclosures for Treatment, Payment, and Health Care Operations (“TPO”).9 Unlike HIPAA, Part 2 requires a patient’s written consent to disclose SUD records for TPO activities. Such consent must identify to whom disclosures of such records may be made, and recipients of SUD records are generally prohibited from redisclosing such records absent explicit written consent from the patient. The Proposed Rule relaxes the patient consent requirement for disclosures related to TPO by permitting a single, written consent from a patient to authorize all future uses and disclosures of their record for TPO activities. In addition, the Proposed Rule authorizes redisclosures of patient records by recipients in three circumstances:

    1. if records are disclosed for TPO activities to a Part 2 program, covered entity, or business associate, the recipient may further use or disclose the records as permitted under HIPAA;
    2. if records are disclosed to a Part 2 program that is not a covered entity or business associate, the recipient may further use or disclose the records consistent with the initial patient consent; and
    3. if records are disclosed to a lawful holder that is not a covered entity or business associate, the lawful holder may further use or disclose the records for payment or health care operations purposes to its contractors, subcontractors, or legal representatives.

    Importantly, the Proposed Rule would also further modify the required elements of a written patient consent to align with the content requirements for a valid HIPAA authorization. By harmonizing the uses and disclosures permitted under Part 2 and HIPAA, we expect that covered entities that also maintain Part 2 records will be able to avoid strictly segregating Part 2 records, thereby improving care management for SUD patients.

  • Breach Notification and Security of Part 2 Records. Part 2 currently requires Part 2 programs and lawful holders to implement formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information. The Proposed Rule would apply the HIPAA Breach Notification Rule to Part 2. Accordingly, Part 2 programs and most lawful holders experiencing a breach of unsecured records under Part 2 would be required to report the breach to HHS, affected individuals, and, in certain circumstances, media outlets. Part 2 programs would also be required to implement policies and procedures addressing breach notification. Importantly, HHS would be permitted to apply the Breach Notification Rule obligations under Part 2 to any person who receives SUD records, and HHS would evaluate whether the person experiencing a breach of SUD records had a duty to reasonably protect against unauthorized uses of the SUD records and against reasonably anticipated threats or hazards based on the facts and circumstances. Given the potentially significant nature of these changes, HHS requested comment on (1) the burdens on Part 2 programs to comply with the Breach Notification Rule, and (2) circumstances in which lawful holders should not be held responsible for breaches of Part 2 records (e.g., when the lawful holder is a family member of a patient). HHS further requested comment on whether the HIPAA Security Rule or similar requirements should apply to Part 2 providers and others subject to Part 2 requirements even when such providers are not otherwise considered covered entities or business associates. We expect that any final rulemaking will clarify the circumstances under which HHS will apply the HIPAA Security Rule and Breach Notification Rule to recipients of SUD records.
  • Uses and Disclosures Without Patient Consent. Currently, Part 2 permits the disclosure of Part 2 records without patient consent in three narrowly tailored circumstances: medical emergencies, for purposes of scientific research, and if disclosure is needed in furtherance of an audit. The Proposed Rule alters the audit exception (to allow for management audits, financial audits, and program evaluation) and adds a fourth circumstance in which disclosures may be made without patient consent: disclosure of Part 2 records for public health purposes to public health authorities provided that the records are de-identified. Part 2 does not have the same standard for de-identification of information as HIPAA, and HHS proposes applying the HIPAA standard for de-identification of protected health information (“PHI”) to Part 2 records.
  • Patient Rights. To align with HIPAA, the Proposed Rule would codify two new rights for patients under Part 2:

    1. The right to request restrictions on disclosures of their records for TPO purposes and to restrict disclosures to health plans for those services paid in full by the patient; and
    2. The right to receive an accounting of disclosures of their Part 2 records for the prior three years.10
  • Qualified Service Organizations. Currently, Part 2 requires explicit written consent from an individual before a Part 2 program may disclose any identifying information to a qualified service organization (“QSO”), unless the Part 2 program and QSO have a qualified service organization agreement (“QSOA”) in place permitting the exchange of identifying information or unless Part 2 otherwise permits the disclosure. HIPAA similarly permits a covered entity to disclose PHI to its business associates without patient consent as long as a business associate agreement is in place. The Proposed Rule clarifies that business associates will also be considered QSOs if the Part 2 records also constitute PHI. Additionally, the parties will not be required to enter into a separate QSOA for disclosure of Part 2 records in such circumstances.
  • Intermediaries. Part 2 currently requires that “intermediaries” provide patients, upon request, with a list of entities to which the patient’s information has been disclosed within the past two years. However, Part 2 currently does not define “intermediary.” The Proposed Rule defines the term “intermediary” as a person (including an organization or entity) that receives records (after receipt of a patient’s written consent) for the purpose of redisclosing the records to one or more of its member participants that has a treating provider relationship with the patient. Examples of intermediaries include health information exchanges, accountable care organizations, and care management organizations. The Proposed Rule would also extend the current requirement regarding an accounting of an intermediary’s disclosures to disclosures made within the past three years and make clear that patient consent forms must continue to name intermediaries if they are used to exchange Part 2 records.
  • Enforcement of Part 2 Consistent with HIPAA.11 The Proposed Rule would align the enforcement provisions of Part 2 with the HIPAA Enforcement Rule, permitting both civil and criminal penalties for violations of Part 2. As under HIPAA, HHS would have authority to enforce Part 2, and violations would be referred to the Secretary of HHS.
  • Notice of Privacy Practices. Currently, Part 2 programs are required to provide notices to patients concerning federal confidentiality requirements at the time of admission. The Proposed Rule would align the Part 2 patient notice requirement with HIPAA’s requirement to provide a Notice of Privacy Practices (“NPP”) to patients. The Proposed Rule would also modify HIPAA to require that the NPP include a provision limiting redisclosure of SUD records in legal proceedings consistent with Part 2. As noted below, unresolved ambiguities still remain in the Proposed Rule.

Implications of the Proposed Rule and Considerations for Part 2 Providers

Providers subject to both HIPAA and Part 2 have long struggled with the disparate privacy and non-disclosure rules of the two regulations. In recent years, with a shift to models of integrated care and value-based payment, the barriers to information sharing imposed by Part 2 have blocked efforts to deliver integrated and coordinated, outcomes-based care to individuals experiencing SUD and receiving treatment from Part 2 programs. The Proposed Rule recognizes the need for information sharing across the spectrum of providers and stakeholders involved in delivering care to individuals experiencing SUD and attempts to balance the continued need for confidentiality of Part 2 records with information-sharing requirements to deliver coordinated care.

Important among these proposed modifications is the relaxation of consent requirements around information sharing for TPO, including permitted redisclosure; the recognition that QSOs often function as business associates and must use and disclose Part 2 information to provide services to the covered entity or Part 2 provider; and the recognition that intermediaries play an important role in care coordination and delivering outcomes-based care that both improves the health of an individual and reduces the cost burden of such care to the system.

And, yet, the Proposed Rule is not a panacea. Some of the proposed standards are ambiguous—such as the applicability of breach notification requirements to lawful holders based on a nebulous facts-and-circumstances analysis—and leave open questions about the spectrum of enforcement and breach notification, including how HHS anticipates enforcing Part 2 in the event of a reported breach and whether SAMHSA (or another HHS agency) will take on a role comparable to the role OCR plays with respect to HIPAA compliance and breach reporting. Moreover, Part 2 providers will still need to obtain initial patient consent for TPO activities, and certain aspects of Part 2 remain relatively unchanged (such as with respect to court orders and disclosures for law enforcement purposes).

HHS is seeking comments on a number of critical aspects of the Proposed Rule, including the scope of the new enforcement authority and whether the standards of the HIPAA Security Rule should apply to Part 2 providers and others subject to Part 2 requirements. HHS’s final position on these proposals will dramatically affect the compliance and privacy posture of the providers and other entities subject to Part 2.

Practically, if the Proposed Rule is finalized, providers subject to Part 2 will need to:

  • Develop internal procedures to address the new patient rights created by the Proposed Rule, such as the right for patients to restrict disclosures of their records for TPO purposes;
  • Be prepared to update the form of consent and NPP used with patients;
  • Begin to evaluate how to implement security measures and policies and procedures to address the security and breach notification obligations of the Proposed Rule; and
  • Develop internal procedures for reporting violations of Part 2.

* * *

If you have any questions concerning Part 2, please do not hesitate to contact your regular Ropes & Gray advisor. Comments on the Proposed Rule are due on or before January 23, 2023, and your Ropes & Gray advisor welcomes the opportunity to work with you on any comments that you want to submit during the rulemaking process.

  1. 42 C.F.R. Part 2.
  2. United States Department of Health and Human Services (“HHS”), Office for Civil Rights.
  3. Substance Abuse and Mental Health Services Administration.
  4. In the 2020 Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”), Congress made modifications to the Part 2 statute and charged HHS agencies, including OCR and SAMHSA, with aligning HIPAA and Part 2.
  5. The Proposed Rule is subject to a sixty-day comment period, with comments due on or before January 31, 2023. Once the Proposed Rule is finalized, individuals and entities will have twenty-two months to come into compliance with the changes to Part 2 and corresponding changes to HIPAA, where applicable.
  6. 85 Fed. Reg. 42,986 (July 15, 2020). HHS has since updated the Part 2 regulations on several occasions, most notably in 2020, but the changes set forth in the Proposed Rule are the most far-reaching since Part 2’s initial enactment.
  7. For purposes of Part 2, a “program” is any of the following: (1) An individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; (2) an identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or (3) medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers. 42 C.F.R. § 2.11 (definition of “program”).
  8. Lawful holders may be organizations within the health care spectrum (e.g., third-party payors and care coordination agencies), or they may be individuals or entities outside the patient care environment, such as family members, courts, or law enforcement agencies.
  9. The terms “treatment,” “payment,” and “health care operations” are defined in HIPAA at 45 C.F.R. § 164.501.
  10. The right to an accounting of disclosures is intended to align with the individual right to an accounting under HIPAA, and HHS does not intend to implement such right until the analogous right under HIPAA is implemented.
  11. Currently, violations of Part 2 are punished by a criminal penalty in the form of a fine and are reported to the U.S. Attorney’s Office for the judicial district in which the violation occurs or to SAMHSA (for violations by opioid treatment programs).