The Department of Health and Human Services (HHS) on December 2, 2022 proposed a substantial revision of the regulations governing the confidentiality of Substance Use Disorder records. These changes could mean less administrative burden for providers and more comprehensive care for patients.
Substance use disorder (SUD) treatment records created or maintained by a HIPAA covered entity or a business associate are protected by the Health Insurance Portability and Accountability Act (HIPAA) and, for certain covered SUD programs, by a stricter set of rules contained in 42 CFR Part 2. SUD treatment includes medication and counseling that a patient receives for abuse of substances like alcohol, tobacco, or opioids. Federal regulators view these records as even more sensitive than other kinds of patient data given the risk of personal and professional damage that disclosure could cause. For this reason, SUD records are protected by both HIPAA and 42 CFR Part 2 (often referred to as simply “Part 2”). The Part 2 rules apply to SUD Programs. Any other entity that receives written reports from an SUD program, such as a hospital or health insurer, must comply with the Part 2 rules when disclosing written reports received from a Part 2 program.
Perhaps the most burdensome requirement of Part 2 is that a covered program must obtain prior written consent before disclosing records related to a patient’s treatment to any third party. This stands in stark contrast to HIPAA, which allows providers to share PHI for “treatment, payment, and health care operations” (TPO) without consent from the patient. This means that HIPAA covered entities can share protected health information (PHI) with other practitioners to assist with a patient’s treatment, or with insurance plans to allow for reimbursement.
The dual compliance requirements of HIPAA and Part 2 have long been a target for reform by industry stakeholders for two main reasons.
First, these disparate rules impact coordination between general medical care (following HIPAA rules) and SUD care (following Part 2 rules). Many facets of an SUD patient’s overall health are impacted by their condition. Effective care requires that healthcare providers have the full picture of the patient’s medical record. For example, a physician could unknowingly prescribe opioids to a patient with a concealed history of substance abuse. The integration of HIPAA and Part 2 contained in the proposed rules will therefore allow for more effective treatment for SUD patients.
Second, regulating patient health records with two different sets of rules has long caused compliance headaches for providers that do not operate SUD programs. Not only must providers navigate two sets of rules, but each rule is enforced by a different agency. The Office for Civil Rights (OCR) enforces violations of HIPAA, while the Substance Abuse and Mental Health Services Administration (SAMHSA) is responsible for enforcing Part 2.
Recognizing these challenges, Congress included language in the CARES Act (March 2020) requiring HHS to align Part 2 with certain provisions of HIPAA. The proposed regulations do this in several ways:
Additionally, covered entities are prohibited from using a patient’s own SUD records against them in civil, criminal, administrative or legislative proceedings (except in cases of suspected child abuse or neglect). This demonstrates that Part 2 will still not be fully aligned with HIPAA, but retain special protections for SUD data in some instances.
HHS has proposed a 24-month timeframe for compliance after the final rule is published. This includes a 60-day window for the rule to become effective after publication followed by a 22-month safe harbor before enforcement begins. It remains unclear what level of enforcement priority the agency will assign to violations of the new rules, but the rule provides several new enforcement mechanisms.
Under the old rules, U.S. attorneys could bring criminal actions against Part 2 violators, but there were no civil penalties. Criminal proceedings related to Part 2 were extremely rare. The CARES Act empowered HHS to levy civil monetary penalties for Part 2 violators. The proposed rule replaces the old enforcement provision with Sections 1176 and 1177 of the Social Security Act, meaning that the same enforcement tools available to pursue HIPAA violations will be available to pursue Part 2 violations. State attorneys general are also empowered to bring suit on behalf of patients who suffer damages due to Part 2 violations. This broader array of enforcement options is likely to result in increased enforcement of Part 2 requirements.Providers will likely encounter short-term compliance burdens, like updating their patient notices, if the proposed rule goes into effect. But the long term impact will be less administrative complexity and, hopefully, better outcomes for patients.
 To be a “program” that falls under 42 CFR Part 2, an individual or entity must be federally assisted and hold itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment (42 CFR § 2.11). A hospital or emergency department that happens to treat or diagnose SUD will not be classified as a program, but a unit of a hospital dedicated to SUD might very well be a program.
Sign up for our newsletter and get the latest to your inbox.