Final Rule Aligns 42 C.F.R. Part 2 with HIPAA

On February 8, 2024, the U.S. Department of Health & Human Services (HHS) announced a final rule modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 C.F.R. Part 2 (“Part 2”) and implementing the confidentiality provisions of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act, which was enacted in 2020, required HHS to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to HHS, this final rule will improve the ability of entities subject to Part 2 to use and disclose Part 2 records, decrease the burden on patients and providers, improve coordination of care and access to care and treatment, and protect confidentiality of treatment records. Below is a summary of the significant changes to Part 2 and some recommendations for entities subject to the Part 2 regulations with respect to implementing the final rule.

1. Patient Consent and Disclosure
   
   The final rule streamlines the legitimate sharing of information by allowing patients to provide a single consent for all current and future uses or disclosures of substance use disorder records for the purposes of treatment, payment, or health care operations (“TPO”). Under the current Part 2 regulations, the patient’s prior written consent is required for most uses and disclosures of Part 2 records, including certain non-emergency treatment purposes. This final rule will permit, but not necessarily require, a Part 2 Program to use and disclose Part 2 information in a less burdensome manner in comparison to the current rule. When making such disclosures, the information must be provided with a copy of the patient consent form or a clear explanation of the scope of the patient’s consent for the relevant use or disclosure.
   
   Further, when the patient provides a single consent for all future TPO uses and disclosures, a Part 2 Program, HIPAA covered entity or business associate may use and disclose those substance use disorder records for TPO purposes as permitted by the HIPAA regulations until the patient revokes the single consent in writing. However, the records may not be used in legal proceedings without the patient’s specific written consent or a court order. Patient written consent for the use and disclosure of records for civil, criminal, administrative, legislative, or legal proceedings must be separate and specific to the proceedings and may not be combined with patient consent for other uses or disclosure, including those for TPO. Importantly, this final rule clarifies that a Part 2 Program or a non-Part 2 provider–for example a HIPAA covered entity or business associate–that receives records based on a single consent for all TPO is no longer required to segregate or segment such records from its own records for the patient. This final rule eliminates data “silos” by removing the segregation or segmentation requirement from the current version of §2.12(d)(2)(ii), but the records continue to be protected by Part 2 and cannot be used or disclosed in proceedings against the patient without the patient’s written consent or a court order.
   
   Another exception to the single consent approach described above relates to a newly created category of “SUD Counseling Notes” introduced by the final rule. SUD Counseling Notes are notes recorded in any medium by a Part 2 Program substance use or mental health professional documenting or analyzing an SUD counseling session. SUD Counseling Notes are separated from the rest of the patient’s SUD and/or medical record. For those familiar with “psychotherapy notes” under HIPAA, SUD Counseling Notes are analogous and treated similarly. SUD Counseling Notes do not include medication and prescription monitoring, session start/stop times, modalities and frequencies of treatment provided, test results, or summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress. The Part 2 Program responsible for originating the SUD Counseling Notes may refer to the notes for its own TPO purposes but is prohibited from further use or disclosure of the SUD Counseling Notes without the patient’s specific written consent. Such consent may not be a condition for the provision of treatment, enrollment, or eligibility for benefits and must be provided separately from any consents unrelated to SUD Counseling Notes.
   
   
2. Notice of Privacy Practices
   
   Prior to implementation of this final rule, Part 2 and the HIPAA regulations require different notices of privacy practices (“NPP”). Given a HIPAA NPP is more robust than a Part 2 notice, HHS modified Part 2 to track the HIPAA NPP requirements, excluding those elements that are not applicable to a Part 2 Program. If a Part 2 Program uses or discloses records for the purpose of fundraising on its own behalf, it must be included in the Patient Notice/NPP and is permitted only if the patient is first provided with a clear and conspicuous opportunity to elect to opt-out of receiving fundraising communications.
   
   
3. De-Identification and Data Breach Notification
   
   The final rule expressly incorporates HIPAA’s De-Identification Standard and Breach Notification Rule into Part 2 by cross-referencing each among the Part 2 requirements for security of substance use disorder records. Section 2.16 of Part 2, which currently requires “rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers)," under the final rule has been clarified to require policies and procedures for rendering patient identifying information de-identified in accordance with the requirements of the HIPAA De-Identification Standard (45 C.F.R. §164.514(b)). Once the information is de-identified in accordance with the HIPAA De-Identification Standard, the Part 2 program may disclose the information without the patient’s specific written consent.
   
   The final rule also clarifies that the HIPAA Breach Notification Rule will apply to breaches of unsecured substance use disorder records in the same manner as the rule applies to a HIPAA covered entity with respect to breaches of unsecured protected health information.
   
   
4. Accounting of Disclosures
   
   This final rule further aligns Part 2 and HIPAA by imposing HIPAA’s accounting of disclosures requirements on Part 2 Programs. The newly added Section 2.25 affords each patient the right to an accounting of all disclosures made with consent for the past three years. The accounting must meet all the HIPAA accounting of disclosure requirements. A new accounting requirement will take effect once the HIPAA regulations are updated, and Part 2 Programs will also be required to account for TPO disclosures when such TPO disclosures are made through an electronic health record.
   
   
5. Enhanced Patient Protection
   
   The core Part 2 patient protections are generally unchanged in the final rule. A patient’s substance use disorder records still must not be used or disclosed for the purposes of investigating or prosecuting a patient, and any records disclosed by a Part 2 program in the context of an audit or evaluation cannot be further used or re-disclosed for the purpose of investigating or prosecuting patients, without the patient’s specific written consent or a court order in each scenario. The final rule extends these protections beyond criminal investigation or prosecution and prohibits disclosure for use in any civil, criminal, administrative, or legislative proceedings by a Part 2 program or any person who obtains the records from a Part 2 program, covered entity, business associate, or other lawful holder of the records.
   
   
6. Penalties
   
   This final rule updates the penalties for wrongful use and disclosure of substance use disorder records to align with the civil and criminal penalties imposed under HIPAA. Civil penalties under the new rule range from a fine of $25,000 to $1,500,000 during a calendar year. Criminal penalties range from fines between $50,000 to $250,000 and/or imprisonment from one to ten years.

Effective Date & Implementation Recommendations

The final rule will become effective 60 days after it is published in the Federal Register, which is anticipated to occur on February 16, 2024. The proposed compliance date will be 24 months from the publication of the final rule, with limited exception of accounting for TPO disclosures through an electronic health record, which will be delayed until similar revisions to the HIPAA regulations can be finalized.

To prepare for compliance with this final rule, entities subject to Part 2, Qualified Service Organizations, HIPAA covered entities and business associates should begin the following:

• Review and update policies and procedures related to the use and disclosure of substance use disorder records to comply with this final rule and merge or combine with overlapping HIPAA policies as applicable;
  
  
• Review and update all notices of privacy practices, patient consent forms, and release of information forms to comply with this final rule (e.g., notice/consent regarding SUD Counseling Notes) and consolidate certain notices and forms as permissible under this final rule;
  
  
• Review and update (or implement if one does not yet exist) a data breach notification policy and procedure and/or incident response plan applicable to substance use disorder records that complies with the HIPAA Breach Notification Rule and applicable state law;
  
  
• Develop a plan to train staff on the changes being implemented to comply with this final rule and any related training materials; and
  
  
• Audit compliance with the modified Part 2 regulations.

If you have any questions about this alert, please contact Marc Lombardi or Joan Feldman.