HHS Issues Long-Awaited Final Rule Modifying Part 2 Regulations
On February 8, the U.S. Department of Health and Human Services (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA) and Office for Civil Rights, announced a long-awaited final rule (the Final Rule) modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations codified at 42 C.F.R. part 2 (Part 2). The Final Rule was published in the Federal Register on February 16th. It will take effect 60 days following publication, and compliance with the applicable requirements in the Final Rule is required by February 16, 2026.
Part 2 was first promulgated in 1975 in response to concerns about the potential use of SUD information in nontreatment-based circumstances, such as administrative or criminal hearings as well as housing, employment and child custody decisions. The original concern behind the federal regulations was that the unauthorized disclosure of SUD information could, at times, lead to negative consequences for the patient in the aforementioned situations and others. The purpose of the Part 2 regulations was to safeguard patients with a history of SUD treatment from being more vulnerable to discrimination as a result of the availability of their treatment records than those individuals who chose not to seek treatment for SUD. Part 2 only protects SUD records from certain types of federally assisted programs, known as "Part 2 programs." The current Part 2 regulations are very restrictive and, with very limited exceptions, require patient consent for disclosure.
Although at the time of initial enactment of Part 2 there was little need to communicate outside stand-alone SUD treatment facilities, SUD treatment has since been gradually integrated into general medical settings and electronic health record systems have been broadly implemented by healthcare providers. Even following SAMHSA's recent modifications to and clarifications of Part 2 in 2017, 2018 and 2020 in an attempt to better align the regulations with contemporary healthcare systems and advancements in health information technology, strict compliance with the stringent Part 2 requirements in present-day integrated care systems has proven challenging for individuals and entities subject to Part 2. Part 2 has often been perceived as a significant source of confusion in the development of healthcare systems' compliance programs and has burdened efforts to streamline care coordination between general medical providers and Part 2 programs.
The Final Rule has been in the making for some time. Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was enacted on March 27, 2020, required the alignment of certain key aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act. On November 28, 2022, in response to the CARES Act requirement, HHS issued a Notice of Proposed Rulemaking to revise Part 2, which proposed several revisions to Part 2 to better align it with HIPAA while still recognizing the sensitive nature of SUD records. The Final Rule adopts many of the proposals set forth in the notice as well as further modifications informed by public comments, including, but not limited to, the following notable revisions to Part 2:
- Single-patient treatment, payment and healthcare operations (TPO) consent: The Final Rule replaces the requirement that patients provide written consent for uses and disclosures for payment and certain healthcare operations with permission to use and disclose Part 2 records for purposes of TPO as permitted by HIPAA once the patient has provided a single, written consent for all such future uses and disclosures (TPO Consent). This permission remains in effect until the patient revokes the consent in writing. In addition, the Final Rule provides for new redisclosure permissions in reliance on the TPO Consent: (1) HIPAA-covered entities and business associates that receive Part 2 records pursuant to a TPO Consent may redisclose the Part 2 records as permitted by HIPAA, except in certain proceedings against the patient; (2) Part 2 programs that are not HIPAA-covered entities may redisclose the Part 2 records received pursuant to a TPO Consent according to the consent; and (3) "Lawful Holders" of Part 2 records (as defined in Part 2) that are not HIPAA-covered entities or business associates may redisclose Part 2 records for payment and healthcare operations to their contractors, subcontractors or legal representatives as needed to carry out the activities specified in the TPO Consent.
- Consent for disclosure of Part 2 records in proceedings: The Final Rule requires a separate patient consent for the use and disclosure of Part 2 records in civil, criminal, administrative and legislative proceedings.
- SUD counseling notes: The Final Rule creates a new definition for "SUD counseling notes" that is analogous to the HIPAA definition of "psychotherapy notes." This definition encompasses an SUD clinician's notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient's treatment record. SUD counseling notes are afforded additional privacy protection and cannot be used or disclosed based on a TPO Consent. A separate patient consent for the use and disclosure of SUD counseling notes is required.
- Segregation of Part 2 records: The Final Rule includes an express statement that the segregation or segmentation of Part 2 records received by a Part 2 program, covered entity or business associate pursuant to a TPO Consent is not required. These records, however, continue to retain their characteristic as Part 2 records to ensure that recipients continue to comply with the continuing prohibition on use and disclosure of the Part 2 records in investigations or proceedings against the patient, absent written patient consent or a court order.
- Breach notification requirements: The Final Rule requires Part 2 programs to provide breach notification for breaches of Part 2 records in the same manner as breach notification is required for protected health information breaches under HIPAA.
- Patient notice requirements: The Final Rule aligns the existing Part 2 patient notice requirements with the content and implementation requirements of the HIPAA Notice of Privacy Practices.
Day Pitney's Healthcare practice represents numerous healthcare providers and organizations subject to Part 2 and has worked with them over the years to develop compliance programs that take into account the continual changes to Part 2. We are available to help providers and organizations assist with navigating the most recent significant changes to Part 2 and update their compliance programs accordingly.
Recommended
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – February 2024