Aligning Part 2 With HIPAA: HHS Proposes Amendments to Part 2 Substance Use Disorder Confidentiality Regulations
In December 2022, the U.S. Department of Health and Human Services (HHS) published the long-awaited notice of proposed rulemaking (the Proposed Rule) that would modify 42 CFR Part 2 (Part 2), the regulations protecting the confidentiality of patient information held by treatment programs for individuals with substance use disorder (SUD). The Proposed Rule implements Section 3321 of the Coronavirus Aid, Relief, and Economic Security Act of 2020 (CARES Act), which required HHS to align Part 2 with the requirements of the Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (HIPAA).
The discrepancies between Part 2 and HIPAA create compliance challenges for entities subject to both sets of regulations. A SUD treatment program subject to Part 2 (Part 2 Program) that is also a HIPAA covered entity or business associate must segregate Part 2 Program records from those subject only to HIPAA, and get separate consent from patients for disclosures of Part 2 Program records for almost any purpose. This makes coordination of care more difficult for Part 2 Programs, because they must get consent each time to disclose Part 2 Program information for treatment purposes. The Proposed Rule proposes changes to Part 2 to help ease these compliance, efficiency and coordination challenges by aligning Part 2 with HIPAA. The major changes are described below.
Single Consent for Disclosure of Part 2 Records for Treatment, Payment and Health Care Operations
The Proposed Rule would make it easier for Part 2 Programs to share Part 2 Program information for treatment, payment and health care operations (TPO) purposes. As currently in effect, Part 2 requires Part 2 Programs to get written patient consent for each disclosure of Part 2 Program information, and prohibits redisclosure by third parties without additional specific consent. The Proposed Rule would allow Part 2 Programs to obtain a single written consent for all future TPO uses and disclosures. This one-time consent for TPO purposes would allow Part 2 Programs, as well as covered entities and business associates that receive Part 2 Program information pursuant to the consent, to redisclose the records in any manner permitted by the Privacy Rule, except for civil, criminal, administrative or legislative proceedings against the patient without a court order. It also would allow other lawful holders of Part 2 Program information to redisclose the information to their contractors, subcontractors or legal representatives to carry out payment and health care operations activities. In addition, the Part 2 Program could use or disclose Part 2 Program information in other manners consistent with the patient’s written consent. The Proposed Rule also modifies the content requirements for a valid Part 2 Program consent, aligning Part 2 Program consents with the requirements for a valid HIPAA authorization.
Other Uses and Disclosures of Part 2 Records
While the Proposed Rule allows more flexibility in use and disclosure of Part 2 Program information for TPO purposes, it also heightens protections on the use and disclosure of Part 2 Program information in proceedings against the patient. The Proposed Rule expressly includes civil, criminal, administrative and legislative proceedings as forums where a court order is required to use Part 2 Program information against the patient.
Under the current regulations, Part 2 Programs are not required to disclose records under any circumstances. The Proposed Rule would require disclosures to the Secretary of HHS when disclosure is necessary for the Secretary to investigate or determine if a person follows the Part 2 regulations.
De-identification
The current standard for de-identifying Part 2 Program information is “rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification.” The Proposed Rule would replace that standard with the de-identification standard of the HIPAA Privacy Rule: a record is de-identified when there is no reasonable basis to believe that the information could be used to identify a patient as having or having had a substance-use disorder. The Proposed Rule expressly allows disclosures to public health authorities for public health purposes without patient consent, as long as the records are de-identified.
Patient Notice
Under the current rules, Part 2 Programs must provide patients with a Patient Notice that describes the Part 2 Program’s obligation to comply with 42 CFR Part 2. This notice is less comprehensive and gives patients less notice and transparency than the Notice of Privacy Practices (NPP) required under HIPAA’s Privacy Rule. Under the Proposed Rule, Part 2 Programs would have to provide Patient Notices with the same key elements as the HIPAA NPP, including a description of permitted uses and disclosures of Part 2 Program information, information on the complaint process, and the patient’s right to revoke their consent to disclosure under certain circumstances. The Proposed Rule also would modify the HIPAA NPP: covered entities that maintain or receive Part 2 records would be required to add or update their NPPs to include provisions about patients’ rights under Part 2, the covered entity’s duties to comply with Part 2, and information related to the use and disclosure of Part 2 Program information.
Additional Patient Rights
The Proposed Rule would add new patient rights with respect to Part 2 Program information. Consistent with HIPAA, patients would have the right to receive an accounting of disclosures of their Part 2 Program information. In addition, patients would have the right to request restrictions on the disclosures of their Part 2 Program information for TPO, and the right to restrict disclosures of their Part 2 Program information to health plans if the patient paid in full for the services.
Additionally, Part 2 gives patients the right to a list of the entities to which an intermediary has disclosed their records going back two years; the Proposed Rule would extend this to three years. The Proposed Rule would define “intermediary” as “a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.” Examples of intermediaries include health information exchanges, research institutions that are providing treatment, accountable care organizations and care management organizations.
Breach Notification
Currently, Part 2 does not require Part 2 Programs to notify patients following an unauthorized use or disclosure of their Part 2 Program information. The Proposed Rule would apply the HIPAA Breach Notification Rule to Part 2 Program information. In the event of a breach of unsecured information, a Part 2 Program would be required to notify HHS, the affected individuals and potentially the media. This proposed change would have a greater impact on those Part 2 Programs that are not covered entities or business associates under HIPAA. If finalized as proposed, Part 2 Programs would be required to set up compliance programs and train staff on Breach Notification Rule compliance. As a note, HHS is also considering, and requesting comment on, whether Part 2 should be amended to adopt the HIPAA Security Rule or a similar set of security requirements.
New Complaint Procedure
The Proposed Rule would modify the procedure for making complaints about Part 2 violations. Currently, complaints of Part 2 violations should be sent to the U.S. attorney for the judicial district in which the violation occurs. If the report is for a violation by an opioid treatment program, the complaint should be sent to the U.S. attorney and the Substance Abuse and Mental Health Services Administration. The Proposed Rule would align Part 2 with the Privacy Rule provisions concerning complaints, and individuals would send complaints of potential violations directly to the Part 2 Program or the Secretary of HHS. Part 2 Programs would be required to set up a process to receive such complaints. In addition, the Proposed Rule would prohibit a Part 2 Program from intimidating, threatening, coercing, discriminating against or taking other retaliatory action against a patient who files a complaint or exercises any other rights held under Part 2.
Enforcement Provision
Violations of Part 2 currently are enforced through criminal penalties under Title 18 of the U.S. Code. In accordance with the CARES Act amendments, the Proposed Rule would provide for both civil and criminal penalties for Part 2 violations, and align Part 2 enforcement with HIPAA enforcement. References to Title 18 would be replaced with references to Sections 1176 and 1177 of the Social Security Act, as implemented by the HIPAA Enforcement Rule. In addition, HHS would be able to issue civil monetary penalties as governed by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The proposed changes to the enforcement provision of Part 2 would increase the risk of civil and criminal liabilities to agencies investigating or prosecuting Part 2 violations. To address this risk, the Proposed Rule creates a safe harbor for those “investigating agencies.” An investigating agency would not be held liable for improperly receiving Part 2 Program information if it uses “reasonable diligence” in determining whether Part 2 applies to the information or programs at issue before requesting the information or a court order. If an investigating agency does not use reasonable diligence, it would be precluded from remedying the violation by seeking a court order to use or disclose the Part 2 Program information. The Proposed Rule gives examples of reasonable diligence, such as checking a prescription drug monitoring program in the state where the provider is located, or checking the website or physical location of a provider to determine if the provider offers Part 2 services.
Definition and Language Changes
To further align Part 2 with HIPAA, the Proposed Rule would incorporate some definitions from HIPAA and its accompanying regulations into Part 2. Part 2 would define the following terms, as they are defined by HIPAA: breach, business associate, covered entity, health care operations, HIPAA, HIPAA regulations, payment, person, public health authority, treatment, unsecured protected health information and use.
The Proposed Rule also would change certain language of Part 2, such as changing “disclosure and use” to “use and disclosure” and adding “use” where the current rules just say “disclosure.” HHS does not believe these changes are substantive but believes they would be helpful to further align Part 2 with HIPAA.
Comment Period, Effective Date and Compliance Date
The Proposed Rule currently is open for public comment, and HHS is requesting comment from stakeholders about the Proposed Rule’s changes to Part 2. The comment period ends on January 31, 2023.