The Department of Health and Human Services recently issued a proposed rule that would align the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023.
For years, health care providers regulated by both Part 2 and HIPAA, and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing and confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.
As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations.
Major Provisions of Proposed Rule
In this post we will summarize several of the most significant proposed changes in greater detail.
- Changes to Content and Scope of Patient Consent: The proposed rule contemplates changes to Part 2’s patient consent requirements to improve alignment between Part 2 and HIPAA with respect to the required components and permitted scope of a patient’s consent to disclose Part 2 Records. Currently, Part 2 requires the patient’s written consent to use/disclose Part 2 Records for treatment, payment, or health care operations (TPO) purposes. Additionally, the consent must indicate the names of the specific individuals to whom or entities to which the disclosure can be made. Therefore, Part 2 programs must often obtain separate written patient consent for each TPO use or disclosure. The proposed rule modifies these requirements to permit a general recipient designation (e.g., “my treating providers”) on patient consents authorizing the use/disclosure of Part 2 Records for TPO activities. This will allow patients to sign a single general consent that will apply to all future uses/disclosures of their information for TPO activities. This is one of the more significant (and anxiously anticipated) proposed changes and would serve to significantly decrease the administrative burden to providers and patients in facilitating effective patient care.
- Redisclosure: The proposed rule also expands permissions for the redisclosure of Part 2 Records. Currently, Part 2 permits lawful holders who receive Part 2 Records under a valid consent for payment/health care operations purposes to redisclose the information to their contractors or subcontractors for the purpose of facilitating such payment/health care operations. Under the proposed rule, HHS contemplates expanded redisclosure permissions applicable to two separate categories of recipients:
  - If the recipient is a Part 2 program, a HIPAA covered entity, or a HIPAA business associate that has received the Part 2 Records under a written consent for TPO activities, the recipient is permitted to broadly redisclose the records for uses and disclosures permitted under the HIPAA Privacy Rule, subject to restrictions pertaining to legal proceedings.
  - If the recipient is not in any of the aforementioned categories, but receives Part 2 Records under a written consent for payment and health care operations purposes, the recipient is permitted to redisclose the records to contractors, subcontractors, and legal representatives to “carry out the intended purpose” (i.e., facilitate payment and health care operations of the recipient). Notably, HHS clarifies that recipients under this category would not be permitted to redisclose the records for treatment purposes without obtaining a separate consent from the patient.
- Deidentification Requirements: The proposed rule enhances the requirements for deidentification of patient records under Part 2 to align with the requirements under HIPAA. Currently, Part 2’s standard for deidentification of Part 2 Records only requires that the information be rendered “non-identifiable” such that there is a “very low risk of reidentification.” The proposed rule would incorporate the requirements under HIPAA, which require the removal of 18 specific identifiers or a de-identification expert’s certification that there is no reasonable basis that the information could be used to identify a patient.
- Disclosure to Public Health Authorities: Currently, Part 2 only permits disclosure of Part 2 Records without patient consent for three limited purposes – medical emergencies, research, and audit and evaluation – and does not expressly address disclosure of information to public health authorities. The proposed rule authorizes disclosures of Part 2 Records without patient consent to public health authorities, if the records are de-identified in accordance with HIPAA standards.
- Patient Rights: In connection with the expanded disclosure permissions contemplated by the changes to the scope of patient consent, the proposed rule also incorporates two categories of patient rights that currently exist under HIPAA, but not Part 2. These include: (i) the right to obtain an accounting of disclosures of the patient’s Part 2 Records made with written consent during the previous 3 years; and (ii) a right to request restrictions on disclosures of Part 2 Records made for TPO purposes with written consent or made to health plans for services that have been paid in full.
- Enforcement and Complaint Reporting: Part 2 currently requires that any person who violates any provision of the Part 2 regulations be criminally fined and provides that complaints/reports of violations should be directed to SAMHSA and the U.S. attorney for the jurisdiction in which the violation occurs. Under the proposed rule, HHS seeks to expand its enforcement authority (and streamline oversight of HIPAA and Part 2 issues), by replacing these criminal penalties with the civil and criminal penalties applicable to covered entities and business associates under the HIPAA Enforcement Rule. Additionally, the proposed rule also contemplates that complaints of Part 2 violations should be directed to the Part 2 program and HHS, rather than SAMHSA and the applicable U.S. attorney.
- Breach Notification and Security Standards: Currently, Part 2 does not impose specific breach notification requirements. However, the breach notification requirements under HIPAA do currently apply to any Part 2 Records that are also considered PHI. Under the proposed rule, the HIPAA Breach Notification Rule would be incorporated by reference to apply to all Part 2 programs and would require such programs to notify HHS, affected patients, and the media (where applicable) in accordance with HIPAA requirements. HHS is also contemplating potential changes to security requirements applicable to Part 2 Records, and has requested comments regarding whether the HIPAA Security Rule or other similar requirements should apply to Part 2 programs.
- Changes to Notice of Privacy Practices Requirements: Currently, HIPAA and Part 2 require covered entities and Part 2 programs, respectively, to provide certain notices to patients regarding the applicable confidentiality requirements. The proposed rule seeks to align these notification requirements such that providers subject to both laws can use one standard form to comply with patient notification requirements under both laws. Notably, if the proposed rule is finalized, it would also modify the HIPAA regulations to require HIPAA notices of privacy practices to address Part 2 confidentiality requirements.
The changes contemplated under the proposed rule would significantly impact the treatment of Part 2 Records and would seemingly address many of the concerns raised by stakeholders related to the administrative burden of complying with inconsistent data privacy frameworks. They would also help those same stakeholders surmount the resulting barriers to effective care coordination between SUD treatment providers and primary care providers. HHS is encouraging all stakeholders, including health care providers, associations, insurers, patients, and others, to submit comments on the proposed rule. Comments are due January 31, 2023.
Reed Smith will continue to monitor developments on these proposed regulations. If you have any questions about these regulations or would like to comment on them to HHS, please reach out to the authors of this post or to the health care lawyers at Reed Smith, LLP.