On December 2, 2022, the US Department of Health and Human Services (“HHS”) Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking to modify portions of Part 2 of Title 42 of the Code of Federal Regulations (“42 CFR part 2” or “Part 2”), which protect the confidentiality of substance use disorder patient records. See 87 Fed. Reg. 74216. Currently, Part 2 imposes different confidentiality requirements on substance use disorder treatment records than the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, Breach Notification, and Enforcement Rules impose on protected health information (“PHI”). Thus, entities governed by Part 2 (“Part 2 programs”) and HIPAA have competing legal obligations. HHS intends to address these inconsistencies through the Proposed Rule.
While HIPAA takes a more permissive approach to the disclosure of PHI by healthcare providers for treatment, payment, and healthcare operations, Part 2 does not. Part 2 generally requires record holders to obtain prior written consent before disclosing records related to substance use disorder treatment to any third party. The only exceptions provided in Part 2 for record disclosure without prior authorization are for medical emergencies, research, program audits, and certain limited court-ordered disclosures. The Proposed Rule simplifies the process patients must follow to give providers consent to release substance use disorder treatment information, and it provides healthcare providers easier access to necessary patient information related to the patient’s substance use disorder.
Key provisions in the Proposed Rule include:
- Allowing patients to sign one general consent form permitting all future uses and disclosures of substance use disorder records for treatment, payment, and healthcare operations to treating providers, health plans, third-party payers, and people helping to operate the Part 2 program. If indicated on the consent form, the general consent can last indefinitely. The Proposed Rule also allows Part 2 programs to condition treatment on the patient’s consent enabling the program to disclose the patient’s records for treatment, payment, and healthcare operations.
- Updating Part 2 to include the Notice of Privacy Practices requirement from the HIPAA Privacy Rule. The Notice of Privacy Practices required by HIPAA is much more comprehensive than the notices required under Part 2, which only require providers to inform patients of the program’s obligation to comply with 42 CFR Part 2.
- Creating new rights under Part 2 that allow patients to request an accounting of disclosures and to request restrictions on disclosures for treatment, payment, or healthcare operations.
- Incorporating a breach notification process for Part 2 programs and other lawful record holders that aligns with the existing Breach Notification Rule under HIPAA. Currently, some Part 2 programs are not covered entities under HIPAA; this would ensure that all Part 2 programs comply with the breach notification process if a breach were to occur.
- Expanding the options for enforcement actions for Part 2 violations. At this time, the only enforcement actions available for Part 2 record violations are criminal actions brought by the US Attorney for the applicable jurisdiction. The Proposed Rule increases the available enforcement actions for Part 2 violations by referencing the actions in Sections 1176 (civil penalties) and 1177 (criminal penalties) of the Social Security Act, as implemented by the HIPAA Enforcement Rule. This change subjects Part 2 programs that violate the Part 2 requirements to potential civil penalties of up to $50,000 per violation. Moreover, the criminal penalties would significantly increase under the Proposed Rule. Currently, under Part 2, criminal liability is limited to a fine of $5,000 per violation for individuals and $10,000 per violation for organizations. By replacing the criminal enforcement actions available in Part 2 with the Section 1177 penalties, the potential criminal liability increases to imprisonment of up to 10 years or fines of up to $250,000. All penalties are based on the severity of the violation. Additionally, the Proposed Rule would allow HHS to initiate enforcement actions against business associates and covered entities for Part 2 breaches and HIPAA violations.
- Replacing the de-identification standard in Part 2 with the de-identification standard in the HIPAA Privacy Rule.
HHS is taking comments on the Proposed Rule until January 31, 2023. The proposed effective date of a final rule would be 60 days after publication, and the compliance date would be 22 months after the effective date.