This article was sourced from troutman.com
On February 8, 2024, the Department of Health and Human Services (HHS) posted a final rule that aims to align 42 CFR Part 2 (Part 2) — which protects certain substance abuse disorder (SUD) records — with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rule also implements modifications required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The goal is to improve care coordination and strengthen privacy protections, particularly for patients seeking SUD treatment. While the majority of these changes apply to Part 2 programs,[1] it is also important that providers that exchange records with these programs, such as covered entities under HIPAA that are not Part 2 programs, are also aware of these changes. The final rule will be effective on April 16, 2024, but Part 2 programs have two years to come into compliance with the final rule, as the final compliance date is February 16, 2026.
Historically, care coordination with Part 2 programs has been difficult due to the onerous and complex compliance obligations applicable to Part 2 records.[2] The new rules seek to improve care coordination by upgrading the mechanisms for record exchanges and enhance confidentiality protections, thereby empowering more SUD patients to seek treatment.
Here are the key changes introduced by the final rule:
Single Consent for Part 2 Records
Patients have always needed to consent to the use and disclosure of Part 2 records, but consent had to be obtained for each disclosure, with a precise description of the purpose of the disclosure. Now, consistent with the way covered entities handle consent for non-SUD records under HIPAA, patients can sign a single consent form for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations (TPO). This consent remains active until the patient revokes it. This will expedite the exchange of Part 2 records between Part 2 programs and other healthcare providers, facilitating more coordinated patient care and minimizing treatment delays.
Re-disclosures of Part 2 Records
Re-disclosures of Part 2 records for purposes beyond treatment, payment, and health care operations (TPO) are now permitted in accordance with the HIPAA Privacy Rule by covered entities and business associates. This applies to covered entities and business associates even if they are not Part 2 programs but are in receipt of a Part 2 record. Part 2 programs that are not covered entities may continue to re-disclose according to the scope of the consent, which was already the case prior to the final rule.
Additional Protections for SUD Counseling Session Notes
The final rule introduces additional protections, similar to those in HIPAA for psychotherapy notes, for Part 2 records. These protections apply to notes of treating clinicians documenting a SUD counseling session by a Part 2 program, which must now be maintained separately from a Part 2 record. The use and disclosure of SUD counseling notes will require separate patient consent and can no longer be included as part of general consents for TPO.
Right to Accounting of Disclosures and Request Restrictions
Patients of Part 2 programs now have the right to request an accounting of disclosures and the right to request restrictions and obtain restrictions on disclosures of Part 2 records, even if the Part 2 program is not a covered entity. The right of accounting now applies to Part 2 records made through electronic health records in the 3 years prior to the date of the request. It is important to note that the accounting of disclosures requirement is tolled until modifications to the accounting requirement are finalized in HIPAA. Regarding restrictions, a patient in a Part 2 program who has signed a single consent for TPO can now request that their Part 2 program not disclose certain information, but the Part 2 program is not obligated to agree with this request. However, if the Part 2 program does agree, they are then required to withhold that information from disclosures. Similar to HIPAA, a patient also has the right to obtain restrictions on certain disclosures to health plans for services paid in full.
Expanded Prohibitions on Use and Disclosure of Part 2 Records
The final rule clarifies and expands prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legal proceedings conducted by federal, state, or local authority against a patient. The prohibitions apply to any person who obtains a Part 2 record from a Part 2 program, covered entity, business associate, intermediary, or other lawful holder. Absent patient consent or a court order, the proposed prohibitions are: (1) the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a federal or state court; (2) reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a federal, state, or local agency; (3) the use of such record or testimony by any federal, state, or local agency for a law enforcement purpose or to conduct any law enforcement investigation; and (4) the use of such record or testimony in any application for a warrant.
Civil Enforcement for Violations of Confidentiality Provisions
Civil enforcement for violations of confidentiality provisions of Part 2 have been introduced. Previously, enforcement was limited to criminal sanctions. Now, in addition to criminal penalties, violators could be subject to civil monetary penalties (CMP). Patients have the right to file complaints of violations to the HHS Secretary and directly with the Part 2 program.
Breach Reporting Requirements
Part 2 programs are now required to report breaches of Part 2 information in the same manner set forth in the HITECH Act. If a breach is discovered, the program has no more than 60 calendar days to notify patients, HHS, and/or the media, depending on the number of individuals affected.
Disclosure of Part 2 Records for Public Health Purposes
Disclosure of Part 2 records without patient consent for public health purposes is now permitted, but limited to de-identified information according to the standard already established in HIPAA.
Alignment of Part 2 Patient Notice Requirements with HIPAA
Part 2 patient notice requirements have been aligned with HIPAA’s notice of privacy practices. Part 2 programs must establish notices of privacy practices (NPPs). Covered entities that are not Part 2 programs but have Part 2 records must add the protections of Part 2 to their notices. However, HHS intends to provide the same compliance date for both the proposed modifications to the HIPAA NPP provision and the Part 2 patient notices.
Limit on Liability for Investigative Agencies
The final rule implements a “safe harbor” or limitation on civil or criminal liability for individuals acting on behalf of investigative agencies. This safe harbor applies when these individuals unknowingly receive Part 2 records during an investigation or prosecution without first obtaining the necessary court order. Notably, the safe harbor is only applicable when records are obtained for the purpose of investigating a Part 2 program or a person holding the record, not a patient. The safe harbor is available for uses or disclosures inconsistent with Part 2 only when the person acted with reasonable diligence to determine whether Part 2 applied to the records or program.
Revised Definition of a Qualified Service Organization
The final rule revises the definition of a “qualified service organization” (QSO) to include a person who meets the definition of a “business associate” for a Part 2 program that is also a covered entity with respect to the use and disclosure of protected health information that also constitutes a “record”. While QSOs supporting Part 2 programs in such activities as data processing and other professional services are analogous to the activities of business associates supporting covered entities, QSOs have a distinct function within Part 2. For these reasons, HHS determined that QSOA under Part 2 should be understood as distinct from business associate agreements required by HIPAA.
Key Recommendations
Overall, there are many changes to Part 2 that will impact the way in which a Part 2 program interacts with its patients’ information. To prepare for these rule changes, Part 2 programs should consider the following steps:
- Review and Update Policies and Procedures: Review your current policies and procedures and forms for alignment with the final rule and make updates as needed.
- Training and Communication: Conduct comprehensive training for all relevant staff members to ensure they understand the operational changes in the final rule and any changes to existing processes. Develop a plan for communicating the changes to patients.
- Periodic Compliance Reviews: Conduct periodic compliance reviews with a focus on consents and uses/disclosures to assess ongoing compliance with the final rule and identify potential operational enhancements.
- Legal Consultation: Consider consulting with a legal professional experienced in healthcare law to determine the impact of the final rule on your organization and steps you can take to align operations with the requirements of the final rule.
- Monitor for Relevant Changes to HIPAA: Some of the operational changes to Part 2 are dependent on updates to HIPAA (e.g., accounting of disclosures, NPPs). Continue to monitor HHS-OCR and other resources for changes to the HIPAA rules.
By taking these steps, Part 2 programs can better prepare for the rule change and ensure they remain in compliance, thereby minimizing the potential risk of penalties.