The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued long awaited updates to the regulations at 42 CFR Part 2 (Part 2) on February 16, 2024. Part 2 is a critical set of rules protecting the privacy of patients receiving substance use disorder (SUD) treatment services and their associated clinical records.
With the goal of better aligning and integrating Part 2 with the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and increasing care coordination among SUD treatment providers (such as Opioid Treatment Programs and community mental health centers), the Part 2 Final Rule modifies permitted uses and disclosures of SUD records, creates breach notification requirements, and expands HHS’s enforcement authority, among other protections.
Patient Consents and Notices
HHS’s updates to Part 2 broaden the scope of SUD patient consents to facilitate coordination among SUD treatment providers. Under the Final Rule, a single patient consent may be applied, with the express permission of the patient, to all future uses and disclosures for treatment, payment, and healthcare operation (TPO) purposes.
Additionally, the Final Rule more closely aligns the regulations governing Part 2 with the HIPAA privacy rule standards, mirroring the Part 2 Patient Notice requirements with the HIPAA Notice of Privacy Practices, and permitting HIPAA covered entities and business associates that receive records pursuant to a Part 2 patient consent to redisclose these records in accordance with the HIPAA regulations.
Like the accounting requirement under the HIPAA Privacy Rule, the Final Rule adds a requirement that Part 2 programs provide patients with an accounting of the disclosures in the three years prior to the request of their health records if made with consent under § 2.31, though accounting of disclosures of records for treatment, payment, and healthcare operations are only required when made through an electronic health record.
However, certain constraints specific to Part 2 records still apply, including the prohibition against using the Part 2 patient records in a legal proceeding against the patient without a specific consent or court order. Similarly, Part 2 prohibits combining a patient’s consent specific to use and disclosure for civil, criminal, administrative, or legislative proceedings with patient consents for other purposes. SUD patients would need to sign two separate consents for these distinct purposes.
Under the Final Rule, Part 2 also requires a third, separate patient consent for treatment providers to use or disclose SUD counseling notes. Like the HIPAA protections governing psychotherapy notes, SUD counseling notes—meaning those clinician notes that analyze the conversation in a SUD counseling session which are maintained separate and apart from the rest of the patient’s SUD treatment and medical record—may not be used or disclosed pursuant to merely a broad consent for TPO purposes.
The Part 2 Final Rule also allows certain disclosures without patient consent, including disclosure of de-identified records to public health authorities and scientific researchers pursuant to the standards established in the HIPAA Privacy Rule.
Segregation of Records
Within the Part 2 Final Rule, HHS also added an express statement that Part 2 treatment programs, covered entities, and business associates are not required to segregate Part 2 records received under a consent for TPO. However, such Part 2 records will retain the applicable prohibitions against use and disclosure in investigations or proceedings absent specific patient consent or a court order.
Breach Notifications
In further alignment with HIPAA, the Part 2 Final Rule also applies the same requirements as promulgated under the HIPAA Breach Notification Rule to breaches affecting Part 2 records, meaning that Part 2 programs must provide notification of the breach to affected individuals, the HHS Secretary, and, in certain circumstances, to the media following a breach of unsecured protected health information.
Complaints and Penalties
The Part 2 Final Rule also bolsters an SUD patient’s right to redress for privacy violations, as well as expands HHS’s civil enforcement powers. Under the Final Rule, patients now have a right to file a complaint directly with the HHS Secretary for alleged violations of Part 2, in addition to concurrently filing a complaint directly with the Part 2 treatment program. Consistent with this requirement, the Final Rule requires Part 2 programs to develop a process to receive complaints from patients, similar to HIPAA’s complaint process requirement, and prohibits retaliation against patients for filing a complaint.
Violators of Part 2 requirements may also now face the same civil and criminal enforcement authorities that apply to HIPAA violators, including possible application of civil monetary penalties and imprisonment. Under the Final Rule, a Part 2 program will be subject to the civil penalties promulgated at 42 USC 1320d–5 for violations of Part 2 in which either the violator did not know (and by exercising reasonable diligence would not have known) of the violation, or in instances where the requirements were violated through reasonable cause or willful neglect.
Part 2 programs may also be subject to the criminal penalties promulgated at 42 U.S.C. 1320d–6 for knowingly using, obtaining, or disclosing individually identifiable information in violation of Part 2.
Safe Harbor
Relatedly, the Final Rule also creates a safe harbor from civil or criminal liability for investigative agencies (i.e., state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agencies having jurisdiction over the activities of Part 2 programs or other person holding Part 2 records) that act with reasonable diligence in determining whether a provider is subject to Part 2 before making a request for records. To exercise reasonable diligence, an investigative agency must review SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
The safe harbor also requires investigative agencies to take certain protective steps in the event the agency discovers Part 2 records were received without the requisite court order. Upon discovery, the investigative agency must take steps to secure the Part 2 records and immediately cease using or disclosing the records until a court order is received. If the agency does not seek a court order or the court order is rejected, the records must be returned or destroyed.
Recommendations
Notably, the Part 2 regulations “follow the information,” meaning that the restrictions imposed by Part 2 apply to Part 2 records even after the records leave the hands of the Part 2 treatment program. Accordingly, providers and vendors of all kinds that touch Part 2 information must familiarize themselves with the updated regulations and work to update affected policies and procedures, as well as conform any applicable patient notices and consents.
Additionally, any qualified service organizations providing applicable services to a Part 2 treatment program—such as data processing, laboratory analyses, and medical staffing, among many others—must reevaluate and potentially update the language in any executed qualified service organization agreements (QSOA) to ensure continued compliance with the Part 2 mandates and changes. This may include, though may not be limited to, revisions to applicable definitions consistent with the Final Rule and a breach notification provision.
HHS has stated in response to public comments that it may consider issuing concise additional guidance on what is required in a QSOA following the Final Rule publication. With the updates in the Final Rule, qualified service organizations are those individuals or entities who provide services to a Part 2 program and have entered into a qualified service organization agreement with a Part 2 program, including business associates for a covered entity that is also a Part 2 program, with respect to the use and disclosure of protected health information.
For those conducting due diligence on Part 2 programs, the Final Rule’s efforts to more closely align Part 2 with applicable HIPAA regulations will require additional scrutiny of Part 2 provider compliance programs, including review for appropriate implementation of qualified service organization agreements, patient consent and complaint processes, and compliant breach log and notification procedures.
Although the Final Rule takes effect April 15, 2024, any individuals or entities subject to Part 2 have until February 16, 2026, to come into full compliance with the Final Rule. Since the Part 2 regulation does not contain a standard compliance period for regulatory changes, the Final Rule intends the 22-month compliance period to give Part 2 programs the opportunity to revise existing policies and practices, complete other implementation requirements, and train their workforce members on the changes, as well as to minimize administrative burdens on entities subject to the HIPAA Privacy Rule.
If you have questions about your organization’s current and future compliance with Part 2 or are a qualified service organization seeking to understand potential liability for Part 2 disclosures, contact the authors or your Morgan Lewis lawyer.