The U.S. Department of Health & Human Services (HHS) has recently released the Part 2 Final Rule, marking a significant update for Substance Use Disorder (SUD) programs and HIPAA-regulated entities. This revision to 42 CFR Part 2 (referred to here as Part 2) aims to modernize and streamline privacy and security practices, addressing long-standing complexities in health care privacy. The final rule, eagerly anticipated by stakeholders, directly implements provisions from the 2020 CARES Act and incorporates modifications proposed in the November 2022 Notice of Proposed Rulemaking, further refined by public feedback.
Scheduled for publication in the Federal Register on February 16, 2024, the Part 2 Final Rule will become effective 60 days post-publication. Crucially, covered entities will have 24 months from the publication date to achieve full compliance, providing a necessary window for adaptation and implementation of these updated regulations.
Understanding Part 2 Applicability in Healthcare Privacy
To fully grasp the impact of these changes on health care privacy, it’s essential to revisit the core applicability of Part 2. These regulations are designed to safeguard patient health records created or managed by Part 2 programs. A Part 2 program is defined as any individual, entity, or specific unit within a general medical facility that is federally assisted, and which presents itself as providing, and indeed provides, SUD diagnosis, treatment, or referral services. A quintessential example of a Part 2 program is an Opioid Treatment Program (OTP) offering Medication Assisted Treatment (MAT) for individuals diagnosed with opioid use disorder. These programs operate under stringent privacy rules to encourage individuals to seek help without fear of legal repercussions or stigma.
Streamlining Patient Consent for Enhanced Healthcare Operations
One of the most impactful updates within the Part 2 Final Rule is the simplification of patient consent procedures. Now, Part 2 programs can obtain a single, comprehensive consent from a patient. This consent covers all future uses and disclosures of Part 2 records for treatment, payment, and health care operations (TPO) as permitted under HIPAA regulations. This consent remains valid until the patient actively revokes it in writing. This change necessitates an update to patient workflows within Part 2 programs to effectively capture this broader consent at the outset. This updated consent framework significantly reduces the administrative burden associated with using and disclosing Part 2 information, moving away from the more restrictive requirements of the previous regulations and enhancing overall healthcare operations.
Furthermore, HIPAA covered entities and business associates receiving records under this TPO consent are now authorized to redisclose these records in accordance with HIPAA regulations. However, a critical caveat remains: redisclosure for use in legal proceedings against the patient is prohibited without specific consent or a court order. This limitation aims to facilitate necessary information sharing among programs, covered entities, and business associates for coordinated care, while preserving vital patient protections against potential misuse of these sensitive records in legal contexts. The Part 2 Final Rule consistently emphasizes restrictions on using or disclosing patient records to initiate or substantiate criminal charges, investigations, or civil proceedings against patients, reinforcing patient privacy within healthcare.
A noteworthy modification from the proposed rule is the mandate that each disclosure made with patient consent must include a copy of the consent or a clear, concise explanation of its scope. This requirement ensures that recipients of patient records are fully informed about the permissible redisclosure parameters. This is in addition to the standard redisclosure notice accompanying each disclosure with written consent, reminding recipients, “42 CFR Part 2 prohibits unauthorized use or disclosure of these records.” This multi-layered approach aims to bolster patient privacy and ensure responsible data handling throughout the healthcare ecosystem.
Aligning Patient Notice with HIPAA Standards for Clarity
The Part 2 Final Rule also brings Part 2’s patient notice requirements into closer alignment with the HIPAA Notice of Privacy Practices. Part 2 programs are now required to revise their patient notices to incorporate several key elements. These include a newly mandated heading, updated descriptions of permitted uses and disclosures under the revised Part 2 Final Rule, and a clear articulation of patient rights as expanded by the Final Rule. HHS has indicated its intention to further harmonize these regulations by finalizing changes to the HIPAA Notice of Privacy Practices in a future rule specifically modifying the HIPAA Privacy Rule. The modalities for providing patient notice under Part 2 will mirror the established requirements under the HIPAA Privacy Rule, promoting consistency and ease of understanding for both providers and patients.
Enhanced Patient Rights Mirroring HIPAA in Healthcare Settings
Reflecting a commitment to enhanced health care privacy, the Part 2 Final Rule significantly expands patient rights, mirroring many of the protections afforded under the HIPAA Privacy Rule. Patients now have the right to: (i) request restrictions on disclosures to their health plan for services paid out-of-pocket or disclosures made with prior consent for TPO purposes; (ii) obtain an accounting of disclosures, including those made for TPO via electronic health records within the preceding 3 years; and (iii) opt out of receiving fundraising communications. These enhanced rights are designed to foster greater transparency regarding how a patient’s records are utilized and disclosed, empowering patients with increased control over their sensitive health information within the healthcare system.
It is important to note that, unlike HIPAA, Part 2 does not currently include a broad, explicit right for patients to directly access their own information. HHS has clarified this point, stating that Part 2 programs retain discretion regarding patient access to records. However, Part 2 programs that are also HIPAA regulated entities remain obligated to fully comply with the HIPAA Privacy Rule’s access requirements, ensuring a baseline level of patient access in these dually regulated settings.
Breach Notification Aligned with HIPAA Breach Rule for Data Security
In a significant step towards strengthening data security within SUD programs, the Part 2 Final Rule adopts HIPAA’s Breach Notification Rule for breaches of unsecured records by Part 2 programs. It also incorporates HIPAA’s definitions of “breach” and “unsecured.” This alignment means that a Part 2 program experiencing an unauthorized acquisition, access, use, or disclosure of unsecured records that violates Part 2 will now be required to conduct a breach risk assessment. Depending on the outcome of this assessment, notification to affected individuals, HHS, and potentially the media may be mandated, mirroring the established procedures under HIPAA and reinforcing accountability for data protection in healthcare.
Defining Substance Use Disorder Counseling Notes for Specific Protection
The Part 2 Final Rule introduces a clear definition of SUD counseling notes, closely mirroring HIPAA’s definition of psychotherapy notes. SUD counseling notes are defined as notes, recorded in any medium, by a Part 2 program provider who is a SUD or mental health professional. These notes document or analyze the contents of conversations during a SUD counseling session. Consistent with HIPAA, these notes must be kept separate from the general medical record. Importantly, SUD counseling notes specifically exclude data such as medication prescription and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summaries of diagnosis, functional status, treatment plans, symptoms, prognosis, and progress to date. These excluded elements are considered part of the general medical record, not SUD counseling notes.
Similar to HIPAA’s stringent protection of psychotherapy notes, the disclosure of SUD counseling notes requires specific, explicit consent from the individual patient. Part 2 permits clinicians to use their professional judgment in deciding whether to grant patients access to their SUD counseling notes, balancing patient autonomy with clinical considerations.
Data Segregation Policies Updated for Practical Implementation
The Part 2 Final Rule removes previous language that mandated segregation or segmentation of Part 2 records. HHS explicitly states that segregating or segmenting Part 2 records is not required for Part 2 programs, covered entities, and business associates that receive records under a single consent for all future TPO. However, it is critical to understand that these records remain classified as Part 2 records and are still subject to all Part 2 protections. This includes the critical restriction that these records cannot be used in legal proceedings against the patient without proper authorization. This change aims to simplify data handling processes while upholding fundamental patient privacy rights.
Penalties for Violations Mirroring HIPAA Enforcement
Enforcement of Part 2 regulations will now align with HIPAA’s robust penalty structure. Violations of Part 2 will be subject to the same civil and criminal penalties as HIPAA violations. This includes the imposition of civil money penalties, categorized into four tiers based on culpability, mirroring the HIPAA violation penalty framework. Patients also retain the right to file complaints with HHS for suspected violations of Part 2, ensuring a clear pathway for addressing privacy concerns within healthcare.
Conclusion: Preparing for the Evolving Landscape of Health Care Privacy
The Part 2 Final Rule represents a significant evolution in health care privacy regulations for SUD programs. Part 2 programs should proactively begin reviewing their existing Part 2 compliance programs to identify necessary updates in policies, procedures, patient consents, and patient notices. This period of transition presents an opportune moment to conduct comprehensive retraining for the workforce. Training should focus on the nuanced requirements for using and disclosing Part 2 records, clearly differentiating these regulations from HIPAA, especially given the newly imposed breach notification obligations for Part 2 violations. By taking these proactive steps, SUD programs can ensure they are well-prepared to navigate the updated regulatory landscape and maintain the highest standards of patient privacy in the evolving healthcare environment.
For further inquiries regarding the applicability of Part 2 to your organization or the implementation of the Part 2 Final Rule, please reach out to the authors or any Partner or Senior Counsel within Foley’s Cybersecurity and Data Privacy Group or Health Care Practice Group.