Governance & Risk Management , Healthcare , HIPAA/HITECH

HHS Rule Aligns Substance Disorder Privacy Regs With HIPAA

Final Rule for 42 CFR Part 2 Changes Aims to Improve Patient Care Coordination
HHS Rule Aligns Substance Disorder Privacy Regs With HIPAA
Image: U.S. Department of Health and Human Services

The privacy of patients treated for alcoholism, opioid addiction and other substance abuse disorders is protected by federal law, but long-standing inconsistencies in two sets of regulations can prevent doctors and ER departments from accessing the patient's relevant medical history before they prescribe medicine or treatment.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

At the same time, patients with substance abuse disorders worry about their privacy as their information is shared with numerous providers and third parties. The Department of Health and Human Services this week finalized new regulations that better align with HIPAA and are aimed at addressing these privacy concerns.

"People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records," said Xavier Becerra, HHS secretary, in a statement.

HHS's Office for Civil Rights, which enforces HIPAA, and the Substance Abuse and Mental Health Services Administration jointly released the 485-page HHS final rule on Thursday. The rule aligns the Confidentiality of Substance Use Disorder Patient Records regulations - commonly called 42 CFR Part 2 or simply Part 2 - with HIPAA.

The final rule is slated to be published in the Federal Register on Feb. 16 and to go into effect on April 16. Entities subject to the regulations have two years - until Feb. 16, 2026 - to comply.

HHS has been working on the Part 2 rule-making for about four years. The bipartisan Coronavirus Aid, Relief and Economic Security, or CARES, Act, which passed in 2020, required HHS to bring the Part 2 program into closer alignment with HIPAA privacy, breach and enforcement regulations (see: HHS Modified Some Substance Use Disorder Privacy Provisions).

The final rule modifies Part 2 to help improve coordination among providers treating patients for substance use disorders and enhancing integration of behavioral health information with other medical records to improve patient health outcomes, HHS said.

Compared with HIPAA, current Part 2 substance abuse regulations impose different privacy requirements for the handling of records for patients receiving substance disorder treatments from federally assisted programs. They require much more stringent written consents from patients for the use and disclosure of their records than does HIPAA.

To help make it easier for doctors and hospitals to access medical histories, the final rule permits use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment and healthcare operations.

Under the final rule, HIPAA-covered entities and business associates that receive these records under a single patient consent are also permitted to re-disclose the information in compliance with the HIPAA Privacy Rule, with certain exceptions.

The rule also provides new rights for patients under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures. And it restricts the use of Part 2 records and testimony in civil, criminal, administrative and legislative proceedings against patients absent patient consent or a court order.

Also under the final rule, Part 2 penalties are aligned with HIPAA by replacing criminal penalties currently in Part 2 with civil monetary fines and criminal enforcement authorities that also apply to HIPAA violations.

The rule also implements the same requirements of the HIPAA Breach Notification Rule to breaches of patient records under Part 2. And it aligns Part 2 patient notice requirements with HIPAA notice of privacy practices requirements.

"The biggest change for patients will be that they can choose to allow for greater sharing of their substance use disorder information for treatment, payment and healthcare operations without the need to constantly sign new consent forms - while the statute and regulation still protects them from their information being used against them in court or by law enforcement," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

For anyone who creates or receives Part 2 records, including providers and health plans, the final rule raises the stakes for Part 2 compliance, Greene said.

"The risk of enforcement will likely increase significantly once the compliance date arrives in two years and HHS can impose penalties under the HIPAA rules. During that time, providers may want to work with their health IT vendors to ensure their systems fully support compliance."

While the new rule allows for greater uses and disclosures if the patient consents, Part 2 programs and recipients of records still will need to lock down records if the patient has not consented to broad use and disclosure, Greene said. "Recipients of records may need to also coordinate more with the disclosing entity to understand the scope of the patient's consent."

Long Process

HHS issued a notice of proposed rule-making for the modifications to Part 2 regulations in December 2022 and received approximately 220 public comments (see: HHS Rule to Ease Record Sharing, Guard Substance Abuse Data).

HHS said the final rule adopts many of provisions contained in those comments, and certain modifications are based on the public input. HHS dropped a proposal requiring that records received under Part 2 be segmented from other health records.

Experts said the changes to Part 2 regulations - which were first implemented in 1975 and tweaked a few times over the years - are much needed.

"The Part 2 rules - created at a fundamentally different period in our healthcare system and under a completely different regulatory regime - create real challenges and confusion in today's healthcare system," said privacy attorney Kirk Nahra of the law firm WilmerHale.

"Anything that can be done to make these provisions clearer and more consistent is useful for the healthcare system and ultimately for the patients who deserve the best coordinated care," he said.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.