On February 16, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) filed a final rule (the “Rule”) to revise and strengthen the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations at 42 CFR Part 2 (“Part 2”) to increase patient privacy protections. The Rule implements requirements from the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act to align portions of Part 2 with the privacy and security rules set forth in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Rule will officially go into effect on April 16, 2024.
Entities maintaining SUD records must evaluate their current practices in relation to this new Rule and adjust their policies accordingly.
Key Changes Created By the Rule
The Rule includes certain concepts previously outlined in the Notice of Proposed Rule Making, as modified in response to public comments. A summary of the updates include:
- Patient Consent: Updated patient consent requirements include (1) permitting a single consent for future uses and disclosures for treatment, payment, and health care operations; (2) permitting HIPAA covered entities and business associates receiving such records to redisclose in accordance with the HIPAA regulations; (3) prohibiting combining consent for disclosure of records in civil, criminal, administrative, or legislative proceedings with any other patient consent; (4) requiring separate consent for the use and disclosure of SUD counseling notes; and (5) requiring each disclosure made with patient consent to include a copy of the consent or a clear explanation of the scope of the consent.
- Other Uses and Disclosures
- Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
- Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
- Penalties: Aligns penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.
- Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule to breaches of SUD records.
- Patient Notice: Aligns patient notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
- Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records during an investigation. The safe harbor also requires investigative agencies to take certain steps, including filing an annual report in the event they discover they received Part 2 records without having first obtained the requisite court order. Additionally, to qualify for the Safe Harbor protections, the Final Rule clarifies and strengthens the reasonable diligence steps that investigative agencies must follow. Specifically, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine if the provider is subject to Part 2.
- Segregation of Part 2 Data: Adds an express statement that a covered entity or business associate that holds records covered by Part 2 is not required to segregate or segment such records.
- Complaints: Provides a right for any patient to file a complaint directly with the Secretary of HHS and/or concurrently file a complaint with the Part 2 program for an alleged violation.
- SUD Counseling Notes: Similar to the manner in which psychotherapy notes are afforded additional protection under HIPAA, the Rule created a higher threshold for disclosure of SUD clinician’s notes.
- Fundraising: Established a right for patients to opt out of fundraising communications.
How Frier Levitt Can Help
It is essential that entities maintaining patient records protected by Part 2 review their policies and standard operating procedures to confirm their practices are consistent with the updated Rule. This review is an opportunity for these organizations to perform an overall compliance check related to their privacy and security generally. Contact Frier Levitt for guidance in reviewing and updating your businesses’ policies to ensure compliance with the Rule’s anticipated enactment and other applicable state and federal privacy laws.
