HHS Final Rule Aims To Bring Part 2 Into Alignment With HIPAA

In early 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule ("Final Rule") amending the regulations in 42 C.F.R. part 2 ("Part 2") which governs the confidentiality and privacy of substance use disorder (SUD) records. The amendments aim to bring Part 2 regulations more in line with the rules under the Health Insurance Portability and Accountability Act ("HIPAA"), which governs the use and disclosure of protected health information.

Background:

As noted above, Part 2 protects the privacy rights of people seeking treatment for SUD. The law is designed to reassure patients that sharing information about past or current drug use will not result in adverse consequences related to criminal proceedings or domestic proceedings, such as those related to child custody, divorce, or employment. HIPAA, on the other hand, has a much broader reach, providing, in relevant part, federal standards governing the privacy of all protected health information (as defined in HIPAA).

For those providers who practice at the intersection of HIPAA and Part 2, the differences between the regulatory frameworks of each law have long posed compliance challenges. For example, HIPAA and Part 2 maintained different requirements for SUD treatment records. Under Part 2, SUD treatment providers were not permitted to share a SUD patient's record, nor disclose any information within those records, without express written permission from the patient. Patient consent had to always be written and include explicit information about the records to be shared and list the names of individuals or entities receiving the information. This set of regulations is entirely separate from the HIPAA regulatory framework, which contains myriad exceptions allowing providers to share protected health information, including for treatment, payment and operations purposes. These competing frameworks created an unnecessary hurdle for patients and providers, stifling information sharing and care coordination.

As an acknowledgement of the issues this creates for providers and patients, HHS has sought to update Part 2 regulations to better align them with HIPAA. These efforts were limited, however, because of Part 2's governing statute, which only Congress can change. That all changed with the Coronavirus Aid, Relief, and Economic Security (CARES) Act, enacted in March 2020. Best-known for providing over $2 trillion in emergency assistance in response to the COVID-19 pandemic, the CARES Act also amended 42 U.S.C. § 290dd-2 and directed HHS to engage in rulemaking to better align Part 2 with HIPAA.

Final Rule:

In its Fact Sheet on the Final Rule, HHS highlighted the following regarding Part 2:

• Patient Consent
  • Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
  • Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.
• Other Uses and Disclosures
  • Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
  • Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
• Penalties: Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.
• Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2.
• Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
• Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.