Blog

By: Melissa A. Soliz and Benjamin Yeager, Coppersmith Brockelman PLC 

Introduction

During the worst days of the COVID-19 pandemic, the Trump Administration signed into law the Coronavirus Aid, Relief, and Economic Security Act of 2020 (the CARES Act).^[1] Amongst its many provisions was a promise in Section 3221 to align the stringent privacy protections for substance use disorder (SUD) records in 42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2 (collectively, “Part 2”) with HIPAA.^[2]  

Congress directed the Secretary of the Department of Health and Human Services (HHS) to make necessary revisions to the Part 2 regulations to implement and enforce the CARES Act amendments by March 27, 2021. That date came and went, with directions from HHS that the Part 2 statutory changes would be delayed until the finalization of new regulations.^[3] On December 2, 2022, HHS published its Notice of Proposed Rule Making (NPRM) to revise the Part 2 regulations to implement the CARES Act amendments.^[4]

If finalized as proposed, HHS may at long last accomplish its goal of significantly aligning Part 2 with HIPAA as it applies to individuals and organizations that are HIPAA covered entities or business associates. It will also provide investigative agencies with certain liability protections regarding their management of Part 2 records. HHS proposes to require substantial compliance with the new requirements within 24 months after publication of a final rule. Additionally, for the proposed Part 2 Accounting Requirements, HHS proposes to toll the compliance date until the effective date of a final rule on the HIPAA accounting of disclosures standard, see 45 CFR 164.528. 

This blog post puts the NPRM in context and breaks down its key components to provide health care providers, health plans and their business associates with the basic information they need to understand the proposed changes to the Part 2 regulations. Comments on the NPRM are due no later than January 31, 2023 and can be submitted electronically at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA16.

Brief Historical Background

Part 2’s privacy protections for SUD records predated HIPAA by nearly thirty years. In 1970 and 1972, Congress passed the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act^[5] and the Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972.^[6] At the time these laws were passed, there was no comprehensive federal law to protect the privacy of health information. To encourage individuals suffering from SUDs to seek treatment without the fear of stigma and retaliation, Congress passed these laws to stringently protect the privacy of these individuals. Congress sought to do that by making treatment of these individuals invisible to everyone, unless the individual specifically consented to the disclosure of their SUD records. 

These laws were followed by implementing regulations in 1975,^[7] which were subsequently amended in 1987.^[8] Part 2 remained relatively unchanged for nearly three decades after that. In the meantime, the health care industry underwent massive changes with the passage of HIPAA and implementation of the HIPAA regulations to provide nationwide protection for all protected health information, the shift to electronic medical records and interoperability mandates, the need for integrated care and integrated delivery models, and the rise of the opioid epidemic, which swelled the ranks of those suffering from SUDs to include neighbors, co-workers, family members and friends. The Part 2 privacy barriers erected during the 20^th century with the intent of encouraging effective SUD treatment and reducing stigma and discrimination, were having the unintended effect in the 21^st century of achieving precisely the opposite result.  

In 2017, 2018 and 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA) made valiant efforts to chip away at the Part 2 barriers to SUD data sharing, care coordination, and research.^[9] However, there was only so much that the agency could accomplish within its regulatory authority and without a statutory change to 42 U.SC. § 290dd-2.

That statutory change came with the passage of the CARES Act. On March 27, 2020, Congress passed the CARES Act^[10] to provide emergency assistance to individuals, families, and businesses affected by the COVID-19 pandemic. Section 3221 of the CARES Act—Confidentiality and Disclosure of Records Relating to Substance Use Disorder—substantially amended 42 U.S.C. § 290dd-2 to more closely align the Part 2 privacy standards with HIPAA’s privacy standards, breach notification requirements, and enforcement authority. Congress further directed HHS to revise the Part 2 regulations to implement these statutory amendments. On December 2, 2022, HHS published the NPRM to solicit public comment on its proposal to implement this great alignment of the SUD privacy law with HIPAA. 

Summary of Material Changes and Significance for Stakeholders

Enforcement, Penalties and Breach Reporting

HHS’ proposed changes to the Part 2 enforcement structure, penalties and breach reporting requirements are among the most significant revisions to the Part 2 regulations. 

Under the current Part 2 regulations, the Department of Justice (DOJ) is tasked with enforcing Part 2 violations with criminal penalties.^[11] According to the NPRM, DOJ has not undertaken any criminal action to enforce Part 2 as of June 2018. ^[12] And unlike HIPAA, Part 2 has no breach notification rules that would require a Part 2 program to report the unauthorized use or disclosure of unsecured Part 2 records to individuals, regulators or any other third parties.

The NPRM, if finalized, would radically change the enforcement and breach reporting structure, as required by the CARES Act amendments. First, the NPRM would shift enforcement authority to HHS to enforce Part 2 under the same civil and criminal enforcement structure used for HIPAA.^[13] For example, HHS could impose civil penalties against any person for Part 2 violations ranging from $100 to $50,000 per violation with an annual cap of $25,000 to $1.5 million (not adjusted for inflation), depending on the level of intent involved.^[14] However, the NPRM also proposes to limit civil and criminal liability for “investigative agencies,” provided that the agency (or investigator) acts with reasonable diligence and satisfies certain conditions.^[15] HHS proposes to define an “investigative agency” as “a state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.”^[16] This liability protection only extends to investigations of a Part 2 program or other lawful holders of the Part 2 record (not a patient).^[17] HHS seeks comment on whether this liability protection should be extended to others. 

Second, HHS proposes to apply the HIPAA breach notification standards to Part 2 programs with respect to breaches of unsecured Part 2 records.^[18] This means that a Part 2 program—regardless of whether the Part 2 program is also a HIPAA covered entity—would need to notify affected individuals, HHS, and media outlets (if the breach involves more than 500 residents of a given state or jurisdiction) in the event of breach of unsecured records.^[19] The NPRM would also hold Part 2 programs and other lawful holders of Part 2 records responsible for meeting the same privacy and security requirements for the protection of Part 2 records under 42 CFR 2.16, such as maintaining adequate policies and procedures to reasonably protect against unauthorized uses and disclosures.^[20]

If finalized, stakeholders should expect significantly more enforcement of the Part 2 regulations within 24 months after the effective date of the final rule.

Part 2 Applicability and Part 2 Records

Part 2 applicability refers to the type of information Part 2 protects and the types of persons and entities that are required to comply with Part 2. Part 2 protects patient identifying information that directly or indirectly identifies a patient as having (or having had) a SUD if it originates from a Part 2 program (collectively, “Part 2 information”).^[21] A part 2 program is either: (1) a person or entity, including an identifiable unit within a general medical facility, that holds itself out as providing (and provides) SUD diagnosis, treatment or referral for treatment services (collectively, “SUD services”); or (2) medical personnel or other staff whose primary function is the provision of such SUD services and who are identified as a SUD provider.^[22] Part 2’s disclosure restrictions also apply to other lawful holders of Part 2 information. Other lawful holders include qualified service organizations (QSOs), such as HIPAA business associates of Part 2 programs or other lawful holders of Part 2 information; third-party payers that receive Part 2 records from Part 2 programs; entities having direct administrative control over part 2 programs; and other individuals or entities who receive Part 2 records and who are notified of the prohibition on re-disclosure of those records.^[23]

As discussed in greater detail below, the NPRM would make significant changes to the applicability of Part 2 to health plans and HIPAA Limited Data Sets. HHS also seeks comment on another potentially significant change to a subset of Part 2 records—SUD counseling notes. HHS further proposes to make clarifying changes throughout the Part 2 regulations that Part 2’s privacy restrictions apply to the use and disclosure (as those terms are defined by HIPAA) of Part 2 records,^[24] as well as more precise use of the terms: person; patient; and individual.^[25]

Health Plans

HHS is proposing to exempt health plans from compliance with the Part 2 regulations with respect to a wide swath of Part 2 information that health plans receive from Part 2 programs on a daily basis (such as claims and encounter data). 

Currently, Part 2’s downstream disclosure restrictions apply in pertinent part to: (1) “third-party payers”^[26] (including health plans) that receive Part 2 information from part 2 programs; and (2) other persons that receive Part 2 records from Part 2 programs or other lawful holders, but only if those records are accompanied by the prohibition on redisclosure notice.^[27] HHS proposes to change the definition of “third-party payer” to expressly exclude “health plans” (as defined by HIPAA),^[28] and to clarify that the applicability provision in 42 CFR 2.12(d)(2)(i)(A) only applies to third-party payers (as defined by the amended Part 2 regulations).^[29] Thus, if finalized, Part 2’s disclosure restrictions in 42 CFR 2.12(d) would only apply to health plans that receive Part 2 records that are accompanied by the prohibition on redisclosure notice. The restrictions would no longer automatically extend to Part 2 information disclosed by Part 2 programs to health plans without the notice. 

This proposed change could significantly reduce the amount of SUD information entitled to Part 2 protection given that most administrative systems and clearinghouses cannot transmit the prohibition on redisclosure notice with claims and encounter data from Part 2 programs to health plans. Moreover, the proposed changes to the Part 2 consent requirements and redisclosure permissions should permit health plans—as HIPAA covered entities—to use and redisclose the Part 2 program records they receive for any HIPAA-permitted purpose. 

HIPAA Limited Data Sets

Under the current Part 2 regulations, Part 2 arguably does not apply to HIPAA Limited Data Sets (e.g., data sets that are stripped of direct HIPAA identifiers under 45 CFR 164.514(e)(2)) that are protected against re-identification under a HIPAA Data Use Agreement (see 45 CFR 164.514(e)(4)(ii)(C)(5)). That’s because 42 CFR 2.16 recognizes that Part 2 programs and other lawful holders of Part 2 records can render the “identifying information non-identifiable in a manner that creates a very low risk of re-identification” by “removing direct identifiers.”^[30]

In the NPRM, HHS proposes to align the Part 2 de-identification standard in 42 CFR 2.16 with the HIPAA Privacy Rule’s de-identification standard.^[31] HIPAA requires use of an expert statistician method for de-identification or removal of all direct and indirect HIPAA identifiers.^[32] If finalized as proposed, this change could have a significant impact on SUD research and quality improvement projects that are conducted with a HIPAA Limited Data Set under a HIPAA Data Use Agreement. 

SUD Counseling Notes

HHS also seeks comment on whether it should impose heightened privacy protections on a subset of Part 2 records called “SUD counseling notes.”^[33] HHS proposes to define and treat “SUD counseling notes” similar to HIPAA “Psychotherapy Notes” with respect to individual access rights and third-party disclosures.^[34] Specifically, HHS would define “SUD counseling notes” as “notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient’s record.”^[35] If adopted, SUD counseling notes would require separate written consent prior to disclosure and would be exempt from an individual’s right of access.^[36]

The Part 2 Notice and HIPAA Notice of Privacy Practices (NPP)

HHS proposes to change the current Part 2 summary requirements for Part 2 programs and to modify current HIPAA Notice of Privacy Practices (NPP) requirements for covered entities. 

Under the current Part 2 regulations, a Part 2 program must provide written notice to a patient—at the time the patient is admitted (or as soon as the patient has the capacity to understand his or her medical status)—that the patient’s SUD records are protected by Part 2 (the “Part 2 summary”).^[37] The Part 2 summary must include: 

• A general description of the limited circumstances under which a Part 2 program may acknowledge that an individual is present or disclose outside the Part 2 program information identifying a patient as having or having had a SUD; 
• A statement that violation of the Part 2 regulations is a crime and that suspected violations may be reported to appropriate authorities, along with contact information; 
• A statement that information related to a patient’s commission of a crime on the premises of the Part 2 program or against personnel of the Part 2 program is not protected; 
• A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and 
• A citation to the federal law and regulations.^[38]

A Part 2 program that is also a HIPAA covered entity may combine the Part 2 summary with its HIPAA NPP or provide the Part 2 summary as a separate form.

A HIPAA NPP is much more robust than the Part 2 Summary.^[39] For example, an NPP must include all of the following:

• A prominently displayed header;
• Descriptions of all the permitted and required uses and disclosures of the patient’s PHI, including if another more stringent law materially limits a HIPAA-permitted use or disclosure;
• Separate statements for certain uses and disclosures, such as the option to opt out of fundraising communications; 
• Statements regarding the individual’s right to request certain restrictions, the right to receive confidential communications, the right of access, the right to request an amendment to PHI, right to an accounting of certain types of disclosures, and the right to receive a paper copy of the NPP;
• A covered entities’ duties, such as notifying individuals following a breach of unsecured PHI;
• A statement regarding how to file complaints and non-retaliation; and
• Other requirements, such as contact information and effective date.^[40]

In the NPRM, HHS makes the following three proposals: 

• Align the Part 2 summary requirements with relevant HIPAA NPP requirements thereby reimagining the Part 2 Summary as a more robust Part 2 Notice aka Patient Notice.^[41] HHS also proposes to add language to 42 CFR 2.2, 2.4 and 2.26 to align the Part 2 complaint process^[42] and patient right to request restrictions on how their Part 2 records are used for treatment, payment and health care operations (“TPO”) purposes^[43] with the HIPAA Privacy Rule; 
• Modify the HIPAA NPP requirements for covered entities to include certain information about Part 2, including Part 2’s restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual, among other changes.^[44] Some of HHS’ proposed NPP changes reflect modifications HHS previously proposed in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement;^[45] and
• Remove the so-called inmate exception to HIPAA NPP requirements. This is the exception that allows covered entities to withhold notice from an incarcerated individual with respect to their health information privacy rights and a covered entity’s practices.^[46]

The first proposal would ensure that patients of all Part 2 programs will enjoy the same level of notice and transparency as patients of HIPAA covered entities.^[47] Specifically, HHS proposes to require that the Part 2 Notice include all of the following:

• A header nearly identical to the one required for a HIPAA NPP;
• Descriptions of the uses and disclosures that are permitted for TPO purposes, permitted without written consent, or will only be made with written consent;
• A patient’s right to request restrictions on disclosures made with prior consent for TPO purposes and when a Part 2 program must agree to a request;
• A patient’s right to obtain restrictions of disclosures of Part 2 records to a patient’s health plan for those services for which a patient has paid in full in the same manner as HIPAA (see 45 CFR 164.522);
• A patient’s right to an accounting of disclosures (see Part 2 Accounting Requirements);
• A patient’s right to obtain an electronic or non-electronic copy of the Part 2 notice upon request;
• A right to discuss the notice with a designated contact person identified by the Part 2 program; 
• Statements regarding the Part 2 program’s duties with respect to Part 2 records, including the obligation to inform patients of changes to the Part 2 Notice and breach notifications; 
• A process for patients to complain to the Part 2 program and HHS when they believe their privacy rights have been violated, as well as how to file a complaint and that a patient will not be retaliated against for filing a complaint; and
• Part 2 program contact information and the effective date of the Part 2 Notice.^[48]

HHS also proposes to:

• Give Part 2 programs the option of listing additional elements that may be included in the Part 2 Notice, such as when a Part 2 program may choose to more stringently protect Part 2 records (except as may be required by law or permitted for emergency treatment); and 
• Further align related Part 2 Notice requirements regarding revisions and implementation specifications with similar HIPAA NPP requirements.^[49]

The second proposal—modifying the HIPAA NPP—will ensure that adequate notice is given to patients regarding how covered entities may use and disclose Part 2 records and other changes identified by HHS in the NPRM.^[50] And the third proposal will ensure that correctional facilities (such as jails and prisons) that are covered entities are held to the same notice requirements as other covered entities.^[51]

Finally, HHS is seeking feedback on whether it should impose a consent or opt-out requirement on Part 2 programs and other lawful holders of Part 2 records with respect to the use of Part 2 records to create de-identified data sets or to use Part 2 records for fundraising. HHS is proposing that Part 2 programs obtain written consent for fundraising because HHS believes that fundraising is far enough outside an individual’s reasonable expectation of how their Part 2 records will be used or disclosed that Part 2 programs should obtain written consent.^[52] However, HHS is notproposing consent for de-identification activities, stating that it would be inconsistent with Congress’ intent that de-identified information from Part 2 records be disclosed for public health purposes.^[53]

Patient Consent and Downstream Uses and Redisclosures of Part 2 Records

Most importantly, HHS proposes to align with HIPAA the Part 2 consent requirements and the downstream uses and disclosures of Part 2 Records that are permitted pursuant to a patient’s consent for treatment, payment and health care operations (a “TPO consent.”)

Required Part 2 Consent Elements

HHS proposes to rewrite the Part 2 consent elements to align with current HIPAA authorization elements. Specifically:

Current (42 CFR 2.31)[54]	Proposed (42 CFR 2.31)[55]	Summary of Change
(1) The name of the patient.	(1) The name of the patient.	No change.
(2) The specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure.	(2) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.	Technical alignment with HIPAA. No material change.
(3) How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed.	(3) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.	Substantive change and alignment with HIPAA.
(4)(i) General requirement for designating recipients. The name(s) of the individual(s) or the name(s) of the entity(-ies) to which a disclosure is to be made.	(4)(i) General requirement for designating recipients. The name(s) of the person(s), or class of persons, to which a disclosure is to be made (“recipient(s)”). For a single consent for all future uses and disclosures for treatment, payment, and health care operations, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement.	Substantive change and partial alignment with HIPAA with respect to generally designating recipients; however, it is unclear as to whether HHS intends to limit the use of a TPO consent to the following types of recipients: treating providers; health plans; third-party payers; and people helping to operate a Part 2 program. It is also unclear whether a mixed-use facility that operates a Part 2 program may designate the corporate entity as a recipient of a TPO consent for purposes of authorizing redisclosure for HIPAA permitted purposes.
(4)(ii) Special instructions for entities that facilitate the exchange of health information and research institutions.Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity facilitates the exchange of health information or is a research institution, a written consent must include the name(s) of the entity(-ies) and (A) The name(s) of individual or entity participant(s); or (B) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13(d)).	(4)(ii) Special instructions for intermediaries. Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity is an intermediary, a written consent must include the name(s) of the intermediary(ies) and (A) The name(s) of the member participants of the intermediary; or (B) A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed.	Technical changes and a substantive change to remove the requirement that the consent form contain a statement of the patient’s right to a list of disclosures made by the intermediary.  Notably, HHS is still requiring that the consent form name the recipient entity if the recipient entity is an “intermediary” (as defined by Part 2), and HHS proposes to limit the redisclosure by the intermediary to only those participants of the intermediary that are named or who have a “treating provider relationship” (as defined by Part 2) with the patient. It is unclear how this restriction would apply in instances where the intermediary is also a HIPAA business associate recipient of the Part 2 records pursuant to a TPO consent.
N/A	(4)(iii) Special instructions when designating certain recipients. If the recipient is a program, covered entity, or business associate to whom a record (or information contained in a record) is disclosed for purposes of treatment, payment, or health care operations as defined in this part, a written consent must include the statement that the patient’s record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.	Additional content must be added to a TPO consent to provide the patient with notice of the downstream uses and redisclosures of the Part 2 record when the recipient is another Part 2 program, covered entity, or business associate.
(5) The purpose of the disclosure. In accordance with § 2.13(a), the disclosure must be limited to that information which is necessary to carry out the stated purpose.	(5) A description of each purpose of the requested use or disclosure.(i) The statement “at the request of the patient” is a sufficient description of the purpose when a patient initiates the consent and does not, or elects not to, provide a statement of the purpose.(ii) The statement, “for treatment, payment, and health care operations” is a sufficient description of the purpose when a patient provides consent once for all such future uses or disclosures for those purposes.(iii) Fundraising. If applicable, a statement that a patient consents to the use or disclosure of the patient’s records for the purpose of fundraising for the benefit of the program.	Substantive changes to align with HIPAA and to support use of a TPO consent or, if applicable, consent for fundraising.
(6) A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer.	(6) The patient’s right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it, and how the patient may revoke consent.	Technical alignment with HIPAA. No material change.
(7) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided.	(7) An expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure. The statement “end of the treatment,” “none,” or similar language is sufficient if the consent is for a use or disclosure for treatment, payment, or health care operations. The statement “end of the research study” or similar language is sufficient if the consent is for a use or disclosure for research, including for the creation and maintenance of a research database or research repository.	Substantive changes to align with HIPAA.
(8) The signature of the patient and, when required for a patient who is a minor, the signature of an individual authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of an individual authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.	(8) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who lacks the capacity to make their own health care decisions or is deceased, the signature of a person authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.	Technical changes.
(9) The date on which the consent is signed.	(9) The date on which the consent is signed.	No change.
N/A	(10) A patient’s written consent to use or disclose records for treatment, payment, or health care operations must include all of the following statements:(i) The potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part.(ii) The consequences to the patient of a refusal to sign the consent.	Additional content must be added to a TPO consent to provide the patient with notice of: (1) the downstream uses and redisclosures of the Part 2 record; and (2) if refusal to sign the TPO consent will have consequences, such as conditioning treatment or payment for treatment on the TPO consent. HHS does notpropose to prohibit the conditioning of treatment on the patient signing the TPO consent.[56]

Prohibition on Redisclosure Notice

Although HHS has made great efforts to align Part 2’s consent elements with HIPAA’s authorization elements, HHS has chosen to retain the requirement that a prohibition on redisclosure notice accompany any Part 2 disclosure made pursuant to a patient’s written consent, including a TPO consent. HHS is proposing to rebrand the “prohibition on redisclosure notice” as a “notice to accompany disclosure,” and to modify the long-form notice to notify recipients who are covered entities or business associates (or who have received the Part 2 records from a covered entity or business associate for a HIPAA-permitted purposes) that Part 2 does not prohibit these recipients from making further use or disclosure of the Part 2 record.^[57]

Downstream Uses and Redisclosures of Part 2 Information

HHS further proposes to create different redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent:

• Part 2 programs, covered entities and business associates. HHS proposes to allow Part 2 programs, covered entities, and business associates (collectively, “HHS Regulated Entities”) that receive Part 2 records pursuant to a written consent for TPO purposes to redisclose those records for any purpose permitted by the HIPAA Privacy Rule, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.^[58] This is a significant change. If finalized, it may effectively cut off the majority of Part 2 privacy protections for Part 2 records received by HHS Regulated Entities pursuant to a patient’s written TPO consent. Indeed, HHS proposes to limit the scope of a patient’s right to revoke a TPO consent to only post-revocation disclosures by the Part 2 program. A revocation would have no effect on a recipient HHS Regulated Entities’ ability to continue to use and redisclose the Part 2 records that they received prior to revocation.^[59]

• Other lawful holders. HHS also proposes to permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.^[60]

HHS expects these changes will “facilitate greater integration of SUD treatment information with other PHI,” “improve communication and care coordination” between provider and payers, and reduce administrative burden.^[61] HHS proposes to offset the impact such increased data sharing might have on patient privacy by ensuring that covered entities and business associates are still subject to Part 2’s more stringent privacy protections on how Part 2 records are used against patients in legal and administrative proceedings.^[62]

Special Rule for Intermediaries

Although HHS proposes to permit the use of consent forms that name a class of persons to whom a disclosure is made and to permit the redisclosure of Part 2 records received by HHS Regulated Entities for TPO purposes for any purpose permitted by the HIPAA Privacy Rule, if the disclosure is to an “intermediary,” the consent must also:

HHS proposes to remove the requirement that the consent form include a statement that patients have a right to request a list of disclosures made pursuant to the consent from the intermediary.^[64] However, these intermediaries are still required to provide patients with a list of disclosures upon request.^[65] HHS proposes to change the time period covered by this requirement from 2 years to 3 years to align it with the new accounting requirements for Part 2 programs.^[66]       

HHS thus proposes to more narrowly restrict the disclosure (and redisclosure) of Part 2 records if one or more of the recipients is an “intermediary.” HHS proposes to define an “intermediary” as “a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.”^[67] This is a functional definition that is not restricted to a title or category of business.^[68] HHS explains: “[A]n electronic health record vendor that enables entities at two different health systems to share records likely would be an intermediary. That same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient’s records.”^[69]

HHS gives the following examples of intermediaries: “health information exchange, a research institution that is providing treatment, an accountable care organization [(ACO)], or a care management organization [(CMO)].”^[70]HHS also explains that “member participants” refers to “health care provider practices or health-related organizations.”^[71] By contrast, “a research institution that is not providing treatment or a health app that is providing individual patients with access to their records would not be considered an intermediary. [And m]ember participants of an intermediary . . . does not include individual health plan subscribers or workforce members who share access to the same electronic health record system.”^[72]

HHS also does not propose to substantively change the definition of “treating provider relationship,” which (as technically revised in the NPRM) means: “that, regardless of whether there has been an actual in-person encounter: (1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and (2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.”^[73] Thus, this special rule for intermediaries will presumably continue to limit the disclosure of Part 2 records through an HIE (including an EHR that functions as a HIE), ACO, CMO and other entities when the downstream recipient is not specifically named but only generally described, and in such cases only persons within a narrowly defined treating provider relationship with the patient will be authorized to receive the data. This restriction may undermine HHS’s ultimate goal of facilitating greater integration, improved communication and care coordination, and reduced administrative burden. 

Part 2 Accounting Requirements

HHS further proposes to impose certain accounting of disclosure requirements on Part 2 programs. Specifically, the NPRM would require Part 2 programs to provide patients the right to “an accounting of all disclosures made with consent under § 2.31 in the six years prior to the date of the request (or a shorter time period chosen by the patient.”^[74] The accounting statement must meet HIPAA’s accounting of disclosure requirements found at 45 CFR 164.528(a)(2) and (b)-(d).^[75] However, if the disclosures were made for TPO purposes, then the patient is only entitled to an accounting for the disclosures made through an electronic health record up to three years prior to the date of the request.^[76] HHS proposes to toll the compliance date for TPO accounting until the effective date of a final rule on the HIPAA accounting of disclosures standard. This would ensure that Part 2 programs do not incur new compliance obligations before covered entities and business associates under the HIPAA Privacy Rule are obligated to comply.Additionally, HHS proposes requiring Part 2 programs to include a statement of the right to an accounting of electronic record disclosures for TPO purposes in the program’s NPPs.^[77]

HHS also proposes to continue to grant patients, who have consented to the disclosure of their Part 2 records through an intermediary using a general designation consent, the right to request an accounting of disclosures from the intermediary.^[78] If an intermediary receives a request from such a patient in writing, it must provide the patient with a list of all persons to which it disclosed the patient’s records pursuant to the general designation within the past 3 years.^[79] The list must be provided in no more than 30 days and must include the names of the recipients, the date the record was disclosed, and a brief description of the identifying information disclosed.^[80]

Part 2 Exceptions

HHS proposes only a couple notable changes to the Part 2 exceptions to the consent requirements. Specifically, HHS proposes to modify the exception for audits and evaluations and to create a new exception for public health disclosures. HHS also proposes to provide in 42 CFR 2.2(b)(2) that Part 2 requires the disclosure of Part 2 records to the HHS Secretary when such disclosures are necessary for Part 2 compliance investigations and enforcement of Part 2.^[81]

Audits and Evaluations

HHS proposes to retitle the audits and evaluations exception as the “management audits, financial audits, and program evaluation” exception, in an effort to more clearly describe the uses and disclosures over which it is meant to apply.^[82] HHS recognizes that there is significant overlap between these activities and health care operations^[83] and health oversight activities.^[84] HHS thus further proposes to modify the exception to clarify that Part 2 programs, covered entities and business associates are permitted to disclose Part 2 records pursuant to a TPO consent when a requesting entity is seeking records for the following activities (and without relying on this exception):

• Activities undertaken by a federal, state, or local governmental agency, or a third-party payer or health plan, in order to:
  • Identify actions the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;
  • Ensure that resources are managed effectively to care for patients; or 
  • Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD; or
• Reviews of appropriateness of medical care, medical necessity, and utilization of services; or 
• For quality assurance activities conducted by accreditation or similar types of organizations focused on quality assurance.^[85]

However, to the extent an activity is not a health care operation, but a health oversight activity, the requirements of this exception may apply,^[86] unless the entity making the disclosure for the health oversight activity is a HHS Regulated Entity and was itself the recipient of the Part 2 program records pursuant to a TPO consent.^[87] In those instances, the HHS Regulated Entity is permitted to redisclose the Part 2 program records for any purpose permitted by the HIPAA Privacy Rule, which would include HIPAA’s exception for health oversight activities.  

Disclosures for Public Health (New!)

Per the mandate in the CARES Act amendments, HHS proposes to create a new exception that allows Part 2 programs to disclose Part 2 records without patient consent to a public health authority so long as the record is de-identified.^[88] Although this is a “new” exception, it is of little substantive import given that Part 2 does not apply to de-identified data. Indeed, HHS clarifies in the NPRM that this new exception should not be misconstrued “as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a).”^[89]

Court Orders

Finally, HHS proposes revisions to Subpart E of the Part 2 regulations, which govern court orders that authorize the use and disclosure of Part 2 records. Many of the revisions expressly clarify that the Subpart E requirements apply to administrative and legislative proceedings, as well as criminal and civil proceedings. HHS further proposes to extend Part 2 protections over the use and disclosure of testimony relaying the information in Part 2 records.^[90]

HHS also proposes to add a new process for investigative agencies that unknowingly obtain Part 2 records during an investigation or prosecution of a Part 2 program or person holding Part 2 records, including placement of an undercover agent.^[91] Specifically, investigative agencies that discover in good faith that they unknowingly obtained Part 2 records are required to secure those records and to cease using and disclosing them until an appropriate authorization or court order is obtained. If such an authorization or court order is not obtained within 120 days of the discovery, the agency must return or destroy the Part 2 records.^[92] HHS further proposes to require investigative agencies to file an annual report with HHS regarding applications filed for Part 2 court orders after the discovery of unknowingly received Part 2 records or placement of the undercover agent.^[93]

About the Authors

Melissa (Mel) A. Soliz, a partner with Coppersmith Brockelman, is highly sought out for her deep expertise on data privacy and interoperability issues ranging from HIPAA and 42 CFR Part 2 compliance to the ONC Information Blocking Rule, TEFCA (the Trusted Exchange Framework and Common Agreement) and CMS interoperability mandates. Her practice also focuses on health information exchange and networks, health IT contracting (particularly for social determinants of health and health equity platforms), data breaches and OCR investigations, as well as clinical research compliance and contracting. Mel is President of the Arizona Society of Healthcare Lawyers (AzSHA) and a 2022 Phoenix Magazine Top Lawyer. 

Benjamin (Ben) Yeager is an associate attorney with Coppersmith Brockelman. Ben is developing his practice in health care and data privacy law. Before joining Coppersmith Brockelman, Ben completed clerkships with the Arizona Supreme Court and the Arizona Court of Appeals. During law school, he served as the Administrator of the Hope Endowment Home in Gujarat, India, a children’s home and school serving 150 children that prepares children for future careers and helps them break free from generational poverty.

By the way, you know this is not legal advice, right? Right!

Check with your attorney for legal advice applicable to your situation.

 Endnotes

^[1] Public Law 116-136, 134 Stat. 281 (March 27, 2020) (as codified at 42 USC 209dd-2).^[2] “HIPAA” collectively refers to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended. For a more detailed summary of Section 3221 of the CARES Act, please read our Coppersmith Brockelman brief, The CARES Act: Sweeping Changes to Substance Use Disorder Privacy Law (42 USC 290dd-2) (Mar. 30, 2020) (technical amendments Apr. 2, 2020).^[3] See Substance Abuse and Mental Health Services Administration (SAMSHA), Statement on 42 CFR Part 2 Amendments Process. ^[4] 87 FR 74216 (Dec. 2, 2022).^[5] Pub. L. 91-616, 84 Stat. 1848 (Dec. 31, 1970). ^[6] Pub. L. 92-255, 86 Stat. 65 (Mar. 21, 1972).^[7] 40 FR 27802 (July 1, 1975).^[8] 52 FR 21796 (June 9, 1987).^[9] See 82 FR 6052 (Jan. 18, 2017), 83 FR 239 (Jan. 3, 2018), 85 FR 42986 (July 15, 2020), 85 FR 80626 (Dec. 14, 2020). ^[10] CARES Act, Pub. L. 116-136, 134 Stat. 281 (March 27, 2020) (as codified at 42 USC 209dd-2).^[11] 42 CFR 2.3; see also 42 USC 1320d-5 and 1320d-6.^[12] 87 FR at 74225, n. 104.^[13] 87 FR at 74274.^[14] See 42 CFR 2.3(a); Title 18 of the U.S. Code; 42 USC 1320d-5 and 1320d-6.^[15] 87 FR at 74274.^[16] 87 FR at 74275.^[17] 87 FR at 74227.^[18] 87 FR at 74277; see also 45 CFR Part 164, Subpart D.^[19] 45 CFR 164.404, 406, 408, respectively.^[20] 87 FR at 74277.^[21] 42 CFR 2.12(a)(1).^[22] 42 CFR 2.11. ^[23] See, e.g., 42 CFR 2.12(d)(2).^[24] See, e.g., 87 FR at 74232.^[25] See, e.g., 87 FR at 74229–30.^[26] 42 CFR 2.11.^[27] 42 CFR 2.12(d)(2).^[28] See, e.g., 87 FR at 74231.^[29] 87 FR at 74276.^[30] 42 CFR 2.16(a)(2)(iv).^[31] 87 FR at 74277.^[32] 45 CFR 164.514(b).^[33] 87 FR at 74230.^[34] See 45 CFR 164.501. ^[35] 87 FR at 74230.^[36] See, e.g., 87 FR at 74230–31.^[37] 42 CFR 2.22(a), (c).^[38] 42 CFR 2.22(b).^[39] See 45 CFR 164.520(b).^[40] 45 CFR 164.520(b).^[41] 87 FR at 74235.^[42] 87 FR at 74274.^[43] 87 FR at 74274, 74280.^[44] 87 FR at 74235.^[45] 87 FR at 74237.^[46] 87 FR at 74237.^[47] 87 FR at 74235.^[48] See 87 FR at 74236-37.^[49] See 87 FR at 74237.^[50] 87 FR at 74235; see also id. at 74237-38.^[51] 87 FR at 74237.^[52] 87 FR at 74236.^[53] 87 FR at 74236.^[54] 42 CFR 2.31.^[55] 87 FR at 74280–81.^[56] 87 FR at 74241.^[57] 87 FR at 74241, 74281.^[58] 87 FR at 74281-82.^[59] 87 FR at 74240.^[60] 87 FR at 74251.^[61] 87 FR at 74242.^[62] 87 FR at 74242.^[63] 87 FR at 74281.^[64] 87 FR at 74241.^[65] 87 FR at 74239.^[66] 87 FR at 74239.^[67] 87 FR at 72474–75.^[68] 87 FR at 74229.^[69] 87 FR at 74229.^[70] 87 FR at 74229.^[71] 87 FR at 74229.^[72] 87 FR at 74229.^[73] 87 FR at 74275.^[74] 87 FR at 74280.^[75] 87 FR at 74280.^[76] 87 FR at 74280.^[77] 87 FR at 74279; id. at 74236.^[78] 87 FR at 74280.^[79] 87 FR at 74280.^[80] 87 FR at 74280.^[81] 87 FR at 74247.^[82] 87 FR at 74243.^[83] 87 FR at 74244.^[84] 87 FR at 74243–44.^[85] 87 FR at 74244.^[86] 87 FR at 74244.^[87] 87 FR at 74244.^[88] 87 FR at 74283.^[89] 87 FR at 74244–45.^[90] See generally 87 FR at 74245.^[91] 87 FR at 74246–47.^[92] 87 FR at 74246.^[93] 87 FR at 74247.

By: Chelsea Gulinson, Milligan Lawless, P.C.

Though overshadowed by the COVID-19 Pandemic, the Opioid Epidemic has quietly charged forward, with over 100,000 Americans dying from drug overdoses in 2021.  State, local, and tribal governments have filed thousands of lawsuits against companies and individuals responsible for producing, manufacturing, distributing, or prescribing opioids seeking to hold them accountable for their role in the Epidemic.  Novel legal theories, such as public nuisance violations, have been successful in some jurisdictions, but have failed in others.  Some verdicts have been upheld; others reversed or remanded. 

Despite this uncertain legal landscape, several Big Pharma companies have recently settled with state governments for billions of dollars and injunctive relief.  Whether such an influx of cash will truly mitigate the effects of the Opioid Epidemic on the victims—those suffering from substance use disorder and families grieving their lost loved ones—is yet to be determined.  This blog post briefly describes the current state of the Opioid Epidemic and recent developments in related litigation. 

From 1999 to 2019, almost 500,000 Americans died from a drug overdose involving an opioid.  The first wave of the Opioid Epidemic began in 1999 with increased prescriptions of opioids.  In 2010, the second wave saw rapid increases in overdose deaths involving heroin.  The third wave commenced in 2013, with drug overdose deaths overwhelmingly characterized by synthetic opioids, particularly fentanyl.^[i]

In 2019, 70,630 drug overdose deaths occurred in the United States, a 4.3% increase from 2018.  Nearly 50,000 deaths were attributable to opioids, over 36,000 involving synthetic opioids.^[ii]  In 2020, drug overdose deaths increased to nearly 100,000 Americans, a 30% increase from 2019.  The COVID-19 Pandemic, which claimed the lives of over 1 million Americans, exacerbated the Opioid Epidemic by disrupting access to prevention, treatment, and harm reduction services.  It also highlighted ongoing disparities in access to health care among minority groups.  For example, drug overdose deaths disproportionately increased among Black and American Indian/Alaskan Native persons from 2019 to 2020 due to stigmatization, criminalization, and lack of access to evidence-based treatments.^[iii] “Provisional” data from the CDC indicate that over 100,000 Americans died from a drug overdose in 2021.^[iv]

In 2020, almost 4,000 non-fatal opioid overdoses occurred in Arizona, with 1,886 opioid-related overdose deaths.  In 2021, Arizonans suffered 3,555 non-fatal opioid overdose events, and over 2,000 Arizona residents died from opioid-related overdoses.  As of September 8, 2022, nearly 2,000 non-fatal opioid overdoses have occurred, and 372 Arizona residents have died from an opioid-related overdose.^[v]

Data about opioid prescribing rates help illuminate how the Opioid Epidemic began, why it persists, and why many hold Big Pharma responsible for the Epidemic.  Of individuals who began abusing opioids in the 1960s, more than 80% started with heroin.  In contrast, of those who began abusing opioids in the 2000s, 75% started with a prescription drug, and nearly 80% of heroin users reported using prescription opioids before using heroin.^[vi]

The opioid prescribing rate began to increase steadily in 2006, peaking in 2012 at more than 255 million opioid prescriptions, with a dispensing rate of 81.3 prescriptions per 100 persons.  The national opioid dispensing rate declined between 2012 to 2020, with 43.3 opioid prescriptions per 100 persons in 2020 (still, more than 142 million opioid prescriptions).  Although 2020 saw the lowest opioid dispensing rate to date, for which we have data, dispensing rates remained high in specific hotspots across the country.  In 2020, Southern states, including Kentucky, Tennessee, Alabama, Louisiana, Mississippi, and Arkansas, saw an opioid dispensing rate between 64.1 and 82.9 opioid prescriptions per 100 persons.  And some counties saw opioid dispensing rates of over 112.5 opioid prescriptions per 100 persons.^[vii]

One of the first Opioid Epidemic lawsuits commenced in 2017, when the State of Oklahoma sued Johnson & Johnson, Purdue Pharma, and Teva Pharmaceuticals, alleging that the companies deceptively marketed opioids in Oklahoma.  After settling with Purdue Pharma and Teva Pharmaceuticals, the State dismissed all claims against Johnson & Johnson except a novel public nuisance argument.  After a 33-day bench trial, the Court held that Johnson & Johnson, “acting in concert with others, embarked on a major campaign in which they used branded and unbranded marketing to disseminate the messages that pain was being undertreated and ‘there was a low risk of abuse and a low danger’ . . . designed to reach Oklahoma doctors through multiple means and at multiple times over the course of the doctor’s professional education and career.”^[viii] The Court awarded a $572 million judgment against Johnson & Johnson.  On November 9, 2021, however, the Oklahoma Supreme Court overturned the verdict against Johnson & Johnson, holding that Oklahoma’s public nuisance law did not extend to the manufacturing, marketing, and selling of prescription opioids.^[ix]  Oklahoma later settled with Johnson & Johnson, McKesson, Cardinal, and AmerisourceBergen for $26 billion.^[x]

New Hampshire filed suit against Johnson & Johnson’s subsidiaries in 2018, alleging that the company misrepresented that their opioids were safer than alternatives in aggressive marketing to prescribers and patients.  New Hampshire also alleged that the company “disseminated misleading statements about opioids, that they promoted the false concept of pseudoaddiction and that they misrepresented that their opioids were rarely addictive when used for chronic pain.”  On September 1, 2022, Johnson & Johnson entered into a $40.5 million settlement with New Hampshire, with $21.5 million of the settlement to be used for opioid abatement purposes.  Along with the settlement payment, Johnson & Johnson agreed to a ban on selling and manufacturing opioids, promoting opioids and opioid products, and prescription savings programs, as well as lobbying restrictions and stringent enforcement provisions.^[xi]

The Ohio Multi-District Litigation – a consolidation of over 3,000 cases brought by state, local, and tribal governments – has recently held pharmacies responsible for their role in the Opioid Epidemic.  On August 17, 2022, a court ordered CVS, Walgreens, and Walmart to pay $650.5 million to two Ohio counties after a jury returned a verdict against them last November.  The jury found the defendants liable for causing a public nuisance by intentional and illegal conduct, such as oversupplying legal prescription opioids that were diverted into illicit markets.^[xii]  A spokesperson for CVS indicated the company would appeal, claiming that CVS’s pharmacists “fill legal prescriptions written by D.E.A.-licensed doctors who prescribe legal, F.D.A.-approved substances to treat actual patients in need.”  A Walmart spokesperson blamed the “real causes of the opioid crisis, like pill mill doctors, illegal drugs and regulators asleep at the switch.”^[xiii]

Pharmacies have attempted to shift blame to physicians, but the Supreme Court recently sided with two physicians convicted of unlawfully dispensing and distributing drugs and sentenced to more than 20 years in prison.  The Supreme Court vacated the physicians’ convictions and rejected the government’s mens rea standard of an “objectively reasonable good-faith effort.”  Instead, the Supreme Court held that the government “must prove beyond a reasonable doubt that the defendant knowingly or intentionally acted in an unauthorized manner.”^[xiv]

States, municipalities, and tribal nations have filed suits against various parties, including pharmaceutical companies, manufacturers, distributors, and doctors.  Big Pharma has been accused of, and found liable for, oversupplying Americans with billions of pain medications.  As settlements occur, many question whether the government should also be held responsible for its failures in preventing and combating the Epidemic.  For example, some point to the FDA’s approval of OxyContin’s revised 2001 label for “around-the-clock” pain relief.  Others find fault with the DEA due to the agency’s slow response to the significant increase in the use and diversion of opioids, failure to use available resources, and inadequate policies that did not hold registrants accountable or prevent diversion of pharmaceutical opioids.^[xv]  And although defendants have agreed to pay billions of dollars to help compensate victims, others are not confident that governments receiving the settlement funds will spend these funds effectively.  Perhaps jaded by states’ misspending of their annual proceeds from the $246 billion tobacco Master Settlement Agreement, the likelihood of fights between state and local governments, and politicians on both sides of the political spectrum, critics are rightly concerned about whether the victims of the Opioid Epidemic will see any meaningful relief.^[xvi]

---

^[i] Understanding the Epidemic, CDC, https://www.cdc.gov/drugoverdose/epidemic/index.html (last accessed Sept. 8, 2022).

^[ii] Christine L. Mattson, Ph.D. et al., Trends and Geographic Patterns in Drug and Synthetic Opioid Overdose Deaths – United States, 2013 – 2019, Morbidity and Mortality Weekly Report, CDC, Feb. 12, 2021, available at https://www.cdc.gov/mmwr/volumes/70/wr/mm7006a4.htm?s_cid=mm7006a4_w.

^[iii] Mbabazi Kariisa, PhD et al., Vital Signs: Drug Overdose Deaths, by Selected Sociodemographic and Social Determinants of Health Characteristics – 25 States and the District of Columbia, 2019-2020, Morbidity and Mortality Weekly Report, CDC, July 22, 2022, available at https://www.cdc.gov/mmwr/volumes/71/wr/mm7129e2.htm?s_cid=mm7129e2_w#suggestedcitation.

^[iv] Provisional Drug Overdose Death Counts, National Center for Health Statistics, CDC, https://www.cdc.gov/nchs/nvss/vsrr/drug-overdose-data.htm#notes (last accessed Sept. 8, 2022).

^[v] Weekly Opioid Data, Opioid Prevention, Arizona Department of Health Services, https://www.azdhs.gov/opioid/ (last accessed Sept. 8, 2022).

^[vi] Prescription Opioids and Heroin Research Report, National Institute on Drug Abuse, Rev. Jan. 2018, available at https://nida.nih.gov/download/19774/prescription-opioids-heroin-research-report.pdf?v=fc86d9fdda38d0f275b23cd969da1a1f.

^[vii] U.S. Opioid Dispensing Rate Map, CDC, available at https://www.cdc.gov/drugoverdose/rxrate-maps/index.html (last accessed Sept. 8, 2022).

^[viii] Judgment After Non-Jury Trial, State of Oklahoma ex rel. Hunter v. Purdue Pharma, L.P. et al., District Court of Cleveland County State of Oklahoma, case no. CJ-2017-816 (Aug. 26, 2019), available at https://int.nyt.com/data/documenthelper/1660-oklahoma-opioid-trial-johnson-and-johnson/79f3fe55f5fa1a75bd48/optimized/full.pdf#page=1.

^[ix] District Court’s Judgment Reversed, State of Oklahoma ex rel. Hunter v. Johnson & Johnson et al., Supreme Court of the State of Oklahoma, case no. 118,474 (Nov. 9, 2021), available at https://www.washingtonpost.com/context/oklahoma-court-overturns-465m-opioid-ruling-against-j-j/159ce2c6-f6ba-4e6a-bfaa-539702c744be/?itid=lk_inline_manual_4.

^[x] Christine Minhee, States and Localities Have $38 Billion (Ish) on the Table, available at https://www.opioidsettlementtracker.com/globalsettlementtracker (last access Sept. 9, 2022). 

^[xi] Attorney General Reaches $40.5 Million Settlement with Johnson & Johnson to Settle Opioid Claims, New Hampshire Department of Justice, Sept. 1, 2022, https://www.doj.nh.gov/news/2022/2022901-opioid-settlement.htm.

^[xii] Abatement Order, In re National Prescription Opiate Litigation, United States District Court Northern District of Ohio, case no. 1:17-md-2804 (Aug. 17, 2022), available at https://www.ohnd.uscourts.gov/sites/ohnd/files/4611.pdf.

^[xiii] Jan Hoffman, CVS, Walgreens and Walmart Must Pay $650.5 Million in Ohio Opioids Case, N.Y. Times (Aug. 18, 2022), available at https://www.nytimes.com/2022/08/17/health/opioids-cvs-walmart-walgreens.html.

^[xiv] See Siulu Ruan v. United States, Supreme Court of the United States, case no. 20-1410 (June 27, 2022), available at https://www.supremecourt.gov/opinions/21pdf/20-1410_1an2.pdf.

^[xv] Review of the Drug Enforcement Administration’s Regulatory and Enforcement Efforts to Control the Diversion of Opioids, Office of the Inspector General, U.S. Department of Justice (Sept. 2019), available at https://oig.justice.gov/reports/2019/e1905.pdf.

^[xvi] See Christine Minhee, supra note x, at https://www.opioidsettlementtracker.com/faq/#bigtobacco.

By: Erica Erman, Dickinson Wright

Behavioral health law is an incredibly important and growing area of the law. There are numerous special rules and nuances involved, which is one of the reasons most of us likely see behavioral health law as an “exception”, i.e. you can release documents except for the substance use records, etc. Many rules deal with children or vulnerable populations, oftentimes in emergency or high-risk situations, and the consequences are as significant as they get, including suicide and trauma to name only two. It is also an incredibly rewarding area of the law to practice because you have the chance to make a significant difference in so many lives where help is truly needed.

What is behavioral health?

Behavioral health covers a variety of conditions: suicide prevention, developmental disabilities, anxiety disorders, autism spectrum disorder, bipolar disorder, depression, ADHD, eating disorders, OCD, substance use and co-occurring mental disorders, PTSD, and more.

Health care law covers a huge amount of ground. Behavioral health care law encompasses health care law and then adds even more regulations and requirements in large part due to the particularly sensitive nature of behavioral health conditions.

What are some examples of Arizona state entities involved in behavioral health care?

To name a few, there is Arizona’s Medicaid agency, AHCCCS, which includes ALTCS, Arizona’s Long Term Care System, and contracts with RBHAs, Arizona’s Regional Behavioral Health Authorities, to provide services across the state. The Arizona Department of Economic Security (ADES) includes the Division of Developmental Disabilities (the DDD) which handles essential services for autism spectrum disorder. The Department of Economic Security also includes the Arizona Early Intervention Program, which is Arizona’s statewide interagency system of services and supports for families of infants and toddlers, for children from birth to 3 years of age with disabilities or delays, including those at risk for developing autism spectrum disorder. The Arizona professional regulatory boards such as the Board of Behavioral Health Examiners, Medical Board, Board of Osteopathic Examiners, and State Board of Nursing, among others, regulate behavioral health care providers.

What are a few examples of hot topics in behavioral health law?

1. Parity
   Mental health parity is the idea that mental health and substance use disorder (SUD) benefits and coverage be on par with medical and surgical benefits and coverage. That is what the Federal Parity Act (officially called the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008, and also commonly referred to as MHPAEA) is all about.

   The Parity Act prevents group health plans and health insurance issuers from imposing more restrictive limitations on mental health or SUD benefits than on medical or surgical benefits.

   Why was this Act necessary? Historically, mental health and substance use disorders have not been treated on par with traditional medical/surgical issues. There was and still is significant stigma around addiction and behavioral health issues. The Parity Act aims to make sure that those individuals who need behavioral health benefits have them at the same levels they would for a medical or surgical issue. A few important caveats: the Parity Act doesn’t apply to small employers (under 50 employees) and it only applies to plans that do offer mental health or SUD benefits. But here is where other legislation comes into play: Plans must have “essential health benefits,” which includes “behavioral health” (treatment for mental illness, substance use disorders, and developmental disabilities) under the Affordable Care Act. The ACA established mental health care as an essential health benefit. The Parity Act was passed over 11 years ago, but it is a hot topic now because enforcement of the Parity Act over the last few years has started ramping up. Much of the successful litigation to enforce the Parity Act is based in ERISA, the Employee Retirement Income Security Act, and the idea that health insurers, health plans, and plan administrators are fiduciaries under ERISA. As fiduciaries, these entities are required to make sure the provisions of the Parity Act are being followed.

   You may have heard of the landmark case Wit v. United Behavioral Health from March 2019, which identified 8 generally accepted standards of care for behavioral health and later ordered UBH to reprocess more than 60,000 claims that had been initially denied for not meeting UBH’s medical necessity guidelines.[1] This case recently made headlines again in March 2022 when the Ninth Circuit reversed the district court’s order to reprocess the claims in a surprisingly short memorandum decision that left more questions than answers. This case continues to be significant for its 8 generally accepted standards of care for behavioral health—which were not overturned—and as a signal that parity cases may in the future shift gears from focusing on ERISA to focusing on federal and state discrimination laws for evaluating whether the application (or lack thereof) of behavioral health benefits was on par with the application of medical/surgical benefits.

2. Tele-Behavioral Health: Reimbursement Considerations
   At the time of writing this blog post, the Federal Public Health Emergency (PHE) for COVID-19 is still in effect. An area garnering much interest from behavioral health providers is how tele-behavioral health will function in a post-PHE reality. Here is a short list of 5 relevant federal laws or guidance for behavioral telehealth reimbursement.

   (1) The 2008 Ryan Haight Act – this Act essentially limits prescribing controlled substances over telehealth if a provider has never examined the patient in-person before. There are several important exceptions, including that the Ryan Haight Act does not apply during a public health emergency. This Act will reemerge at the conclusion of the PHE unless there is new legislation to change it.

   (2) The SUPPORT Act – enacted in October 2018, this Act carved out an exception for reimbursement such that a patient being treated for SUD and co-occurring mental conditions does not need to live in a rural area or have an appointment at a health care facility for the provider to be reimbursed.

   (3) Consolidated Appropriations Act of 2021 (enacted in 2020) – this legislation created a permanent exception for reimbursement of mental health services, making it possible for providers to be reimbursed regardless of where their patient is located. However, the legislature put in an additional requirement that for those mental health services to be reimbursed, the patient must have an in-person visit within 6 months before the provision of telehealth. There are some narrow exceptions.

   (4) 2022 Medicare Physician Fee Schedule – CMS added onto the 6 month rule from the CAA of 2021 (above) a new requirement that after the telehealth visit, to be eligible for reimbursement, the patient needs to visit the provider in-person again within 12 months. Again, there are several exceptions. Additionally, CMS expanded the modality of services that can be provided: reimbursement is now possible for mental health services delivered via audio-only telecommunications technology.

   (5) Consolidated Appropriations Act of 2022 – this Act, which became law recently on March 15, 2022, does not add any permanent changes to the SUD and mental health provisions discussed above, but it does add a roughly 5 month extension to the temporary telehealth provisions currently in place after the PHE ends.

3. Interstate Compacts
   Arizona enacted PSYPACT – the Psychology Interjurisdictional Compact that facilitates the practice of telepsychology and temporary in person, face-to-face practice of psychology across state boundaries – several years ago. Arizona providers have greater access to telepractice now that 30 states have enacted PSYPACT with more on the way.

   One Compact you may not have heard of yet that could be very helpful for the behavioral health field in the future is the Interstate Compact for Counselor Licensure. This Compact is not yet operational, as it needs at least 10 states to enact it first, but it is close with 9 already signed on. This Compact is for Licensed Professional Counselors (LPCs) only. It specifically does not include licensed marriage and family therapists or licensed clinical social workers. Arizona currently does not have legislation pending for this Compact, but we may see legislation in the future.

Conclusion

There are many facets to behavioral health law and the above barely scratches the surface. Thanks for reading and don’t forget that after July 16, 2022, anyone can dial 9-8-8 and be connected to the National Crisis Hotline/Suicide Prevention Hotline. You can reach me at 602-889-5342 or [email protected].

---

[1] You can read more about this decision here: https://www.dickinson-wright.com/news-alerts/highlights-from-wit-united-behavioral-health-case