Have you heard? HHS is Aligning the Substance Use Disorder Privacy Protections with HIPAA

By: Melissa A. Soliz and Benjamin Yeager, Coppersmith Brockelman PLC 

Introduction

During the worst days of the COVID-19 pandemic, the Trump Administration signed into law the Coronavirus Aid, Relief, and Economic Security Act of 2020 (the CARES Act).[1] Amongst its many provisions was a promise in Section 3221 to align the stringent privacy protections for substance use disorder (SUD) records in 42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2 (collectively, “Part 2”) with HIPAA.[2]  

Congress directed the Secretary of the Department of Health and Human Services (HHS) to make necessary revisions to the Part 2 regulations to implement and enforce the CARES Act amendments by March 27, 2021. That date came and went, with directions from HHS that the Part 2 statutory changes would be delayed until the finalization of new regulations.[3] On December 2, 2022, HHS published its Notice of Proposed Rule Making (NPRM) to revise the Part 2 regulations to implement the CARES Act amendments.[4]

If finalized as proposed, HHS may at long last accomplish its goal of significantly aligning Part 2 with HIPAA as it applies to individuals and organizations that are HIPAA covered entities or business associates. It will also provide investigative agencies with certain liability protections regarding their management of Part 2 records. HHS proposes to require substantial compliance with the new requirements within 24 months after publication of a final rule. Additionally, for the proposed Part 2 Accounting Requirements, HHS proposes to toll the compliance date until the effective date of a final rule on the HIPAA accounting of disclosures standard (see 45 CFR 164.528).

This blog post puts the NPRM in context and breaks down its key components to provide health care providers, health plans and their business associates with the basic information they need to understand the proposed changes to the Part 2 regulations. Comments on the NPRM are due no later than January 31, 2023 and can be submitted electronically at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA16.

Brief Historical Background

Part 2’s privacy protections for SUD records predated HIPAA by nearly thirty years. In 1970 and 1972, Congress passed the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act[5] and the Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972.[6] At the time these laws were passed, there was no comprehensive federal law to protect the privacy of health information. To encourage individuals suffering from SUDs to seek treatment without the fear of stigma and retaliation, Congress passed these laws to stringently protect the privacy of these individuals. Congress sought to do that by making treatment of these individuals invisible to everyone, unless the individual specifically consented to the disclosure of their SUD records. 

These laws were followed by implementing regulations in 1975,[7] which were subsequently amended in 1987.[8] Part 2 remained relatively unchanged for nearly three decades after that. In the meantime, the health care industry underwent massive changes with the passage of HIPAA and implementation of the HIPAA regulations to provide nationwide protection for all protected health information, the shift to electronic medical records and interoperability mandates, the need for integrated care and integrated delivery models, and the rise of the opioid epidemic, which swelled the ranks of those suffering from SUDs to include neighbors, co-workers, family members and friends. The Part 2 privacy barriers erected during the 20th century with the intent of encouraging effective SUD treatment and reducing stigma and discrimination, were having the unintended effect in the 21st century of achieving precisely the opposite result.  

In 2017, 2018 and 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA) made valiant efforts to chip away at the Part 2 barriers to SUD data sharing, care coordination, and research.[9] However, there was only so much that the agency could accomplish within its regulatory authority and without a statutory change to 42 U.S.C. § 290dd-2.

That statutory change came with the passage of the CARES Act. On March 27, 2020, Congress passed the CARES Act[10] to provide emergency assistance to individuals, families, and businesses affected by the COVID-19 pandemic. Section 3221 of the CARES Act—Confidentiality and Disclosure of Records Relating to Substance Use Disorder—substantially amended 42 U.S.C. § 290dd-2 to more closely align the Part 2 privacy standards with HIPAA’s privacy standards, breach notification requirements, and enforcement authority. Congress further directed HHS to revise the Part 2 regulations to implement these statutory amendments. On December 2, 2022, HHS published the NPRM to solicit public comment on its proposal to implement this great alignment of the SUD privacy law with HIPAA. 

Summary of Material Changes and Significance for Stakeholders

Enforcement, Penalties and Breach Reporting

HHS’ proposed changes to the Part 2 enforcement structure, penalties and breach reporting requirements are among the most significant revisions to the Part 2 regulations. 

Under the current Part 2 regulations, the Department of Justice (DOJ) is tasked with enforcing Part 2 violations with criminal penalties.[11] According to the NPRM, DOJ has not undertaken any criminal action to enforce Part 2 as of June 2018.[12] And unlike HIPAA, Part 2 has no breach notification rules that would require a Part 2 program to report the unauthorized use or disclosure of unsecured Part 2 records to individuals, regulators or any other third parties.

The NPRM, if finalized, would radically change the enforcement and breach reporting structure, as required by the CARES Act amendments. First, the NPRM would shift enforcement authority to HHS to enforce Part 2 under the same civil and criminal enforcement structure used for HIPAA.[13] For example, HHS could impose civil penalties against any person for Part 2 violations ranging from $100 to $50,000 per violation with an annual cap of $25,000 to $1.5 million (not adjusted for inflation), depending on the level of intent involved.[14] However, the NPRM also proposes to limit civil and criminal liability for “investigative agencies,” provided that the agency (or investigator) acts with reasonable diligence and satisfies certain conditions.[15] HHS proposes to define an “investigative agency” as “a state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.”[16] This liability protection only extends to investigations of a Part 2 program or other lawful holders of the Part 2 record (not a patient).[17] HHS seeks comment on whether this liability protection should be extended to others. 

Second, HHS proposes to apply the HIPAA breach notification standards to Part 2 programs with respect to breaches of unsecured Part 2 records.[18] This means that a Part 2 program—regardless of whether the Part 2 program is also a HIPAA covered entity—would need to notify affected individuals, HHS, and media outlets (if the breach involves more than 500 residents of a given state or jurisdiction) in the event of breach of unsecured records.[19] The NPRM would also hold Part 2 programs and other lawful holders of Part 2 records responsible for meeting the same privacy and security requirements for the protection of Part 2 records under 42 CFR 2.16, such as maintaining adequate policies and procedures to reasonably protect against unauthorized uses and disclosures.[20]

If finalized, stakeholders should expect significantly more enforcement of the Part 2 regulations within 24 months after the effective date of the final rule.

Part 2 Applicability and Part 2 Records

Part 2 applicability refers to the type of information Part 2 protects and the types of persons and entities that are required to comply with Part 2. Part 2 protects patient identifying information that directly or indirectly identifies a patient as having (or having had) a SUD if it originates from a Part 2 program (collectively, “Part 2 information”).[21] A part 2 program is either: (1) a person or entity, including an identifiable unit within a general medical facility, that holds itself out as providing (and provides) SUD diagnosis, treatment or referral for treatment services (collectively, “SUD services”); or (2) medical personnel or other staff whose primary function is the provision of such SUD services and who are identified as a SUD provider.[22] Part 2’s disclosure restrictions also apply to other lawful holders of Part 2 information. Other lawful holders include qualified service organizations (QSOs), such as HIPAA business associates of Part 2 programs or other lawful holders of Part 2 information; third-party payers that receive Part 2 records from Part 2 programs; entities having direct administrative control over part 2 programs; and other individuals or entities who receive Part 2 records and who are notified of the prohibition on re-disclosure of those records.[23]

As discussed in greater detail below, the NPRM would make significant changes to the applicability of Part 2 to health plans and HIPAA Limited Data Sets. HHS also seeks comment on another potentially significant change to a subset of Part 2 records—SUD counseling notes. HHS further proposes to make clarifying changes throughout the Part 2 regulations that Part 2’s privacy restrictions apply to the use and disclosure (as those terms are defined by HIPAA) of Part 2 records,[24] as well as more precise use of the terms: person; patient; and individual.[25]

Health Plans

HHS is proposing to exempt health plans from compliance with the Part 2 regulations with respect to a wide swath of Part 2 information that health plans receive from Part 2 programs on a daily basis (such as claims and encounter data). 

Currently, Part 2’s downstream disclosure restrictions apply in pertinent part to: (1) “third-party payers”[26] (including health plans) that receive Part 2 information from part 2 programs; and (2) other persons that receive Part 2 records from Part 2 programs or other lawful holders, but only if those records are accompanied by the prohibition on redisclosure notice.[27] HHS proposes to change the definition of “third-party payer” to expressly exclude “health plans” (as defined by HIPAA),[28] and to clarify that the applicability provision in 42 CFR 2.12(d)(2)(i)(A) only applies to third-party payers (as defined by the amended Part 2 regulations).[29] Thus, if finalized, Part 2’s disclosure restrictions in 42 CFR 2.12(d) would only apply to health plans that receive Part 2 records that are accompanied by the prohibition on redisclosure notice. The restrictions would no longer automatically extend to Part 2 information disclosed by Part 2 programs to health plans without the notice. 

This proposed change could significantly reduce the amount of SUD information entitled to Part 2 protection given that most administrative systems and clearinghouses cannot transmit the prohibition on redisclosure notice with claims and encounter data from Part 2 programs to health plans. Moreover, the proposed changes to the Part 2 consent requirements and redisclosure permissions should permit health plans—as HIPAA covered entities—to use and redisclose the Part 2 program records they receive for any HIPAA-permitted purpose. 

HIPAA Limited Data Sets

Under the current Part 2 regulations, Part 2 arguably does not apply to HIPAA Limited Data Sets (e.g., data sets that are stripped of direct HIPAA identifiers under 45 CFR 164.514(e)(2)) that are protected against re-identification under a HIPAA Data Use Agreement (see 45 CFR 164.514(e)(4)(ii)(C)(5)). That’s because 42 CFR 2.16 recognizes that Part 2 programs and other lawful holders of Part 2 records can render the “identifying information non-identifiable in a manner that creates a very low risk of re-identification” by “removing direct identifiers.”[30]

In the NPRM, HHS proposes to align the Part 2 de-identification standard in 42 CFR 2.16 with the HIPAA Privacy Rule’s de-identification standard.[31] HIPAA requires use of an expert statistician method for de-identification or removal of all direct and indirect HIPAA identifiers.[32] If finalized as proposed, this change could have a significant impact on SUD research and quality improvement projects that are conducted with a HIPAA Limited Data Set under a HIPAA Data Use Agreement. 

SUD Counseling Notes

HHS also seeks comment on whether it should impose heightened privacy protections on a subset of Part 2 records called “SUD counseling notes.”[33] HHS proposes to define and treat “SUD counseling notes” similar to HIPAA “Psychotherapy Notes” with respect to individual access rights and third-party disclosures.[34] Specifically, HHS would define “SUD counseling notes” as “notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient’s record.”[35] If adopted, SUD counseling notes would require separate written consent prior to disclosure and would be exempt from an individual’s right of access.[36]

The Part 2 Notice and HIPAA Notice of Privacy Practices (NPP)

HHS proposes to change the current Part 2 summary requirements for Part 2 programs and to modify current HIPAA Notice of Privacy Practices (NPP) requirements for covered entities. 

Under the current Part 2 regulations, a Part 2 program must provide written notice to a patient—at the time the patient is admitted (or as soon as the patient has the capacity to understand his or her medical status)—that the patient’s SUD records are protected by Part 2 (the “Part 2 summary”).[37] The Part 2 summary must include: 

  • A general description of the limited circumstances under which a Part 2 program may acknowledge that an individual is present or disclose outside the Part 2 program information identifying a patient as having or having had a SUD; 
  • A statement that violation of the Part 2 regulations is a crime and that suspected violations may be reported to appropriate authorities, along with contact information; 
  • A statement that information related to a patient’s commission of a crime on the premises of the Part 2 program or against personnel of the Part 2 program is not protected; 
  • A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and 
  • A citation to the federal law and regulations.[38]

A Part 2 program that is also a HIPAA covered entity may combine the Part 2 summary with its HIPAA NPP or provide the Part 2 summary as a separate form.

A HIPAA NPP is much more robust than the Part 2 Summary.[39] For example, an NPP must include all of the following:

  • A prominently displayed header;
  • Descriptions of all the permitted and required uses and disclosures of the patient’s PHI, including if another more stringent law materially limits a HIPAA-permitted use or disclosure;
  • Separate statements for certain uses and disclosures, such as the option to opt out of fundraising communications; 
  • Statements regarding the individual’s right to request certain restrictions, the right to receive confidential communications, the right of access, the right to request an amendment to PHI, right to an accounting of certain types of disclosures, and the right to receive a paper copy of the NPP;
  • A covered entity’s duties, such as notifying individuals following a breach of unsecured PHI;
  • A statement regarding how to file complaints and non-retaliation; and
  • Other requirements, such as contact information and effective date.[40]

In the NPRM, HHS makes the following three proposals: 

  • Align the Part 2 summary requirements with relevant HIPAA NPP requirements thereby reimagining the Part 2 Summary as a more robust Part 2 Notice aka Patient Notice.[41] HHS also proposes to add language to 42 CFR 2.2, 2.4 and 2.26 to align the Part 2 complaint process[42] and patient right to request restrictions on how their Part 2 records are used for treatment, payment and health care operations (“TPO”) purposes[43] with the HIPAA Privacy Rule; 
  • Modify the HIPAA NPP requirements for covered entities to include certain information about Part 2, including Part 2’s restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual, among other changes.[44] Some of HHS’ proposed NPP changes reflect modifications HHS previously proposed in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement;[45] and
  • Remove the so-called inmate exception to HIPAA NPP requirements. This is the exception that allows covered entities to withhold notice from an incarcerated individual with respect to their health information privacy rights and a covered entity’s practices.[46]

The first proposal would ensure that patients of all Part 2 programs will enjoy the same level of notice and transparency as patients of HIPAA covered entities.[47] Specifically, HHS proposes to require that the Part 2 Notice include all of the following:

  • A header nearly identical to the one required for a HIPAA NPP;
  • Descriptions of the uses and disclosures that are permitted for TPO purposes, permitted without written consent, or will only be made with written consent;
  • A patient’s right to request restrictions on disclosures made with prior consent for TPO purposes and when a Part 2 program must agree to a request;
  • A patient’s right to obtain restrictions of disclosures of Part 2 records to a patient’s health plan for those services for which a patient has paid in full in the same manner as HIPAA (see 45 CFR 164.522);
  • A patient’s right to an accounting of disclosures (see Part 2 Accounting Requirements);
  • A patient’s right to obtain an electronic or non-electronic copy of the Part 2 notice upon request;
  • A right to discuss the notice with a designated contact person identified by the Part 2 program; 
  • Statements regarding the Part 2 program’s duties with respect to Part 2 records, including the obligation to inform patients of changes to the Part 2 Notice and breach notifications; 
  • A process for patients to complain to the Part 2 program and HHS when they believe their privacy rights have been violated, as well as how to file a complaint and that a patient will not be retaliated against for filing a complaint; and
  • Part 2 program contact information and the effective date of the Part 2 Notice.[48]

HHS also proposes to:

  • Give Part 2 programs the option of listing additional elements that may be included in the Part 2 Notice, such as when a Part 2 program may choose to more stringently protect Part 2 records (except as may be required by law or permitted for emergency treatment); and 
  • Further align related Part 2 Notice requirements regarding revisions and implementation specifications with similar HIPAA NPP requirements.[49]

The second proposal—modifying the HIPAA NPP—will ensure that adequate notice is given to patients regarding how covered entities may use and disclose Part 2 records and other changes identified by HHS in the NPRM.[50] And the third proposal will ensure that correctional facilities (such as jails and prisons) that are covered entities are held to the same notice requirements as other covered entities.[51]

Finally, HHS is seeking feedback on whether it should impose a consent or opt-out requirement on Part 2 programs and other lawful holders of Part 2 records with respect to the use of Part 2 records to create de-identified data sets or to use Part 2 records for fundraising. HHS is proposing that Part 2 programs obtain written consent for fundraising because HHS believes that fundraising is far enough outside an individual’s reasonable expectation of how their Part 2 records will be used or disclosed that Part 2 programs should obtain written consent.[52] However, HHS is not proposing consent for de-identification activities, stating that it would be inconsistent with Congress’ intent that de-identified information from Part 2 records be disclosed for public health purposes.[53]

Patient Consent and Downstream Uses and Redisclosures of Part 2 Records

Most importantly, HHS proposes to align with HIPAA the Part 2 consent requirements and the downstream uses and disclosures of Part 2 Records that are permitted pursuant to a patient’s consent for treatment, payment and health care operations (a “TPO consent”).

Required Part 2 Consent Elements

HHS proposes to rewrite the Part 2 consent elements to align with current HIPAA authorization elements. Specifically:

| Current (42 CFR 2.31)[54] | Proposed (42 CFR 2.31)[55] | Summary of Change |
|---|---|---|
| (1) The name of the patient. | (1) The name of the patient. | No change. |
| (2) The specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure. | (2) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. | Technical alignment with HIPAA. No material change. |
| (3) How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed. | (3) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. | Substantive change and alignment with HIPAA. |
| (4)(i) General requirement for designating recipients. The name(s) of the individual(s) or the name(s) of the entity(-ies) to which a disclosure is to be made. | (4)(i) General requirement for designating recipients. The name(s) of the person(s), or class of persons, to which a disclosure is to be made (“recipient(s)”). For a single consent for all future uses and disclosures for treatment, payment, and health care operations, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement. | Substantive change and partial alignment with HIPAA with respect to generally designating recipients; however, it is unclear as to whether HHS intends to limit the use of a TPO consent to the following types of recipients: treating providers; health plans; third-party payers; and people helping to operate a Part 2 program. It is also unclear whether a mixed-use facility that operates a Part 2 program may designate the corporate entity as a recipient of a TPO consent for purposes of authorizing redisclosure for HIPAA permitted purposes. |
| (4)(ii) Special instructions for entities that facilitate the exchange of health information and research institutions. Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity facilitates the exchange of health information or is a research institution, a written consent must include the name(s) of the entity(-ies) and (A) The name(s) of individual or entity participant(s); or (B) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13(d)). | (4)(ii) Special instructions for intermediaries. Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity is an intermediary, a written consent must include the name(s) of the intermediary(ies) and (A) The name(s) of the member participants of the intermediary; or (B) A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed. | Technical changes and a substantive change to remove the requirement that the consent form contain a statement of the patient’s right to a list of disclosures made by the intermediary. Notably, HHS is still requiring that the consent form name the recipient entity if the recipient entity is an “intermediary” (as defined by Part 2), and HHS proposes to limit the redisclosure by the intermediary to only those participants of the intermediary that are named or who have a “treating provider relationship” (as defined by Part 2) with the patient. It is unclear how this restriction would apply in instances where the intermediary is also a HIPAA business associate recipient of the Part 2 records pursuant to a TPO consent. |
| N/A | (4)(iii) Special instructions when designating certain recipients. If the recipient is a program, covered entity, or business associate to whom a record (or information contained in a record) is disclosed for purposes of treatment, payment, or health care operations as defined in this part, a written consent must include the statement that the patient’s record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient. | Additional content must be added to a TPO consent to provide the patient with notice of the downstream uses and redisclosures of the Part 2 record when the recipient is another Part 2 program, covered entity, or business associate. |
| (5) The purpose of the disclosure. In accordance with § 2.13(a), the disclosure must be limited to that information which is necessary to carry out the stated purpose. | (5) A description of each purpose of the requested use or disclosure. (i) The statement “at the request of the patient” is a sufficient description of the purpose when a patient initiates the consent and does not, or elects not to, provide a statement of the purpose. (ii) The statement, “for treatment, payment, and health care operations” is a sufficient description of the purpose when a patient provides consent once for all such future uses or disclosures for those purposes. (iii) Fundraising. If applicable, a statement that a patient consents to the use or disclosure of the patient’s records for the purpose of fundraising for the benefit of the program. | Substantive changes to align with HIPAA and to support use of a TPO consent or, if applicable, consent for fundraising. |
| (6) A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer. | (6) The patient’s right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it, and how the patient may revoke consent. | Technical alignment with HIPAA. No material change. |
| (7) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided. | (7) An expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure. The statement “end of the treatment,” “none,” or similar language is sufficient if the consent is for a use or disclosure for treatment, payment, or health care operations. The statement “end of the research study” or similar language is sufficient if the consent is for a use or disclosure for research, including for the creation and maintenance of a research database or research repository. | Substantive changes to align with HIPAA. |
| (8) The signature of the patient and, when required for a patient who is a minor, the signature of an individual authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of an individual authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law. | (8) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who lacks the capacity to make their own health care decisions or is deceased, the signature of a person authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law. | Technical changes. |
| (9) The date on which the consent is signed. | (9) The date on which the consent is signed. | No change. |
| N/A | (10) A patient’s written consent to use or disclose records for treatment, payment, or health care operations must include all of the following statements: (i) The potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part. (ii) The consequences to the patient of a refusal to sign the consent. | Additional content must be added to a TPO consent to provide the patient with notice of: (1) the downstream uses and redisclosures of the Part 2 record; and (2) if refusal to sign the TPO consent will have consequences, such as conditioning treatment or payment for treatment on the TPO consent. HHS does not propose to prohibit the conditioning of treatment on the patient signing the TPO consent.[56] |

Prohibition on Redisclosure Notice

Although HHS has made great efforts to align Part 2’s consent elements with HIPAA’s authorization elements, HHS has chosen to retain the requirement that a prohibition on redisclosure notice accompany any Part 2 disclosure made pursuant to a patient’s written consent, including a TPO consent. HHS is proposing to rebrand the “prohibition on redisclosure notice” as a “notice to accompany disclosure,” and to modify the long-form notice to notify recipients who are covered entities or business associates (or who have received the Part 2 records from a covered entity or business associate for a HIPAA-permitted purpose) that Part 2 does not prohibit these recipients from making further use or disclosure of the Part 2 record.[57]

Downstream Uses and Redisclosures of Part 2 Information

HHS further proposes to create different redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent:

  • Part 2 programs, covered entities and business associates. HHS proposes to allow Part 2 programs, covered entities, and business associates (collectively, “HHS Regulated Entities”) that receive Part 2 records pursuant to a written consent for TPO purposes to redisclose those records for any purpose permitted by the HIPAA Privacy Rule, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.[58] This is a significant change. If finalized, it may effectively cut off the majority of Part 2 privacy protections for Part 2 records received by HHS Regulated Entities pursuant to a patient’s written TPO consent. Indeed, HHS proposes to limit the scope of a patient’s right to revoke a TPO consent to only post-revocation disclosures by the Part 2 program. A revocation would have no effect on a recipient HHS Regulated Entity’s ability to continue to use and redisclose the Part 2 records that it received prior to revocation.[59]
  • Other lawful holders. HHS also proposes to permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.[60]

HHS expects these changes will “facilitate greater integration of SUD treatment information with other PHI,” “improve communication and care coordination” between providers and payers, and reduce administrative burden.[61] HHS proposes to offset the impact such increased data sharing might have on patient privacy by ensuring that covered entities and business associates are still subject to Part 2’s more stringent privacy protections on how Part 2 records are used against patients in legal and administrative proceedings.[62]

Special Rule for Intermediaries

Although HHS proposes to permit the use of consent forms that name a class of persons to whom a disclosure is made and to permit the redisclosure of Part 2 records received by HHS Regulated Entities for TPO purposes for any purpose permitted by the HIPAA Privacy Rule, if the disclosure is to an “intermediary,” the consent must also:

HHS proposes to remove the requirement that the consent form include a statement that patients have a right to request a list of disclosures made pursuant to the consent from the intermediary.[64] However, these intermediaries are still required to provide patients with a list of disclosures upon request.[65] HHS proposes to change the time period covered by this requirement from 2 years to 3 years to align it with the new accounting requirements for Part 2 programs.[66]       

HHS thus proposes to more narrowly restrict the disclosure (and redisclosure) of Part 2 records if one or more of the recipients is an “intermediary.” HHS proposes to define an “intermediary” as “a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.”[67] This is a functional definition that is not restricted to a title or category of business.[68] HHS explains: “[A]n electronic health record vendor that enables entities at two different health systems to share records likely would be an intermediary. That same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient’s records.”[69]

HHS gives the following examples of intermediaries: “health information exchange, a research institution that is providing treatment, an accountable care organization [(ACO)], or a care management organization [(CMO)].”[70] HHS also explains that “member participants” refers to “health care provider practices or health-related organizations.”[71] By contrast, “a research institution that is not providing treatment or a health app that is providing individual patients with access to their records would not be considered an intermediary. [And m]ember participants of an intermediary . . . does not include individual health plan subscribers or workforce members who share access to the same electronic health record system.”[72]

HHS also does not propose to substantively change the definition of “treating provider relationship,” which (as technically revised in the NPRM) means: “that, regardless of whether there has been an actual in-person encounter: (1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and (2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.”[73] Thus, this special rule for intermediaries will presumably continue to limit the disclosure of Part 2 records through an HIE (including an EHR that functions as an HIE), ACO, CMO and other entities when the downstream recipient is not specifically named but only generally described, and in such cases only persons within a narrowly defined treating provider relationship with the patient will be authorized to receive the data. This restriction may undermine HHS’s ultimate goal of facilitating greater integration, improved communication and care coordination, and reduced administrative burden.

Part 2 Accounting Requirements

HHS further proposes to impose certain accounting of disclosure requirements on Part 2 programs. Specifically, the NPRM would require Part 2 programs to provide patients the right to “an accounting of all disclosures made with consent under § 2.31 in the six years prior to the date of the request (or a shorter time period chosen by the patient).”[74] The accounting statement must meet HIPAA’s accounting of disclosure requirements found at 45 CFR 164.528(a)(2) and (b)-(d).[75] However, if the disclosures were made for TPO purposes, then the patient is only entitled to an accounting for the disclosures made through an electronic health record up to three years prior to the date of the request.[76] HHS proposes to toll the compliance date for TPO accounting until the effective date of a final rule on the HIPAA accounting of disclosures standard. This would ensure that Part 2 programs do not incur new compliance obligations before covered entities and business associates under the HIPAA Privacy Rule are obligated to comply. Additionally, HHS proposes requiring Part 2 programs to include a statement of the right to an accounting of electronic record disclosures for TPO purposes in the program’s NPPs.[77]

HHS also proposes to continue to grant patients, who have consented to the disclosure of their Part 2 records through an intermediary using a general designation consent, the right to request an accounting of disclosures from the intermediary.[78] If an intermediary receives a request from such a patient in writing, it must provide the patient with a list of all persons to which it disclosed the patient’s records pursuant to the general designation within the past 3 years.[79] The list must be provided in no more than 30 days and must include the names of the recipients, the date the record was disclosed, and a brief description of the identifying information disclosed.[80]

Part 2 Exceptions

HHS proposes only a couple of notable changes to the Part 2 exceptions to the consent requirements. Specifically, HHS proposes to modify the exception for audits and evaluations and to create a new exception for public health disclosures. HHS also proposes to provide in 42 CFR 2.2(b)(2) that Part 2 requires the disclosure of Part 2 records to the HHS Secretary when such disclosures are necessary for Part 2 compliance investigations and enforcement of Part 2.[81]

Audits and Evaluations

HHS proposes to retitle the audits and evaluations exception as the “management audits, financial audits, and program evaluation” exception, in an effort to more clearly describe the uses and disclosures to which it is meant to apply.[82] HHS recognizes that there is significant overlap between these activities and health care operations[83] and health oversight activities.[84] HHS thus further proposes to modify the exception to clarify that Part 2 programs, covered entities and business associates are permitted to disclose Part 2 records pursuant to a TPO consent when a requesting entity is seeking records for the following activities (and without relying on this exception):

  • Activities undertaken by a federal, state, or local governmental agency, or a third-party payer or health plan, in order to:
    • Identify actions the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;
    • Ensure that resources are managed effectively to care for patients; or 
    • Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD; or
  • Reviews of appropriateness of medical care, medical necessity, and utilization of services; or 
  • For quality assurance activities conducted by accreditation or similar types of organizations focused on quality assurance.[85]

However, to the extent an activity is not a health care operation, but a health oversight activity, the requirements of this exception may apply,[86] unless the entity making the disclosure for the health oversight activity is an HHS Regulated Entity and was itself the recipient of the Part 2 program records pursuant to a TPO consent.[87] In those instances, the HHS Regulated Entity is permitted to redisclose the Part 2 program records for any purpose permitted by the HIPAA Privacy Rule, which would include HIPAA’s exception for health oversight activities.

Disclosures for Public Health (New!)

Per the mandate in the CARES Act amendments, HHS proposes to create a new exception that allows Part 2 programs to disclose Part 2 records without patient consent to a public health authority so long as the record is de-identified.[88] Although this is a “new” exception, it is of little substantive import given that Part 2 does not apply to de-identified data. Indeed, HHS clarifies in the NPRM that this new exception should not be misconstrued “as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a).”[89]

Court Orders

Finally, HHS proposes revisions to Subpart E of the Part 2 regulations, which governs court orders that authorize the use and disclosure of Part 2 records. Many of the revisions expressly clarify that the Subpart E requirements apply to administrative and legislative proceedings, as well as criminal and civil proceedings. HHS further proposes to extend Part 2 protections over the use and disclosure of testimony relaying the information in Part 2 records.[90]

HHS also proposes to add a new process for investigative agencies that unknowingly obtain Part 2 records during an investigation or prosecution of a Part 2 program or person holding Part 2 records, including placement of an undercover agent.[91] Specifically, investigative agencies that discover in good faith that they unknowingly obtained Part 2 records are required to secure those records and to cease using and disclosing them until an appropriate authorization or court order is obtained. If such an authorization or court order is not obtained within 120 days of the discovery, the agency must return or destroy the Part 2 records.[92] HHS further proposes to require investigative agencies to file an annual report with HHS regarding applications filed for Part 2 court orders after the discovery of unknowingly received Part 2 records or placement of the undercover agent.[93]

About the Authors

Melissa (Mel) A. Soliz, a partner with Coppersmith Brockelman, is highly sought out for her deep expertise on data privacy and interoperability issues ranging from HIPAA and 42 CFR Part 2 compliance to the ONC Information Blocking Rule, TEFCA (the Trusted Exchange Framework and Common Agreement) and CMS interoperability mandates. Her practice also focuses on health information exchange and networks, health IT contracting (particularly for social determinants of health and health equity platforms), data breaches and OCR investigations, as well as clinical research compliance and contracting. Mel is President of the Arizona Society of Healthcare Lawyers (AzSHA) and a 2022 Phoenix Magazine Top Lawyer. 

Benjamin (Ben) Yeager is an associate attorney with Coppersmith Brockelman. Ben is developing his practice in health care and data privacy law. Before joining Coppersmith Brockelman, Ben completed clerkships with the Arizona Supreme Court and the Arizona Court of Appeals. During law school, he served as the Administrator of the Hope Endowment Home in Gujarat, India, a children’s home and school serving 150 children that prepares children for future careers and helps them break free from generational poverty.

By the way, you know this is not legal advice, right? Right!

Check with your attorney for legal advice applicable to your situation.


 Endnotes

[1] Public Law 116-136, 134 Stat. 281 (March 27, 2020) (as codified at 42 USC 209dd-2).
[2] “HIPAA” collectively refers to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended. For a more detailed summary of Section 3221 of the CARES Act, please read our Coppersmith Brockelman brief, The CARES Act: Sweeping Changes to Substance Use Disorder Privacy Law (42 USC 290dd-2) (Mar. 30, 2020) (technical amendments Apr. 2, 2020).
[3] See Substance Abuse and Mental Health Services Administration (SAMHSA), Statement on 42 CFR Part 2 Amendments Process.
[4] 87 FR 74216 (Dec. 2, 2022).
[5] Pub. L. 91-616, 84 Stat. 1848 (Dec. 31, 1970).
[6] Pub. L. 92-255, 86 Stat. 65 (Mar. 21, 1972).
[7] 40 FR 27802 (July 1, 1975).
[8] 52 FR 21796 (June 9, 1987).
[9] See 82 FR 6052 (Jan. 18, 2017); 83 FR 239 (Jan. 3, 2018); 85 FR 42986 (July 15, 2020); 85 FR 80626 (Dec. 14, 2020).
[10] CARES Act, Pub. L. 116-136, 134 Stat. 281 (March 27, 2020) (as codified at 42 USC 209dd-2).
[11] 42 CFR 2.3; see also 42 USC 1320d-5 and 1320d-6.
[12] 87 FR at 74225, n. 104.
[13] 87 FR at 74274.
[14] See 42 CFR 2.3(a); Title 18 of the U.S. Code; 42 USC 1320d-5 and 1320d-6.
[15] 87 FR at 74274.
[16] 87 FR at 74275.
[17] 87 FR at 74227.
[18] 87 FR at 74277; see also 45 CFR Part 164, Subpart D.
[19] 45 CFR 164.404, 406, 408, respectively.
[20] 87 FR at 74277.
[21] 42 CFR 2.12(a)(1).
[22] 42 CFR 2.11.
[23] See, e.g., 42 CFR 2.12(d)(2).
[24] See, e.g., 87 FR at 74232.
[25] See, e.g., 87 FR at 74229–30.
[26] 42 CFR 2.11.
[27] 42 CFR 2.12(d)(2).
[28] See, e.g., 87 FR at 74231.
[29] 87 FR at 74276.
[30] 42 CFR 2.16(a)(2)(iv).
[31] 87 FR at 74277.
[32] 45 CFR 164.514(b).
[33] 87 FR at 74230.
[34] See 45 CFR 164.501.
[35] 87 FR at 74230.
[36] See, e.g., 87 FR at 74230–31.
[37] 42 CFR 2.22(a)(c).
[38] 42 CFR 2.22(b).
[39] See 45 CFR 164.520(b).
[40] 45 CFR 164.520(b).
[41] 87 FR at 74235.
[42] 87 FR at 74274.
[43] 87 FR at 74274, 74280.
[44] 87 FR at 74235.
[45] 87 FR at 74237.
[46] 87 FR at 74237.
[47] 87 FR at 74235.
[48] See 87 FR at 74236-37.
[49] See 87 FR at 74237.
[50] 87 FR at 74235; see also id. at 74237-38.
[51] 87 FR at 74237.
[52] 87 FR at 74236.
[53] 87 FR at 74236.
[54] 42 CFR 2.31.
[55] 87 FR at 74280–81.
[56] 87 FR at 74241.
[57] 87 FR at 74241, 74281.
[58] 87 FR at 74281-82.
[59] 87 FR at 74240.
[60] 87 FR at 74251.
[61] 87 FR at 74242.
[62] 87 FR at 74242.
[63] 87 FR at 74281.
[64] 87 FR at 74241.
[65] 87 FR at 74239.
[66] 87 FR at 74239.
[67] 87 FR at 72474–75.
[68] 87 FR at 74229.
[69] 87 FR at 74229.
[70] 87 FR at 74229.
[71] 87 FR at 74229.
[72] 87 FR at 74229.
[73] 87 FR at 74275.
[74] 87 FR at 74280.
[75] 87 FR at 74280.
[76] 87 FR at 74280.
[77] 87 FR at 74279; id. at 74236.
[78] 87 FR at 74280.
[79] 87 FR at 74280.
[80] 87 FR at 74280.
[81] 87 FR at 74247.
[82] 87 FR at 74243.
[83] 87 FR at 74244.
[84] 87 FR at 74243–44.
[85] 87 FR at 74244.
[86] 87 FR at 74244.
[87] 87 FR at 74244.
[88] 87 FR at 74283.
[89] 87 FR at 74244–45.
[90] See generally 87 FR at 74245.
[91] 87 FR at 74246–47.
[92] 87 FR at 74246.
[93] 87 FR at 74247.