How the CARES Act Final Rule is Changing 42 CFR Part 2 Compliance
By: Melissa Soliz and Katherine Hyde, Coppersmith Brockelman PLC
Last year, the Department of Health and Human Services (HHS) made some significant changes to 42 CFR Part 2 (Part 2)’s privacy protections for substance use disorder (SUD) records. Part 2 programs and other lawful holders of SUD records have less than one year left to get ready for the upcoming compliance deadline on February 16, 2026.
In February 2024, HHS published the final rule modifying Part 2 to implement Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (the “CARES Act Final Rule”).[1] The CARES Act Final Rule was effective April 16, 2024, but the compliance deadline is delayed until February 16, 2026. Early voluntary compliance is permitted. Below, we summarize some of the most important rule changes for health care providers, health plans, and health information networks/exchanges (HIN/HIEs).
Enforcement Structure
One of the most significant changes is the addition of a robust complaint, breach reporting, and penalty enforcement structure that leverages HIPAA’s civil/criminal penalties and the HIPAA Enforcement Rule (see 164 CFR Part 160, Subparts C, D, and E). This change significantly raises the risks associated with Part 2 noncompliance by giving HHS and state attorneys general new enforcement authority. HHS has actively conducted compliance reviews and investigations through OCR and regularly exercises its civil enforcement authority.
Breach Reporting
The requirements of the HIPAA Breach Notification Rule are now applicable to Part 2 programs. Specifically, HHS finalized changes to the Part 2 regulations to require that the Breach Notification Rule “shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.”[2] HHS also finalized the HIPAA definition of “breach” in Section 2.11. However, in the commentary to the CARES Act Final Rule, HHS explains that Part 2 programs are required to report not only HIPAA breaches, but also the unauthorized use or disclosure of Part 2 records in violation of Part 2.[3] Notably, this expanded breach reporting requirement does not apply to other lawful holders of Part 2 records (including Qualified Service Organizations) that are not Part 2 programs.
Applicability and Scope
Neither the CARES Act nor the CARES Act Final Rule makes changes to the applicability of Part 2 to Part 2 programs. However, the CARES Act Final Rule does:
- Change the scope of applicability of Part 2’s use and disclosure restrictions to health plans by excluding health plans (as defined by HIPAA) from the definition of “third-party payer”;[4]
- Clarify the applicability of Part 2 provisions to other lawful holders of Part 2 records as well as the types of individuals and entities who may qualify as a qualified service organization (QSO);[5]
- Adopt the HIPAA de-identification standard;[6] and
- Create a new subset of Part 2 records, called SUD counseling notes, that have heightened protection akin to HIPAA’s protection for psychotherapy notes.[7]
Part 2 Notice
Since its inception, Part 2 has required Part 2 programs to give patients notice of Part 2’s confidentiality requirement upon their admission to the Part 2 program. This is sometimes referred to as a “Part 2 summary” or “Part 2 notice.” In the CARES Act Final Rule, HHS finalized requirements to align the Part 2 notice requirements with HIPAA as well as changes to Part 2’s enforcement structure.[8] The changes are tantamount to a complete rewrite of the Part 2 notice requirements. Consequently, Part 2 programs will need to rewrite their Part 2 notices on or before the February 16, 2026 compliance deadline. For HIPAA-regulated entities, the Part 2 notice may be combined with the HIPAA Notice of Privacy Practices (NPP).
A Future TPO Consent
A patient may now execute a single Part 2-compliant consent that covers all future uses and disclosures of Part 2 records for treatment, payment, or health care operations (TPO) purposes, unless revoked (a “future TPO consent”).[9] When such a future TPO consent is executed, a Part 2 program or HIPAA-regulated entity may use and disclose those Part 2 records as permitted by HIPAA for TPO purposes, unless revoked.[10] Additionally, HIPAA-regulated entity recipients of the Part 2 records pursuant to such a TPO consent may further disclose those Part 2 records in accordance with HIPAA (that is, for other HIPAA-permitted purposes beyond TPO), except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.[11] Disclosures by recipients that are not HIPAA-regulated entities, however, are limited to the purposes provided for in the consent.[12]
Part 2 Consent Elements
HHS has finalized the Part 2 consent elements to partially (but not fully) align with HIPAA authorization elements.[13] A Part 2 consent continues to remain materially different from a HIPAA authorization and may be combined with a HIPAA authorization to form a combined Part 2 consent/HIPAA authorization. Importantly, in the CARES Act Final Rule, HHS revised the definition of “intermediary” to exclude HIPAA-regulated entities.[14] As a result, the special consent requirements and limitations applicable to intermediaries and redisclosures through intermediaries do not apply if the intermediary is a HIPAA-regulated entity.[15] Special consent element rules (or options) also apply:
- To future TPO consents;[16]
- For the use and disclosure of SUD counseling notes;[17]
- To use and disclose Part 2 records in proceedings against the patient;[18]
- For uses and disclosures to prevent multiple enrollments in a withdrawal management or maintenance treatment program;[19]
- To elements in the criminal justice system which have referred patients;[20] and
- For disclosures to prescription drug monitoring programs.[21]
Notice to Accompany Disclosure and Copy/Explanation of Consent
HHS continues to require that certain procedural requirements be followed with respect to consent-based disclosures of Part 2 records. Specifically, HHS continues to require that a “prohibition on redisclosure notice” accompany consent-based disclosures of Part 2 records, but has rebranded this as a “notice to accompany disclosure.”[22] HHS also added a new requirement to transmit a copy of the patient’s consent or clear explanation of the scope of consent with “each disclosure” of the patient’s Part 2 records.[23] HHS added this procedural requirement to enable Part 2 record recipients that are HIPAA-regulated entities to identify whether the Part 2 records were disclosed pursuant to a TPO consent (and thus qualify for redisclosure for HIPAA-permitted purposes, except in proceedings against the patient) or something less or different than a TPO consent.
Conclusion
The CARES Act Final Rule will allow patients to more broadly consent to the use and redisclosure of their Part 2 records, which potentially could enable patients to take better advantage of the benefits of whole person care and advancements in interoperability. Whether these benefits are realized will depend on whether health care providers, health plans, HIN/HIEs and their technology vendors are able to build the technology systems that are capable of identifying, segmenting, and segregating Part 2 records and deploying consent management functionality that meets the requirements of the Part 2 data sharing rules.
[1] 89 FR 12472 (Feb. 16, 2024).
[2] 42 CFR 2.16(b).
[3] 89 FR at 12496.
[4] 42 CFR 2.11 and 2.12(d)(2)(i).
[5] See 42 CFR 2.11 (definitions of QSO and lawful holder).
[6] 42 CFR 2.16(a)(1)(i)(E).
[7] 42 CFR 2.11 and 2.31(b).
[8] 42 CFR 2.22.
[9] 42 CFR 2.33(a).
[10] 42 CFR 2.33(a)(2).
[11] 42 CFR 2.33(b)(1).
[12] 42 CFR 2.33(b)(2).
[13] 42 CFR 2.31.
[14] 42 CFR 2.11.
[15] See 42 CFR 2.31(a)(4)(ii) and 2.24.
[16] See generally 42 CFR 2.31(a).
[17] 42 CFR 2.31(b).
[18] 42 CFR 2.31(d).
[19] 42 CFR 2.34.
[20] 42 CFR 2.35.
[21] 42 CFR 2.36.
[22] 42 CFR 2.32(a).
[23] 42 CFR 2.32(b).