On February 16, 2024, the US Department of Health and Human Services (HHS), through the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA), published the Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2 (Part 2). The Final Rule implements the confidentiality provisions of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which required HHS to bring Part 2 into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act.
It is important to note that Part 2 generally applies to Part 2 programs and those who receive Part 2 records as permitted by patient consent or otherwise permitted by Part 2. “Part 2 programs” are individuals, entities, or identified units in a general medical facility that are federally assisted and “hold themselves out” as providing SUD diagnosis, treatment, or referral for treatment.[1] Before the Final Rule, Part 2 programs subject to Part 2 faced roadblocks in sharing Part 2 records with non-Part 2 providers and others, even for purposes generally seen as permissible under HIPAA to address care coordination, care management, and social determinants of health. The hope is that this long-awaited Final Rule will promote appropriate uses and disclosures under Part 2 similar to what is permissible under HIPAA, while ensuring that the additional patient protections against the use of SUD records against patients in legal proceedings, investigations, or prosecutions remain in place.
Highlights of some of the major changes included in the Final Rule are below.
Consent, use and disclosure, and accounting of disclosures
Perhaps the biggest change that will go into effect is that Part 2 programs will be able to have a single patient consent for all future uses and disclosures for treatment, payment, and health care operations (TPO) until a patient revokes such consent in writing. Furthermore, HIPAA-covered entities and business associates that receive Part 2 records under such patient consent can redisclose Part 2 records in accordance with HIPAA as long as such records are not being redisclosed for legal proceedings against the patient without specific patient consent or a court order. The Final Rule prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other purpose. In addition, a separate consent is required for the use and disclosure of SUD counseling notes.
The Final Rule also adds a right to an accounting of all disclosures made with the patient’s consent for up to three (3) years prior to the date that a patient requests such accounting. There will also be an accounting of disclosure requirement that uniquely applies to disclosures for TPO made through an electronic health record (EHR). The effective date for compliance with the accounting of disclosure requirement is delayed until there is a final HIPAA rule to address accounting for TPO disclosures made through an EHR.
Many who receive Part 2 records will also welcome the fact that HHS expressly states that data segmentation and record segregation are not required of Part 2 programs, covered entities, or business associates that have received records based on a single consent for all future TPO.
What happens with Part 2 breaches now?
The Final Rule applies the same requirements of the HIPAA Breach Notification Rule to Part 2 programs and breaches of records under Part 2. This includes breach notification to patients regarding Part 2 records held on behalf of a Part 2 program by a qualified service organization (QSO) or a business associate. Notably, HHS stated that it did not believe it had the authority to apply breach notification requirements to QSOs as they apply to business associates under the HIPAA Breach Notification Rule.
Penalties for failure to comply with Part 2
Before the Final Rule, any Part 2 violations could lead to criminal penalties. Many justifiably noted that while such penalties could be considered significant, there was actually little, if any, public awareness that criminal penalties had ever been imposed for Part 2 violations. In the Final Rule, HHS has now stated that it anticipates taking a similar approach to addressing noncompliance under Part 2 as for HIPAA violations, ranging from voluntary compliance and corrective action to civil and criminal penalties. Therefore, there will finally be “teeth” to enforce Part 2 compliance.
Lastly, patients will be able to file a complaint with HHS for Part 2 violations, similar to how patients can file complaints for HIPAA violations.
Notice to patients of federal confidentiality requirements
Part 2 programs will be required to make changes to their notice to patients of Part 2 requirements and make notices that are similar to what is currently seen with HIPAA Notice of Privacy Practices requirements. The notice will, in part, notify patients of their right to a list of disclosures (once that Part 2 requirement is in effect) and their right to elect not to receive any fundraising communications by opting out of receiving such communications.
Compliance and next steps
HHS will provide technical assistance in implementing the Final Rule using resources related to behavioral health from the SAMHSA-sponsored Center of Excellence for Protected Health Information. Individuals and entities will be required to comply with the Final Rule by February 16, 2026, but can start compliance as soon as April 16, 2024. HHS will also undertake outreach efforts and create guidance materials to aid in compliance with the new requirements, including instructions for filing breach reports as necessary.
Nixon Peabody will continue to monitor the guidance from HHS.
[1] SAMHSA and the Office of the National Coordinator for Health Information Technology created a handout in 2018 to help providers determine whether and how Part 2 applies to them.