Update to Federal Substance Use Disorder Treatment Records Privacy Regulations – Part 2

On February 16, 2024, the U.S. Department of Health and Human Services, through its Office for Civil Rights and its Substance Abuse and Mental Health Services Administration (“SAMHSA”), published the long-awaited Final Rule modifying the regulations at 42 C.F.R. Part 2—known as the Part 2 regulations or simply Part 2—that govern the privacy of substance use disorder (“SUD”) treatment records. The Final Rule brings Part 2 more in line with the regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). The changes take effect on April 16, 2024, but those subject to Part 2 have a grace period until February 16, 2026 to comply with the changes.

Since HIPAA is generally more permissive than Part 2, it is important at the outset of this post to emphasize that the modified Part 2 remains stricter than HIPAA, particularly with regard to disclosure requirements. The balance to be struck in any update of Part 2 is between maintaining strict protections on the privacy of SUD records while addressing the real concern that Part 2’s strict requirements—e.g., requiring a circumstance-specific patient consent prior to each disclosure of SUD records to different providers involved in the patient’s care—may make it difficult for those providers to obtain a complete record for patients who received SUD treatment.

By way of brief background, a final rule was published in July 2020 that took a few, mostly minor, steps toward easing the strict requirements of Part 2, including, e.g., permitting a SUD patient to consent to disclosure of Part 2 records to any entity without naming a specific person/entity as the recipient for the disclosure. These steps followed earlier efforts in 2017 and 2018 to modify Part 2 in a way that increased flexibility while maintaining protection for SUD records (e.g., easing restrictions on disclosing patient identifying information within a health care system in the 2017 final rule and clarifying payment, health care operations, and audit/evaluation-related disclosures in the 2018 final rule).

In March 2020, while the 2020 final rule was well underway but still a few months before it was published, the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act amended the law underlying the Part 2 regulations (i.e. 42 U.S.C. §§ 290dd-2) to align Part 2 more closely with HIPAA’s Privacy Rule. The CARES Act required promulgation of regulations amending Part 2 to take effect no earlier than the end of March 2021 but the proposed rulemaking leading to the recent Final Rule wasn’t published until December 2022. Hence my use of “long-awaited” in to first sentence of this post.

I encourage the reader to review the Final Rule for a thorough explanation of what has changed and what remains the same as compared to the proposed rulemaking, including a summary-by-section, responses to stakeholder comments to the proposed rulemaking, the new regulatory text, but below are some highlights from among the modifications:

• Patient Consent – As noted above, Part 2 consents, even after the regulatory modifications in 2017, 2018, and 2020, continued to prohibit the use of a single, universal, prior consent (e.g., signed at intake) that would remain in effect essentially indefinitely. It is fair to say that, for many Part 2 programs the most anticipated regulatory change in the Final Rule is the ability to use a single consent for all future uses and disclosures of Part 2 information for treatment, payment, and health care operations (collectively, “TPO” – see below). Critically, while the HIPAA regulations permit disclosure for TPO without an authorization, Part 2 still requires a consent before disclosing SUD treatment records for TPO. Further, each disclosure made pursuant to a TPO consent must be accompanied by a copy of that consent along with one of the two required statements. The consent requirements are here. Part 2 now includes regulations requiring specific consent related to SUD counseling notes, akin to HIPAA’s requirements related to psychotherapy notes.
• Records Separation – If a part 2 program or a HIPAA covered entity or business associate receives SUD treatment records pursuant to a TPO consent, as discussed above, Part 2 no longer requires that the recipient keep the records separated or else risk rendering the entire record subject to Part 2.
• TPO – An important aspect of the HIPAA regulations is the ability to disclose protected health information without the need to obtain patient authorization if such disclosures are for treatment, payment, or health care operations (commonly referred to by the shorthand, “TPO”). As discussed above, the Final Rule includes updates to Part 2 that permit disclosure based on a single TPO consent for uses and disclosures for TPO until such time as the consenting patient revokes the consent.
• De-identification – Part 2 now incorporates the HIPAA de-identification standard and thus data may be disclosed if there is no reasonable basis to believe that the information can be used to identify a particular patient.
• Redisclosure – Once Part 2 records are disclosed to a covered entity, business associate, or another Part 2 program pursuant to the now-permitted single consent for all future TPO uses, such recipient may use and disclose those records pursuant to HIPAA until/unless that consent is revoked.
• Breach Notification – Part 2 programs must adopt policies and procedures consistent with the HIPAA Breach Notification Rule specifically for breaches of unsecured Part 2 records.
• Patient Notice – Part 2 programs must adopt a Patient Notice similar in form and substance to the HIPAA Notice of Privacy Practices but tailored to address Part 2 requirements related to uses, disclosures, and patient rights.
• Patient Complaints – Patients may now file a complaint directly with the Secretary of Health and Human Services alleging a violation of the Part 2 regulations by a Part 2 program, a covered entity, a business associate, or other listed categories of entities. The Patient Notice discussed above must alert Part 2 patients to this right.
• Patient Right to Restrict – While patients could always tailor their consents (e., ask for changes to a consent form before signing it), the Final Rule now grants patients the right, among other things, to (1) request restrictions on disclosures of part 2 records for TPO purposes, and (2) obtain restrictions on disclosures to health plans for services paid in full.
• Further Alignment with HIPAA
  • Part 2 enforcement is no longer via title 18 criminal penalties, but instead via the civil and criminal penalties implemented by the HIPAA Enforcement Rule.
  • Part 2 has adopted the HIPAA definitions for a number of terms including the constituent parts of TPO, covered entity, business associate, and breach.

While I recognize that these changes are likely welcome news to many Part 2 programs, it is important that programs consult with legal counsel to ensure compliance while updating affected policies, procedures, forms, and training.