Earlier this week, the United States Department of Health and Human Services (“HHS”) released a Notice of Proposed Rulemaking (“NPRM”) that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. These modifications, which implement provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, are intended to align Part 2’s currently stringent rules more closely with health information privacy rules promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”), improving the ability of entities subject to Part 2’s restrictions to use, disclose, and redisclose SUD-related information.
The changes generally fall into three categories: (1) proposals that expressly implement the CARES Act amendments to 42 U.S.C. § 290dd-2, the statute that Part 2 implements; (2) proposals that HHS deems necessary to further align Part 2 with HIPAA; and (3) proposals that HHS deems necessary to clarify the full scope of activities regulated under Part 2. The most significant changes are those to the rules governing consent to use, disclose, and redisclose Part 2 records, which would generally be relaxed under the NPRM and more aligned with HIPAA with respect to treatment, payment, and health care operations (“TPO”) activities.
HHS believes these changes would (1) facilitate greater integration of SUD treatment information within other protected health information; (2) improve communication and care coordination between providers and others in the health care system, such as payers; (3) enhance the ability to comprehensively diagnose and treat the whole patient; and (4) facilitate the exchange of Part 2 records between Part 2 programs.
Comments are due 60 days after publication of the NPRM in the Federal Register. HHS proposes that the final rule would take effect 60 days after publication and that enforcement of the new Part 2 rules and modified HIPAA provision regarding Notices of Privacy Practices would begin 24 months after publication of a final rule. HHS requests comment on whether this would be sufficient time for entities to come into compliance with revised regulations, including revising policies and procedures, training workforce, and completing other implementation requirements. For the proposed requirements regarding accountings of disclosures, HHS proposes to toll the compliance date for Part 2 programs until a final HIPAA rule on accountings of disclosures takes effect.
CARES Act Amendments
Enacted in March 2020, the CARES Act made significant changes to the Part 2 statute to more closely align Part 2 with HIPAA regulations. Specifically, section 3221 of the CARES Act amended 42 U.S.C. § 290dd-2 (the confidentiality of SUD records statute implemented by Part 2 regulations) so that once written patient consent is obtained, the contents of a Part 2 record “may be used or disclosed by a covered entity, business associate, or a program subject to this section for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.” Further, the CARES Act amendment provides that any information disclosed in accordance with the above may then be redisclosed in accordance with HIPAA. This is a significant change from the current Part 2 rules, which prohibit redisclosure of Part 2 records unless the individual has expressly consented to such redisclosure. The CARES Act directed HHS to promulgate regulations implementing these amendments, which the NPRM aims to accomplish.
The NPRM contains several significant changes to current Part 2 rules. Some of the most potentially impactful proposals are summarized below.
A. Consent and Redisclosure
The most impactful changes proposed in the NPRM are those implementing the CARES Act’s amendments regarding consent for the use, disclosure, and redisclosure of Part 2 records. Implementing these amendments, the NPRM proposes that if a patient provides valid consent to a use or disclosure of their records, the recipient may further use or disclose such records in accordance with the following rules:
- When disclosed for TPO activities to a Part 2 program, covered entity, or business associate, the recipient may further use or disclose those records as permitted by HIPAA, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.
- When disclosed with consent given once for all future TPO activities to a Part 2 program that is not a covered entity or business associate, the recipient may further use or disclose those records consistent with the consent.
- When disclosed for payment or health care operations activities to a lawful holder that is not a covered entity, business associate, or Part 2 program, the recipient may further use or disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent. The NPRM does not propose to define the terms “contractors, subcontractors, and legal representatives” but seeks comment on whether doing so would be helpful.
Ultimately, the key impact of these changes is enhanced flexibility when using, disclosing, and redisclosing Part 2 records for TPO purposes, and the ability to receive written consent from a patient once for all future TPO uses and disclosures. This represents a significant relaxation of current Part 2 rules.
In addition, the NPRM proposes numerous changes to the requirements for a valid Part 2 written consent. These changes would align the content requirements for a valid Part 2 written consent with those for a valid HIPAA authorization, including a statement of the right to revoke consent.
HHS asked a number of questions regarding consents, communicating to recipients about consent or revocation of consent, and the negative impacts on confidentiality and privacy from the proposed permission for disclosure of Part 2 data for TPO with consent.
B. Enforcement and Penalties
Currently, Part 2 provides for criminal enforcement. In accordance with the CARES Act amendments, the NPRM proposes to provide for both civil and criminal penalties and align Part 2 enforcement with HIPAA enforcement. Specifically, the NPRM proposes to apply sections 1176 and 1177 of the Social Security Act to violations of Part 2 in the same manner as they apply to a covered entity or business associate for violating HIPAA. This would include the civil monetary penalty tiers established by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. HHS will have civil enforcement authority.
The NPRM also proposes various provisions regarding the liability of investigative agencies that may receive Part 2 records while investigating or prosecuting a Part 2 program or other person holding Part 2 records. These include a proposed safe harbor for investigative agencies that conduct reasonable diligence but nonetheless unknowingly receive Part 2 records without first obtaining the required court order.
In addition, HHS requests comment on whether a safe harbor is appropriate for SUD providers that unknowingly hold records subject to Part 2 and unknowingly disclose them, violating Part 2.
To enable alignment of Part 2 rules with HIPAA rules, the NPRM proposes to add definitions of terms that are relevant due to the alignment of Part 2 with HIPAA requirements. In some areas, HHS has modified definitions or the wording of certain phrases to match the corresponding language in HIPAA (e.g., changing “disclosure and use” to “use and disclosure”). One potentially noteworthy change is the proposed exclusion of HIPAA-covered health plans from the definition of “third-party payer.” The result of this change would be that Part 2’s disclosure restrictions continue to apply to a narrower set of entities, such as grant-funded programs.
HHS also seeks comment on whether it would be helpful to create an express definition of “lawful holder” and what such a definition should encompass.
D. Uses and Disclosures
Unlike HIPAA, many current Part 2 requirements only mention disclosures of Part 2 records and, with a few exceptions, generally do not mention uses of Part 2 records. The NPRM proposes to make various changes throughout the Part 2 rules to clarify that the rules indeed apply to both uses and disclosures. HHS proposes to adopt a definition of “use” that is consistent with HIPAA’s definition. HHS seeks comment on whether this change would substantively expand the scope of applicable requirements and prohibitions in an unintended manner.
Part 2 rules currently provide that complaints of Part 2 violations should be sent to the U.S. Attorney for the judicial district in which the violation occurs, and reports of any violation by an opioid treatment program may be directed to the U.S. Attorney and the Substance Abuse and Mental Health Services Administration.
The NPRM proposes to require that Part 2 programs establish a process to receive complaints regarding the Part 2 program’s compliance with Part 2 regulations. It also proposes to prohibit intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against a patient for filing a complaint or otherwise exercising a right provided for under Part 2. Further, the NPRM proposes to prohibit requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services. These requirements are generally similar to HIPAA provisions concerning complaints.
The NPRM proposes to apply the HITECH Act breach notification provisions currently implemented in the HIPAA Breach Notification Rule to Part 2 programs. Specifically, in the event of a breach of unsecured Part 2 records, Part 2 programs would be required to notify HHS, affected patients, and, in some cases, media outlets. Part 2 programs would also be required to establish and implement policies and procedures addressing notification in the event of a breach of unsecured Part 2 records.
HIPAA only requires notification in the event of a breach of unsecured protected health information. Similarly, under the NPRM, notification would only be required in the event of a breach of unsecured records. The NPRM proposes to apply the same concept to this term, defining it as a record that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.
Since covered entities (and business associates) are already subject to HIPAA’s breach notification requirements applicable to protected health information, these proposed changes are more likely to impact Part 2 programs that are not covered entities, which should be a fairly small group. HHS requests comment on whether it should also apply these new Part 2 breach notification requirements to qualified service organizations, as they are essentially Part 2’s analog to HIPAA business associates and often receive and maintain a significant amount of Part 2-covered information.
G. Requirements for Intermediaries
Patients have a right under Part 2 to receive a list of entities to which an intermediary has disclosed the patient’s Part 2 records pursuant to a general designation. Currently, Part 2 only requires a list of such disclosures made in the last two years; the NPRM proposes to extend this to three years. While Part 2 currently does not define “intermediary,” the NPRM proposes to expressly define this term as “a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.” Examples include a health information exchange, a research institution that is providing treatment, an accountable care organization, and a care management organization.
HHS requests comment on whether the separate requirement for intermediaries to provide a list of disclosures is necessary considering the accounting of disclosures requirements proposed in the NPRM.
Currently, Part 2 applies security requirements to Part 2 programs and lawful holders. In the NPRM, HHS states that it would consider the surrounding facts and circumstances to evaluate the extent to which a recipient of Part 2 records has a duty and ability to reasonably protect Part 2 records against unauthorized uses and reasonably anticipated threats or hazards. HHS requests comment on examples of lawful holders that may not be appropriately held liable for compliance with Part 2’s administrative requirements, such as implementing policies and procedures to protect against unauthorized use or disclosure.
HHS also seeks comment on the extent to which Part 2 programs refer to the HIPAA Security Rule as guidance for safeguarding Part 2 records. It also seeks comment on whether Part 2 should be amended to adopt the same or similar requirements as the HIPAA Security Rule.
I. Notices of Privacy Practices
The CARES Act directed HHS to modify HIPAA’s requirements regarding Notices of Privacy Practices and specify new requirements for covered entities and Part 2 programs with respect to Part 2 records that also constitute PHI. These requirements would apply to entities that are subject to both Part 2 and HIPAA, including covered entities that are Part 2 programs, as well as covered entities that simply receive Part 2 records from a Part 2 program.
To implement these CARES Act provisions, the NPRM proposes to amend both the Part 2 patient notice requirements at 42 C.F.R. § 2.22 as well as HIPAA’s Notice of Privacy Practices requirements at 45 C.F.R. § 164.520. The NPRM proposes to revise Part 2’s patient notice requirements to substantially align them with HIPAA’s requirements for Notices of Privacy Practices with respect to both content and structure.
J. Individual Rights
The NPRM also proposes to create two patient rights in alignment with individual rights granted under HIPAA. Specifically, the NPRM proposes to create a right for patients (1) to receive an accounting of certain disclosures of their records, and (2) to request restrictions on disclosures of records for TPO, and obtain restrictions on disclosures to health plans for services paid in full by the patient. However, HHS does not intend to formally apply the former before the effective date of the modified HIPAA accounting of disclosures provision mandated by the HITECH Act.
The NPRM notes that HIPAA generally provides individuals a right to access their protected health information in a designated record set. A covered entity’s Part 2 records are generally considered part of the designated record set, whether the Part 2 program is a covered entity or merely a recipient of Part 2 records. However, HIPAA’s right of access excludes psychotherapy notes, which, in some instances, may also be considered Part 2 records. HHS is considering whether to create a similar term that is specific to the notes of SUD counseling sessions by a Part 2 program professional. Such notes would be Part 2 records but could not be disclosed based on a general consent for TPO. Instead, they could only be disclosed with a separate written consent. HHS requests comment on the benefits and burdens of this proposal to create additional privacy protection for SUD counseling notes that are maintained primarily for use by the originator of the notes.
The NPRM proposes to adopt HIPAA’s de-identification standards at 45 C.F.R. § 164.514 where Part 2 rules address the use or disclosure of non-identifiable information. The NPRM also proposes to require Part 2 programs and lawful holders to implement formal policies and procedures to address de-identification of Part 2 information in accordance with HIPAA’s de-identification standards. In addition, the NPRM proposes to expressly permit disclosures to public health authorities as long as the records are de-identified in accordance with HIPAA standards.
While HHS considered an opt-in approach to de-identification (i.e., consent would be required to de-identify Part 2 records), it ultimately decided against such an approach, determining that an opt-in approach would create a barrier to de-identification that may ultimately negatively affect patient privacy.
L. Required Disclosures to the Secretary
The NPRM proposes to require disclosures to the Secretary of HHS to investigate or determine a person’s compliance with Part 2. Currently, Part 2 does not require disclosure of Part 2 records in any circumstances.
The NPRM has wide-ranging implications for the full spectrum of stakeholders in the health care industry and aims to enhance flexibility in using and sharing Part 2 records. Stakeholders should analyze the potential impact of the NPRM on their operations and submit comments to HHS, which are due 60 days after the NPRM’s publication in the Federal Register. Crowell & Moring has extensive experience with Part 2 and can advise you on understanding the implications of these proposed changes on your business.