Changes to the Substance Use Disorder Confidentiality Regulation: Implications for Stakeholders

Manatt, Phelps & Phillips, LLP
Contact

Manatt, Phelps & Phillips, LLP

Last week, the Department of Health and Human Services (HHS) released a final rule intended to implement a 2020 modification to the federal substance use disorder (SUD) privacy statute. The final rule more closely aligns the Confidentiality of Substance Use Disorder Patient Records regulations under 42 CFR Part 2 with the regulatory requirements under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. HHS indicated that the changes are intended to improve care coordination for patients seeking or undergoing SUD treatment, ease patient privacy concerns, and break down barriers to information sharing by easing compliance complexities and providing patients with additional rights.

Unlike HIPAA, which applies to nearly all personal information held by health care providers and health plans, Part 2 applies to a limited class of SUD providers, called Part 2 programs (federally-assisted providers that hold themselves out as providing SUD services). However, the regulation has an important impact on the privacy of individuals with substance use disorders, many of whom receive services from providers that are subject to the regulation.

In contrast to HIPAA, which allows disclosures of protected health information (PHI) under a range of circumstances without patient authorization, the new final rule leaves in place the requirement that Part 2 programs generally must obtain patient consent prior to disclosing Part 2 information for purposes of treatment, payment, and health care operations. The final rule does, however, make substantial changes to how such consent may be obtained, and how information may be re-disclosed, resulting in significant impacts on a variety of actors in the health care system.

What the Rule Means for Part 2 Programs

The changes to the enforcement regime have important ramifications to Part 2 programs. The final rule applies civil and criminal penalties applicable under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act to Part 2 violations. This represents a significant change to the federal enforcement regime, which previously had only permitted criminal penalties for Part 2 violations. As a result, Part 2 programs are more likely to face financial penalties for failing to comply with Part 2.

Since Part 2 programs typically are HIPAA-covered entities, the imposition of HIPAA requirements under Part 2 is unlikely to have a significant impact on Part 2 programs. However, the rule also imposes new obligations on Part 2 programs that exceed what is required under HIPAA. For instance, programs will need to issue revised notices of privacy practices that contain terms not required under HIPAA. The programs will need to meet these new obligations by the February 2026 compliance date.

The final rule’s increased flexibility regarding consent also may result in Part 2 programs more frequently sharing information with other organizations. Part 2 programs, however, must require a separate consent form for uses and disclosures of information for civil, criminal, administrative, and legislative investigations and proceedings, as well as disclosures that involve SUD counseling notes – the latter of which aligns with HIPAA’s treatment of psychotherapy notes.

What the Rule Means for Electronic Health Record (EHR) Vendors and Health Information Exchanges (HIEs)

Vendors designing EHR systems and HIEs tasked with the lawful exchange of patient health information will benefit from the streamlined consent provisions in the final rule. The rules are designed to permit the use of a single form under which a patient can consent to future disclosures of Part 2 information for purposes of treatment, payment, and health care operations, as defined under HIPAA. HIEs have long cited Part 2 consent as a barrier to exchanging the full scope of patient health information necessary to provide and coordinate care, and the streamlined consent requirements are designed to mitigate these operational complexities.

Under the final rule, consent forms may now:

  • Use a description of a class of persons who may receive the information, rather than requiring the name of every potential recipient on the form who is not a treating provider.
  • Permit a patient to consent to disclosures for “treatment, payment and health care operations” using a single form, with an allowed expiration date of “none.”

Notably, the final rule redefines the term “intermediary” to exclude business associates and covered entities. Since HIEs and EHR vendors are almost always business associates, the rule means that the additional limitations on intermediaries typically will not apply to HIEs and EHR vendors.

What the Rule Means for Recipients of Part 2 Information

The final rule’s provisions are particularly important to recipients of Part 2 information, such as health plans and other providers who may exchange information with Part 2 programs. Under the rule, if a recipient receives Part 2 information for purposes of treatment, payment or health care operations, and such recipient is a HIPAA covered entity or business associate, such recipient may redisclose the information so long as such redisclosure complies with HIPAA and the information was not shared for use in a civil, criminal, administrative, or legislative proceeding against the patient. HHS also modified the definition of “third-party payers” to exclude health plans, effectively exempting health plans from having to abide by all Part 2 requirements with respect to Part 2 information they receive.

The final rule further holds that Part 2 programs, covered entities, and business associates that receive records based on a single consent for all treatment, payment and health care operations are not required to segregate Part 2 records from other data they receive. While this may potentially ease an administrative barrier for recipients of data, those recipients still must ensure that Part 2 records are not used in proceedings against patients, meaning that those recipients still must have a process for separating out Part 2 records in cases where they receive certain subpoenas and other demands for data.

What the Final Rule Means for Patients

Patients who agree to sign consent forms may see their information exchanged more frequently as a result of the rule, and as a result patients may find that others who care for them – such as primary care providers – may be more likely to know about their SUD treatment. At the same time, the rule attempts to keep in place protections against the use of Part 2 data in civil, criminal or administrative proceedings against patients, reflecting the longstanding goal of ensuring that patients should not be punished for discussing illegal drug use with health care professionals.

Patients have some limited new rights under the rule, including a more expansive right to request an accounting of disclosures. However, it will be at least two years before Part 2 programs must provide such rights. Moreover, the SUD anti-discrimination requirements enacted as part of the Coronavirus Aid, Relief, and Economic Security Act have yet to be promulgated in regulation; ultimately, these may be the most important new protections for patients.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Manatt, Phelps & Phillips, LLP

Written by:

Manatt, Phelps & Phillips, LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Manatt, Phelps & Phillips, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide