The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA) released its anticipated Final Rule last week. The Final Rule revises standards for the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 C.F.R. Part 2 (Part 2). It includes some welcome Part 2 amendments to better align Part 2 with the Health Insurance Portability and Accountability Act (HIPAA), but it also brings increased enforcement risks to an operationally tricky regulatory scheme (which has largely been ignored given the lax reporting and enforcement obligations to date). If you have not thought through how to implement Part 2 obligations, now is the time, as you may see increased enforcement under the Final Rule.
We have been anticipating the arrival of this Final Rule since the Notice of Proposed Rulemaking was issued in 2022. Prior to last week’s release, the last round of Part 2 changes in 2020 was intended to revise Part 2 to align certain provisions with the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). HHS indicated that those revisions were “interim and transitional standards” to be followed until the finalization of the 2022 Notice of Proposed Rulemaking. Now that the wait is over, we provide you with a high-level summary of the Final Rule and a checklist of suggested action items.
Summary of Final Rule
As a quick refresher, this Final Rule stems from the CARES Act, which required HHS to revise Part 2 to more closely align with other federal regulatory standards (specifically, HIPAA) to improve care coordination and access to care.
Below is a summary of key provisions of the Final Rule:
Patient Consent
- One Consent for Future Use. Patients may now execute one consent for a Part 2 program to engage in all future uses and disclosures of SUD records for treatment, payment, and health care operations. This consent is not required to have an expiration date and will remain valid until it is revoked by the patient. The key here is future use/disclosure, which is a difficult standard to operationalize, particularly with electronic health records that are already not set up for Part 2 compliance.
- Compound Authorization. Part 2 programs may not combine patient consent for the use and disclosure for civil, criminal, administrative, or legislative proceedings with patient consent for other uses and/or disclosures of SUD records. Additionally, patient consent is required for a Part 2 provider to give testimony about the contents of a patient’s SUD record in a civil, criminal, administrative, or legislative investigation or proceeding.
- SUD Counseling Notes. Similar to HIPAA’s handling of psychotherapy notes, the Final Rule requires separate patient consent for the use and disclosure of SUD counseling notes. SUD counseling notes are “notes recorded (in any medium) by a [Part 2] program provider who is an SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient’s record.”
If a mental health care provider qualifies as both a Part 2 program and a covered entity under HIPAA, SUD counseling notes will be both psychotherapy notes under HIPAA and part of the patient’s SUD records.
This is another difficult standard to operationalize, as HIPAA prohibits the combination of an authorization for the use and/or disclosure of psychotherapy notes with any other consent or authorization, including a SUD counseling notes consent.
- Append Disclosure. With each disclosure of SUD records made pursuant to a patient’s consent, the Part 2 program must include a copy of the patient’s consent or a clear explanation of the scope of the consent.
For electronic disclosures, this will require a new API/data flow, and HIM teams should consider how to operationalize and append disclosures with the consent or explanation. This is not a workflow currently contemplated in most Electronic Health Record (EHR) platforms.
TPO Redisclosure. Celebrate! The Final Rule allows Part 2 programs, covered entities, and business associates that have received SUD records via a valid consent to use and/or disclose those records for treatment, payment, or healthcare operations (TPO) to subsequently redisclose those records as permitted by HIPAA. However, these entities must still comply with the Part 2 prohibition of redisclosure for any legal or administrative investigation or proceedings against a patient unless the entity has obtained a patient’s written consent or a court order.
However, entities that are not covered entities or business associates under HIPAA must obtain patient consent for further use and disclosure of SUD records. Thus, the TPO exception is not available.
Part 2 Patient Notice. The Part 2 Patient Notice requirements now align with HIPAA Notice of Privacy Practices (NPP) requirements. However, elements of a HIPAA-compliant NPP that are inapplicable to Part 2 programs may be removed. HHS has indicated it will be providing additional guidance on NPP revisions later in 2024.
Separation/Segregation of SUD Counseling Notes. The Final Rule expressly states that the separation or segregation of SUD counseling notes is not required. However, to receive heightened SUD counseling notes protections (described above), notes must be maintained in the patient’s record but only accessible to the treating clinician preparing the notes. Notes maintained in an EHR or other record management system that are accessible by multiple individuals on the clinician’s team would not qualify as SUD counseling notes.
De-Identification. Citing the standards as “workable and understandable,” the Final Rule replaces prior Part 2 de-identification standards with those established by HIPAA.
Patient Rights. Two patient rights were introduced by the Final Rule: the right to obtain an accounting of disclosures and the right to request restrictions on uses and/or disclosures. These rights generally follow their HIPAA counterparts.
The Final Rule carves out Part 2 programs and HIPAA covered entities and business associates from the definition of an “intermediary.” Under the Final Rule, intermediaries must provide a patient with a list of persons to which the patient’s Part 2 records have been disclosed if that patient consented to the disclosure of their records using a general designation. Any patient request to exercise this right must be submitted to the intermediary in writing and is limited to disclosures made by the intermediary within the past 3 years. The intermediary will have 30 days from the date of receipt of the written request to respond to the patient and must provide: (i) the names of any entities to which a disclosure of the patient’s SUD records was made, (ii) the date of disclosure, and (iii) a brief description of the patient identifying information disclosed.
HHS notes that the exclusion of business associates from the definition of an “intermediary” is designed to promote the inclusion of SUD records in electronic Health Information Exchange (HIE) systems. Historically, HIE vendors have restricted the ability to exchange SUD records via their platforms because of Part 2’s special consent requirements.
Breach Notification. The HIPAA Breach Notification Rule requirements will now apply to any breach of SUD records.
Penalties. The Final Rule broadened penalties for Part 2 compliance violations to include civil enforcement authority. In line with the HIPAA Enforcement Rule, this means that any person that violates any provision of Part 2 will be subject to the Civil Money Penalties (CMPs) set forth in Sections 1176 and 1177 of the Social Security Act.
Recommended Action Items
Part 2 providers have until the third quarter of 2025 to operationalize these requirements, but take action sooner rather than later, as operationalizing some of these requirements will require pushing EHR developers to finally address Part 2 compliance requirements, including new workflows.
In addition, it is time to start evaluating your compliance program to identify necessary updates to your policies, procedures, and internal and external documentation. To prevent compliance deadline creep, we recommend taking the following actions:
- If your organization is both a covered entity and a Part 2 program, we recommend waiting until the release of those requirements to make any changes to your Part 2 Patient Notice. If your organization is not a covered entity or a business associate, we recommend revising your Part 2 Patient Notice to comply with the Final Rule.
- Create or Revise Patient Consent Documents to include the following:
  - Reflect your organization’s intent to use and/or disclose SUD records for treatment, payment, and health care operations purposes;
  - Account for the use and disclosure of SUD records for civil, criminal, administrative, or legislative proceedings; and
  - Address the use and disclosure of SUD counseling notes.
- Assess processes for handling patient rights requests and update them regarding the handling of SUD records to comply with the Final Rule.
- Consider whether Part 2 and SUD counseling notes are appropriately segregated consistent with the Final Rule.
- Revisit your organization’s policies and procedures to determine the required updates to your organization’s processes and operations to comply with and take advantage of the Final Rule (e.g., de-identification and breach notification, etc.), create a timeline, and dedicate appropriate resources to implementing the same.