New 2024 rules require providers to update HIPAA privacy policies and notices

McAfee & Taft

First, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) issued a rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“2024 HIPAA Privacy Rule”). Second, on February 8, 2024, HHS through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR announced a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations (“2024 Part 2 Rule”).

HIPAA Privacy Rule to Support Reproductive Health Care Privacy

The 2024 HIPAA Privacy Rule, which went into effect on June 25, 2024, is intended to “strengthen privacy protections for highly sensitive PHI about the reproductive health care of an individual, and directly advances the purposes of HIPAA by setting minimum protections for PHI and providing peace of mind that is essential to individuals’ ability to obtain lawful reproductive health care.” The 2024 HIPAA Privacy Rule defines “reproductive health care” as “health care … that affects the health of an individual in matters relating to the reproductive system and its functions and processes.”

Covered entities have 180 days after the effective date to comply with the 2024 HIPAA Privacy Rule’s provisions, except for the requirement to update the Notice of Privacy Practices (NPP). HHS aligned the compliance date for the NPP changes required by the 2024 HIPAA Privacy Rule with the compliance date for the 2024 Part 2 Rule (see below). Covered entities now have until February 16, 2026, to update their NPPs.

Prohibited use and disclosure. The 2024 HIPAA Privacy Rule prohibits covered entities and business associates from using or disclosing PHI for either of the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided, or
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

Attestation requirement. The 2024 HIPAA Privacy Rule also includes a new requirement for covered entities to obtain an attestation from the person or entity seeking the PHI in the following specific situations to attest that the PHI is not being used or disclosed in a manner potentially related to reproductive health care:

  • Health oversight activities (45 CFR 164.512(d))
  • Judicial and administrative proceedings (45 CFR 164.512(e))
  • Law enforcement purposes (45 CFR 164.512(f))
  • Coroners and medical examiners (45 CFR 164.512(g)(1))

The Final Rule includes details on what is required as part of this attestation, and the OCR has developed a model attestation (downloadable PDF) to assist covered entities with compliance.

2024 Part 2 Rule – Confidentiality of Substance Use Disorder Information regulations

The 2024 Part 2 Rule implements the confidentiality provisions of section 3221 of the CARES Act (enacted March 27, 2020), which required HHS to align certain aspects of Part 2 with HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). The Part 2 statute protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

Some of the more significant changes made by the 2024 Part 2 Rule include the following:

Patient consent. The 2024 Part 2 Rule allows a single consent for all future uses and disclosures for treatment, payment, and health care operations. It also allows covered entities and business associates that receive records under the single consent to redisclose the records in accordance with the HIPAA regulations. However, the 2024 Part 2 Rule prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with a patient consent for any other use or disclosure. The rule requires a separate patient consent for the use and disclosure of substance use disorder counseling notes. Each disclosure made with patient consent must include a copy of the consent or a clear explanation of the scope of the consent. (Please note that HIPAA uses the term “authorization,” not consent.)

Other uses and disclosures. The 2024 Part 2 Rule permits disclosure of patient records without patient consent to public health authorities, provided that the records disclosed are de-identified according to HIPAA standards. The rule also restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients without patient consent or a court order.

Safe harbor for investigative agencies. The 2024 Part 2 Rule creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. In order to demonstrate “reasonable diligence” before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA NPP to determine whether the provider is subject to Part 2.

Segregation of information. The 2024 Part 2 Rule includes an express statement that segregating or segmenting Part 2 records is not required, meaning that Part 2 records can be maintained as part of an electronic health record or other comprehensive patient record system. However, the rule also creates a new definition, SUD Counseling Notes, for a clinician’s notes analyzing the conversation in a counseling session that the clinician voluntarily maintains separately from the rest of the patient’s treatment and medical record. These notes require specific consent from an individual and cannot be used or disclosed based on a broad consent for treatment, payment and healthcare operations. This is analogous to the HIPAA protections for psychotherapy notes. A provider may therefore be required to redact or exclude SUD Counseling Notes from a use or disclosure.

Key deadlines and next steps for covered entities

Covered entities have until December 23, 2024, to comply with all provisions of the 2024 HIPAA Privacy Rule, except for updating their policies and NPPs related to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy and the 2024 Part 2 final rule pertaining to the Confidentiality of Substance Use Disorder Information. Providers are encouraged to begin updating their applicable policies and procedures and training employees well before the December 23, 2024, compliance date and ensure their NPPs are updated by February 16, 2026.
