Aligning Substance Abuse Confidentiality Regulations With HIPAA to Enhance Compliance

March 29, 2023 - Since 1975, the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 CFR part 2 (Part 2) have protected the confidentiality of individuals suffering from substance use disorder. These key protections aim to ease fears of discrimination and prosecution that may dissuade individuals from seeking life-saving treatment.

Part 2 has undergone several revisions over the years. Most recently, in 2020, section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act required the HHS Secretary to align certain aspects of Part 2 with HIPAA and the HITECH Act.

In an effort to implement these provisions, HHS and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) in November 2022, outlining the ways in which it planned to align Part 2 with HIPAA. Once finalized, these updates will ideally improve care coordination and streamline enforcement processes.

Below, HealthITSecurity will dive into current compliance considerations for providers under Part 2, how they differ from HIPAA, and how the final rule may change compliance obligations for covered entities.

How Part 2, HIPAA Differ

Part 2 protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States,” the law’s text states.

In other words, it safeguards the confidentiality of patients suffering from substance use disorder, specifically when the treatment records are maintained by a federally assisted program.

These protections attempt to shield patients from adverse consequences related to issues like criminal proceedings or domestic proceedings such as divorce, employment, or child custody, the Office of the National Coordinator for Health Information Technology (ONC) and SAMHSA explained in a fact sheet.

Under these regulations, Part 2 programs are not allowed to disclose any information that would identify someone as having had a SUD unless they received written consent. It is important to note that Part 2 programs are also HIPAA-covered entities and are subject to the same privacy and security obligations, along with the more stringent Part 2 requirements.

“Part 2 goes above and beyond what HIPAA requires from a privacy perspective and imposes additional restrictions on the use and disclosure of patient information receiving substance use disorder treatment from Part 2 programs,” said Vicki Tankle, partner at Reed Smith and member of the firm’s Life Sciences Health Industry Group.

“Those providers contend with their HIPAA compliance and then need to always keep in mind the Part 2 requirements, which are in many cases far more strict than HIPAA.”

For example, under HIPAA, providers can permissively use and disclose protected health information (PHI) for the purposes of treatment, payment, and healthcare operations (TPO). But under Part 2, providers cannot disclose SUD records for TPO purposes without written consent. What’s more, providers often must get written consent for each TPO disclosure, leading to additional administrative burdens.

“From a privacy standpoint and from a compliance program standpoint, it is really tricky for these providers, as they are often navigating both compliance with HIPAA and Part 2,” Tankle added.

“Part 2 is a lot more stringent, so streamlining the rules will definitely bring some more operational compliance ease for these providers.”

Proposed Changes Aim to Reduce Compliance Complexities

The NPRM aims to address these compliance challenges by streamlining use and disclosure allowances and aligning them with HIPAA.

“Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” HHS Secretary Xavier Becerra said in a press release accompanying the NPRM.

“This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure.”

SAMHSA summarized the proposed changes, which include:

• Permitted use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and [healthcare] operations.
• Permitted redisclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions.
• New patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
• Expanded prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.
• New HHS enforcement authority, including the imposition of civil money penalties for violations of Part 2.
• Updated breach notification requirements to HHS and affected patients.
• Updated HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records.

Essentially, the changes are focused on easing compliance inconsistencies and broadening permissions, specifically in relation to TPO uses and disclosures and redisclosures.

“Instead of having separate patient consents for each TPO use or disclosure, the proposal would modify that requirement to permit a general recipient type of designation,” Tankle explained.

“If finalized, it will still require consent for treatment, payment, and healthcare operations, but the difference is that it will just make it a little easier for providers.”

Additionally, the proposed rule contained language that would explicitly apply the HIPAA Breach Notification Rule to Part 2 programs, solidifying breach reporting requirements under Part 2. The proposed rule would also subject Part 2 programs to HIPAA’s comprehensive de-identification requirements, ensuring that deidentified records cannot be traced back to a specific individual.

What’s more, HIPAA’s civil penalties would apply to Part 2, streamlining the enforcement process. Rather than reporting violations to SAMHSA and the US Attorney for the judicial district in which the violation occurred, complaints would be directed to HHS, in a similar fashion to how typical HIPAA violations are reported.

“From a care coordination perspective, things will hopefully speed up,” Tankle added. “It will also allow the patient to have their providers work on an ongoing basis to coordinate their care collaboratively. Right now, that's definitely an obstacle for providers and patients in this space.”

What’s Next?  

The comment period for the NPRM is now closed, and providers are now awaiting a final rule. If finalized as is, the rule will ideally ease compliance burdens while clarifying breach notification and enforcement processes.

“What will be difficult from a compliance standpoint is that these providers have stood up Part 2 compliance programs to comply with the more stringent standards that Part 2 allows,” Tankle noted.

“And so, they will have to unwind some of those really stringent, multifaceted Part 2 compliance programs that right now are built onto their HIPAA compliance programs.”

Part 2 programs are almost always also HIPAA-covered entities and are familiar with the enforcement and compliance mechanisms required of them by HIPAA. Even so, there will likely be a learning curve when it comes to adjusting compliance programs.

“While there will be operational compliance hurdles to overcome in aligning those programs, at the end of the day, I think providers will welcome these changes to streamline compliance requirements.”