On February 16, 2024, the federal Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued the long-awaited final rule intended to align the use and disclosure requirements for substance use disorder records covered by 42 CFR Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act (HITECH) Rules. The Final Rule implements the confidentiality provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was originally enacted in March 2020. Entities will have until February 2026 to establish compliance under the Final Rule, though entities do not need to wait 2 years to take advantage of the new flexibilities it provides.
As was initially set forth in the December 2022 proposed rule, the Final Rule does allow Part 2 Programs to secure a single written consent from patients for all future uses of their information for treatment, payment and health care operations (TPO) purposes. Once such information is disclosed to a HIPAA Covered Entity or Business Associate, pursuant to the patient’s consent, the information can subsequently be used and disclosed for any purpose permitted by HIPAA; however, the Part 2-based prohibition on using the information in any legal proceedings against the patient remains in effect. While the Final Rule does not require the segregation of Part 2 information from other health information, this critical protection is still required under Part 2. Thus, Covered Entity and Business Associate recipients will need to maintain systems to implement this confidentiality protection, as well as complying with any restrictions on further disclosure that patients have requested. Through a Notice to Accompany Disclosure, which must also include a copy of the patient’s consent or an explanation of its scope, Part 2 Programs must alert Covered Entity and Business Associate recipients to the protections required under 42 CFR Part 2.
The Final Rule clarifies that patients of Part 2 Programs have a right to request restrictions on disclosure of their information for TPO purposes. Similar to HIPAA, a Part 2 Program is not required to agree to such requests, unless the request is related to disclosures to the patient’s health plan for services paid out of pocket by the patient in full. The Final Rule says that Programs should make “every reasonable effort” to comply with a patient’s request for restrictions and Programs should not condition treatment on the patient providing a broad TPO consent unless the Part 2 Program has capacity to fulfill patients’ requests for restrictions on uses and disclosures for TPO.
The Final Rule simplifies the requirements for written patient consent, though there are still some key differences between HIPAA’s rule for patient authorizations, and those applicable to Part 2 Programs. The patient may name a class of persons as the recipient, including “my treating providers, health plans, third-party payers, and those helping operate this business”, which facilitates the single-consent proposal. When Part 2 patient information is disclosed for TPO activities to a Covered Entity or Business Associate, such recipient may further disclose the records in accordance with the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient. When information is disclosed to a Part 2 Program that is not a Covered Entity or Business Associate in accordance with a patient consent that is given once for all future TPO activities, the Part 2 Program may further disclose the information consistent with the patient’s consent.
With respect to the amount and types of information to be disclosed, the consent form must be specific to Part 2 records so that it identifies the information in a specific and meaningful fashion; a reference to “my medical records” would be insufficient for this purpose. The consent must also include statements informing patients about the potential for the records that are used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by Part 2, except for the restriction on uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient. If the Part 2 Program intends to use a patient’s information for fundraising purposes, the patient must be given an opportunity to opt out of such uses.
The Final Rule also provides some clarification on the role of Qualified Service Organizations (QSO) to Part 2 Programs, a concept that is similar to but still distinct from the role of Business Associates to HIPAA Covered Entities. The revised definition of QSO includes a Business Associate to a Part 2 Program that is also a HIPAA Covered Entity. The requirement to have a written QSO agreement remains for Business Associates that have access to records created by a Covered Entity that is also a Part 2 Program, as opposed to a Covered Entity that is only a recipient of Part 2 records pursuant to patient consent.
The Final Rule still leaves some questions unanswered and a few proposals will not be finalized until OCR finalizes its pending HIPAA proposed rule, issued in January 2021. While civil and criminal penalties will align with HIPAA rules, the Final Rule does not identify the agency responsible for enforcement. The federal Department of Health and Human Services also intends to align compliance dates for required changes to the Part 2 Patient Notice and the HIPAA Notice of Privacy Practices and has tolled the requirement for Part 2 Programs to account for disclosures pending promulgation of the HITECH Act modifications to the HIPAA privacy rule, which will require HIPAA Covered Entities to account for TPO disclosures made from an electronic health record.
OCR and SAMHSA have promised additional guidance solidifying these proposals and we expect more clarification when OCR finalizes its pending HIPAA proposed rule. Though challenges remain, this Final Rule has delivered on the CARES Act promise of removing barriers to interoperability of Part 2 information.