In a Notice of Proposed Rulemaking published December 2, 2022 (the Proposed Rule), the United States Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the Proposed Rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information (PHI).
In March 2020, Congress included within the CARES Act an amendment to the Public Health Service Act that directed HHS to modify Part 2, which applies to substance use disorder patient records (Part 2 records) created by certain federally assisted substance use disorder treatment programs (Part 2 programs). HHS has now published a notice of proposed rulemaking to alleviate the compliance challenges resulting from differences in requirements for PHI and Part 2 records.
HHS has proposed a 24-month timeframe for compliance after the final rule is published. This encompasses the 60-day window for a rule to become effective after publication and an extended 22-month timeframe before enforcement.
In the early 1970s, Congress passed several laws to support substance use disorder treatment programs. Recognizing the potential stigma associated with obtaining treatment for alcohol and drug use disorders and the potential legal consequences for individuals who admit the use of illicit drugs while receiving treatment, Congress created confidentiality protections for individuals seeking care through federally assisted alcohol and drug treatment programs. These protections were memorialized under 42 CFR Part 2, which has remained largely unchanged over the past 50 years except for a few modifications in the last decade to permit certain redisclosures by recipients of Part 2 records. Despite these modifications, Part 2 still generally requires Part 2 programs and lawful holders to obtain prior written consent before disclosing (or redisclosing) records related to a patient’s treatment to any third party, with exceptions only for medical emergencies, research, program audits and limited court-ordered disclosures.
When HHS promulgated the standards for the privacy of PHI under HIPAA in 2000 (25 years after Part 2 was first promulgated), HHS took a more permissive approach to the use and disclosure of PHI. Under the HIPAA Privacy Rule, health care providers can use and disclose PHI for treatment, payment and health care operations without first obtaining consent from patients. This allows treating providers to consult with other health care providers in the provision of care to an individual, and to disclose medical records to a patient’s health plan as necessary to obtain payment for health care without obtaining the patient’s authorization. The HIPAA Privacy Rule did not preempt more stringent state and federal laws, however, leaving Part 2’s restrictive policies concerning Part 2 records intact. As a result, treatment programs covered by Part 2 that are also covered entities under HIPAA must comply with Part 2’s more stringent use and disclosure restrictions with respect to Part 2 records.
The HIPAA Privacy Rule also includes several requirements related to patient rights that are either absent or different from 42 CFR Part 2, including requirements to respond to patient requests to access and amend their records, or requests for an accounting of certain disclosures. HIPAA also created an administrative enforcement regime to penalize violations of HIPAA with civil monetary penalties. Conversely, Congress did not create an administrative enforcement regime under Part 2, leaving the responsibility of enforcement to US attorneys. As a result, there have been few compliance actions taken under 42 CFR Part 2.
In the CARES Act of 2020, Congress recognized these discrepancies between Part 2 and HIPAA, and concluded that Part 2 was preventing Part 2 providers from adequately coordinating medical care with other providers and health plans. Congress also authorized HHS to harmonize some of the patient rights and protections under Part 2 with those under HIPAA, and to issue civil money penalties for violations of Part 2 in accordance with the HIPAA civil monetary penalty regime.
Overview of Changes
HHS has proposed the following major changes, further discussed below, to 42 CFR Part 2, which would:
Create a new pathway for treatment, payment and health care operations (TPO) pursuant to a single prior written consent from the patient.
More clearly align Part 2 record compliance with HIPAA requirements by replacing definitions and disclosure processes to match HIPAA.
Amend the enforcement provision of Part 2 to mirror the enforcement measures under HIPAA, giving HHS the authority to issue civil monetary penalties. This change also incorporates a limitation on civil and criminal liabilities for uses and disclosures of Part 2 records improperly received by investigative agencies, as long as the agency acted with reasonable diligence when requesting the Part 2 records.
Apply the breach notification provisions and requirements from the Breach Notification Rule to Part 2 records, requiring Part 2 programs to adopt formal policies and procedures to protect against the unauthorized use or disclosure of unsecured Part 2 records.
Require Part 2 programs and HIPAA covered entities to notify patients of their compliance with federal confidentiality regulations for substance use disorder treatment records by updating their Notices of Privacy Practices (NPPs).
Remove the requirement under HIPAA to make a good-faith effort to obtain a written acknowledgment of the receipt of an NPP.
Create and clarify existing patient rights regarding complaint processes and requests for an accounting of disclosure or restrictions on disclosure of their PHI.
Update the standard for the de-identification of Part 2 records.
We discuss these modifications further below.
General Consent to Use and Disclose Part 2 Records for Treatment, Payment and Health Care Operations
The Proposed Rule proposes to create a new pathway for TPO pursuant to a single prior written consent from the patient. Although Part 2 programs must still obtain a written consent to disclose Part 2 records, the consent may permit all future uses and disclosures for TPO by “treating providers, health plans, third-party payers and people helping to operate” the Part 2 program. The written consent must otherwise meet the requirements for Part 2 consents, including a requirement to list the name or class of persons authorized to make the disclosure, provide a description of the information to be used or disclosed, and include the patient’s written or electronic signature.
However, unlike other Part 2 written consents, a general consent for TPO can last indefinitely with no expiration date, provided that the consent indicates that it will not expire. Additionally, the general consent must include statements indicating that 1) patient records disclosed to other Part 2 programs, covered entities or business associates may be further disclosed without the patient’s consent in accordance with the HIPAA Privacy Rule, except for uses and disclosures for civil, criminal, administrative and legislative proceedings against the patient, 2) redisclosures pursuant to the consent may no longer be protected by Part 2, and 3) any consequences to the patient of a refusal to sign the general consent.
The proposed new general consent would be valuable to Part 2 programs because it would allow them to obtain permissions to disclose Part 2 records for TPO within initial patient registration materials, as opposed to having to obtain a written consent for each individual disclosure. The Proposed Rule further establishes that Part 2 programs could condition a patient’s treatment on the patient agreeing to a general consent to disclose Part 2 records as needed to make referrals to other providers, obtain payment from a health plan or conduct a quality review of services provided. The general consent would also be valuable to other Part 2 programs, covered entities and business associates that receive Part 2 records, as it would generally allow these recipients to use and disclose the information like any other PHI they maintain, subject to the HIPAA Privacy Rule and any applicable state laws.
In accordance with the provisions in the CARES Act, though, the Proposed Rule prohibits Part 2 programs, covered entities, business associates, intermediaries or other lawful holders from disclosing records to initiate or substantiate criminal charges against a patient, to conduct a criminal investigation of a patient, or to offer the Part 2 records in any civil, criminal, administrative or legislative proceedings against a patient absent the patient’s consent or a special court order. The requirements for a court order under Part 2 differ from the requirements under the HIPAA Privacy Rule for disclosing PHI in response to civil, criminal, or administrative proceedings or criminal investigations.
With the Proposed Rule maintaining these remaining discrepancies between the HIPAA Privacy Rule and Part 2, covered entities, business associates and intermediaries will need to continue to maintain procedures for specially protecting the confidentiality of Part 2 records. It may be easier, however, to maintain different procedures for uses and disclosures in response to civil, criminal or administrative proceedings, as responding to these types of requests typically requires more manual effort. For example, disclosures to law enforcement are typically one-off disclosures rather than day-to-day treatment or payment disclosures through an electronic health record or health information exchange.
New Enforcement Actions for Part 2 Violations
The only enforcement actions previously available for Part 2 record violations were criminal actions by the US attorney of the applicable jurisdiction. The potential criminal liability was limited to a fine of $5,000 per violation for individuals or $10,000 per violation for organizations in accordance with Title 18 of the US Code. Under the CARES Act, Congress granted HHS the authority to issue civil money penalties for Part 2 violations, moving towards alignment with enforcement of HIPAA violations.
Through this Proposed Rule, the current limited enforcement provisions listed above would be replaced entirely to reference the enforcement actions in Sections 1176 (civil penalties) and 1177 (criminal penalties) of the Social Security Act, as implemented by the HIPAA Enforcement Rule. Under this change, violations of Part 2 requirements by Part 2 programs would be subject to potential civil monetary penalties up to $50,000 per violation depending on the level of culpability. (You can read more about HIPAA’s civil monetary penalties structure in our prior On the Subject discussing OCR’s 2019 Notice of Enforcement Discretion regarding penalties under HIPAA.) This authority also grants state attorneys general authority to bring civil enforcement actions, such as seeking an injunction against the offender or damages for those harmed. Additionally, the criminal enforcement actions previously available for Part 2 violations would be replaced by Section 1177 actions, including imprisonment up to 10 years or fines up to $250,000 depending on the severity and intent of the violation. This change also means that business associates and covered entities would be subject to enforcement actions by HHS for Part 2 violations in addition to HIPAA violations.
HHS notes that this proposed change incorporates limitations for potential civil and criminal liabilities that investigative agencies, and those acting on their behalf, might incur. Recognizing the increased risk associated with violating Part 2, the Proposed Rule creates a safe harbor for investigators if they unknowingly receive Part 2 records without following the proper processes, creating an incentive for them to fix the error. Investigative agencies and their agents must act with “reasonable diligence” in determining if Part 2 applies to records or programs before requesting records or seeking a court order. Investigative agencies that do not use reasonable diligence would be precluded from remedying the violation by seeking a court order to use or disclose such Part 2 records.
Stakeholders should be aware of the impact of this expanded enforcement framework, which will make enforcement of violations of Part 2 more likely, with higher potential civil monetary penalties. The Proposed Rule does not make clear whether the Substance Abuse and Mental Health Services Administration (SAMHSA), the division of HHS that is currently responsible for issuing regulations within 42 CFR Part 2, or the Office for Civil Rights (OCR), the division of HHS that enforces HIPAA, will be responsible for imposing civil monetary penalties for violations of Part 2 against Part 2 programs that are not covered entities or business associates. However, the Proposed Rule explicitly states that Part 2 programs or lawful holders of Part 2 records that are also covered entities or business associates will be subject to enforcement by OCR for violations of HIPAA, Part 2, or both.
Notice of Privacy Practices Requirements
Part 2 programs previously had to provide patients with notification of the program’s obligations to comply with 42 CFR Part 2. This included a written summary that the Part 2 program would provide to the patient, which was less comprehensive than the corresponding Notice of Privacy Practices (NPP) requirements in the HIPAA Privacy Rule. In addition to requiring harmonization of the notice requirement with HIPAA’s NPP requirement, the CARES Act also directed HHS to modify the current NPP requirements to address Part 2 records that are transmitted to or maintained by covered entities. To implement this directive, the Proposed Rule modifies the requirements under 42 CFR § 2.22 for Part 2 confidentiality notices (Patient Notices) and the requirements under 45 CFR § 164.520 for NPPs. Additionally, HHS elected to re-propose policies from an earlier unfinalized 2021 HIPAA rulemaking that include eliminating the requirement for covered entities to obtain a written acknowledgment from patients that they had received a copy of the NPP.
45 CFR § 164.520 updates. HHS proposed changes to 45 CFR § 164.520 to require covered entities that receive Part 2 records to address the confidentiality requirements for Part 2 records within their NPP, and included additional proposals by OCR to modify the NPP requirements for all covered entities under the HIPAA Privacy Rule. These proposals would require covered entities to make updates to the Header, Uses and Disclosures, Statement of Rights, Covered Entity’s Duties and other sections of the NPP as follows:
Header: Covered entities that interact with Part 2 records but are not Part 2 programs are instructed to specifically state in their NPP header whether the covered entity is receiving or maintaining Part 2 records.
Uses and Disclosures: As directed by the CARES Act, the Proposed Rule requires that the NPP of a covered entity subject to Part 2 include a statement prohibiting the use of Part 2 records or testimony in certain proceedings or the use of Part 2 information for fundraising efforts without consent.
Statement of Rights: HHS proposed to require covered entities to include a notice regarding patients’ rights to inspect and obtain a copy of PHI free of charge and the right to discuss the NPP with a designated contact person identified by the respective covered entity.
Covered Entity’s Duties: The HIPAA Privacy Rule required covered entities to explain their duty under HIPAA to maintain the privacy of PHI. The Proposed Rule proposes to expand this statement to include the covered entity’s duty to comply with Part 2 where applicable. Additionally, the Proposed Rule would modify the provision that allows a covered entity to change the terms of the NPP without further notice to instead limit NPP changes that do not require further notice to those that are not “material” or “contrary to law.” The Proposed Rule does not define “material” or provide examples of what HHS would consider a material change. The NPP must describe how the covered entity will provide individuals with the revised notice following a material change.
Inmate Exclusion: The HIPAA Privacy Rule currently does not require covered entities to provide inmates with a copy of the NPP. HHS proposed removing this exception, as HHS believes incarcerated persons are entitled to receive an NPP.
Proposals from prior HIPAA coordinated care rulemaking: HHS additionally incorporated into the Proposed Rule changes to the NPP it previously proposed in its rulemaking entitled “Proposed Rule to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.” These proposals include the requirement to include the e-mail address for a designated person who could answer questions about the NPP, adding a permission for individuals to direct copies of PHI to third parties when PHI is not in an electronic health record pursuant to an authorization, and removing the requirement for a covered entity to obtain a written acknowledgment of the individual’s receipt of the NPP. You can read more about these proposals in our prior On the Subject for this rulemaking.
42 CFR § 2.22 Updates. HHS proposed changes to 42 CFR § 2.22 to align the Part 2 notice requirements with HIPAA and include specific requirements for each “key element” of the Part 2 notice. This includes the Header, Uses and Disclosures, Individual Rights, and Duties of Part 2 Programs. Additionally, this change reiterates the need for Part 2 programs that accept federal financial assistance to provide appropriate accommodations for patients with disabilities to make communication effective. The updated Patient Notice content requirements include the following:
Header: HHS proposes to add a header to the Patient Notice. This would nearly match the NPP header.
Uses and Disclosures: Within the Uses and Disclosures section, Part 2 programs would be required to include descriptions of each use and disclosure that may be made without patient consent and of the uses and disclosures that can only be made with written consent. Additionally, the rule proposed adding information to the notice regarding uses and disclosures for TPO stemming from the new general consent pathway, discussed above. The Proposed Rule would also require Part 2 programs to give patients notice of, and obtain their specific consent to, any use of Part 2 records for fundraising purposes.
Individual Rights: The Proposed Rule aims to align the statement of rights in the Patient Notice with that in the NPP, including a notice of patients’ right to request restrictions on disclosures for TPO and on disclosures to a patient’s health plan when the patient pays in full for services, a notice of the right to an accounting of disclosures, a notice of the right to obtain a copy of the notice, and the right to discuss the notice with a designated contact person.
Part 2 Program’s Duties: The rule proposes incorporating notice of a Part 2 program’s compliance responsibilities, similar to the statements required of covered entities in the NPP. This would also include a new duty to notify affected patients following a breach, as discussed below.
Complaints: The Proposed Rule creates a process for individuals to submit complaints for non-compliance, and Part 2 programs must detail that process within their Patient Notices.
Contact, Implementation, and Version Information: The Proposed Rule requires the Patient Notice to include contact information and details on prior versions of the notice and indicate how the Patient Notice will be disseminated to patients, including details on emergency situations.
Although Part 2 programs previously have had to provide and maintain privacy practice notices, the requirements proposed under 45 CFR § 164.520 and 42 CFR § 2.22 are much more detailed and specific. Part 2 programs will need to update their Patient Notices and their processes for providing the notices to patients. Covered entities should also be aware of the new requirements for NPPs and update their NPPs as required. However, HHS’s efforts to align Part 2 record and PHI protection will add some clarity for covered entities that also maintain Part 2 programs, as the unaligned NPP and Patient Notice requirements raised questions for Part 2 programs about how to draft and present a privacy notice to Part 2 patients.
Breach Notification Processes
Part 2 does not currently require Part 2 programs to notify patients following an unauthorized use or disclosure of their Part 2 records. The Proposed Rule introduces a breach notification process for Part 2 programs.
Some Part 2 programs are not covered entities under HIPAA because they only accept out-of-pocket payments from patients and do not engage in HIPAA-standardized transactions. Despite not accepting payment from Medicare or Medicaid, these cash-pay providers nevertheless meet the definition of “federally assisted” and are therefore Part 2 programs if they have a license to prescribe and/or dispense medication-assisted treatment to patients. Part 2 programs that are not covered entities under HIPAA are not currently required under federal law to notify patients in the event of a breach affecting Part 2 records, but may be required to do so under applicable state law.
The proposed breach notification process would mandate programs that maintain Part 2 records, and other “lawful holders,” to comply with the existing Breach Notification Rule under HIPAA. Part 2 providers that are not covered entities, and therefore not currently subject to HIPAA’s Breach Notification Rule requirements, will need to create breach notification policies and procedures. These stakeholders will also need to take into consideration the impact of being subject to Breach Notification Rule requirements. The Breach Notification Rule has certain triggers for notification of broader authorities, such as the secretary of HHS and the media, in addition to patient notification. OCR investigates all breach notifications disclosing breaches affecting 500 or more individuals, and under the Proposed Rule any Part 2 programs that submit breach notifications involving 500 or more individuals would also be subject to such investigation by OCR.
New Patient Rights
The Proposed Rule creates new patient rights under Part 2 that align with rights provided under HIPAA: 1) a right to an accounting of disclosures and 2) a right to request restrictions on disclosures for TPO.
Patients would have a right to request an accounting of disclosures of Part 2 records made by the Part 2 program up to six years prior to the date of the request. Additionally, the Proposed Rule would require Part 2 programs to be capable of providing an accounting of TPO disclosures made through an electronic health record by the Part 2 program up to three years prior to the date of request. This proposed right to request an accounting of TPO disclosures would mirror Congress’s directive under the Health Information Technology for Economic and Clinical Health (HITECH) Act from 2009. Notably, HHS has not yet finalized the HITECH modifications for accountings of disclosures due to significant stakeholder feedback to a proposed rule issued by OCR in 2011. Accordingly, HHS intends to toll the effective date of its accounting of disclosures proposals for Part 2 until the effective date of modifications to the accounting of disclosures under HIPAA pursuant to HITECH. Importantly, there are no plans under the current regulatory agenda for HHS to re-propose the HITECH modifications. As a result, it may be a significant period of time before the accounting of disclosures for treatment, payment and health care operations disclosures becomes effective.
Additionally, under the Proposed Rule, patients would have a right to request restrictions on uses or disclosures of records otherwise permitted under Part 2. Consistent with a patient’s right to request restrictions under the HIPAA Privacy Rule, the Part 2 program is not required to agree to a requested restriction, except in cases when a patient requests a restriction of disclosure of records about the patient to a health plan if 1) the disclosure is for the purposes of payment or healthcare operations and not otherwise required by law and 2) the record pertains solely to a healthcare item or service for which the patient, or person other than a patient’s health plan, has paid the Part 2 program in full. Part 2 programs that deny a request for restrictions would still be subject to all applicable state or other laws that impose greater restrictions on disclosures than those that Part 2 requires.
Standard of De-Identification
Under the Proposed Rule, HHS would modify the current de-identification standard under Part 2 from “rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers)” to the de-identification standard of the HIPAA Privacy Rule. Accordingly, the de-identification standard would become more stringent, and Part 2 programs that are not covered entities under HIPAA would need to use the HIPAA safe harbor or expert determination methods to render patient identifying information non-identifiable under Part 2.
Notably, Congress indicated in Section 3221(k) of the CARES Act that it was the “sense of Congress” that the definition of “health care operations” as applied to permissible uses and disclosures of Part 2 records under the general consent pathway “shall not include” the portion of the HIPAA definition that permits covered entities to de-identify Part 2 information or create limited data sets. HHS declined to follow this non-binding language in the Act. In the Proposed Rule, HHS stated that it “believes that requiring patient consent for de-identification activities…may negatively affect patient privacy by increasing permissible but unnecessary uses and disclosures of identifiable Part 2 records in circumstances when de-identified records would serve the intended purpose.” Accordingly, the Proposed Rule does not require Part 2 programs to obtain express consent from individuals prior to de-identifying their information or creating limited data sets.
Potential Areas Ripe for Comment
The Proposed Rule raises many issues that are ripe for stakeholder comment, including the following:
The standards by which lawful holders, intermediaries and other recipients of Part 2 records pursuant to the general consent for treatment, payment and health care operations disclosures will identify or differentiate records disclosed to them pursuant to the general consent from records disclosed pursuant to a specific consent.
The wisdom of further modifying the HIPAA Notice of Privacy Practices to include even more content than the current requirements under HIPAA, when patients may not read or understand such notices.
The risk that an influx of civil monetary penalties under the new enforcement framework will create additional barriers of entry for persons and entities wishing to provide Part 2 programs.
HHS’s reference to the potential adoption of the HITECH Act’s accounting of disclosure provision for treatment, payment and health care operations disclosures through an electronic health record, despite significant stakeholder opposition to the policy.
If you would like assistance preparing comments to these proposed modifications to Part 2, please contact one of the authors or your regular McDermott lawyer.