The US Department of Health and Human Services, Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 C.F.R. Part 2 (Part 2), applicable to certain federally assisted SUD treatment programs (Part 2 Programs), and to SUD patient records (Part 2 Records).

The effective date of the Final Rule is April 16, 2024, and entities have until February 16, 2026, to comply.

The Final Rule includes several changes to align Part 2 more closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which applies to protected health information, and to reduce administrative burdens, as summarized below:

• Single Consent for Treatment, Payment and Health Care Operations (TPO). The Final Rule now permits a single consent for all future uses and disclosures of Part 2 Records for TPO and aligns the required elements of the consent form with those required for a valid HIPAA authorization. Further, unless and until revoked, a recipient Part 2 Program, and a HIPAA regulated entity (i.e., a covered entity or business associate) receiving Part 2 Records under such a consent may use and disclose those records for TPO as permitted by HIPAA. Also, a HIPAA regulated entity may further disclose those records in accordance with HIPAA. Previously, Part 2 required the patient to issue a new consent for each disclosure.
• Separate Consents for Counseling Session Notes. The Final Rule adopts requirements for the disclosure of SUD counseling notes that are similar to the HIPAA Privacy Rule’s protections around the disclosure of psychotherapy notes, requiring a separate consent for the disclosure of SUD counseling notes and specifically prohibiting combining a consent for disclosure of SUD
  counseling notes with a consent for disclosure of any other type of health information (other than psychotherapy notes). SUD counseling notes are the notes of a Part 2 Program provider documenting or analyzing the contents of conversation during a SUD counseling session and that are separated from the rest of the patient’s SUD and medical records, excluding medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
• Copy of Consent. A copy of the patient’s consent, or a clear explanation of the scope of the consent, must be provided with the record(s) being disclosed.
• Broader Description of Recipient Permitted. The Final Rule clarifies how recipients (by name or “class of persons”, etc.) may be designated in a consent to use and disclose Part 2 Records, which is a departure from the prior, more stringent requirement that each recipient be specifically listed.
• Expands Part 2 Records Protection in Legal Proceedings. The Final Rule expands restrictions on the use and disclosure of Part 2 Records and testimony to civil, administrative, and legislative proceedings against patients absent the patient’s consent or a court’s order. The previous rule’s protections were limited to criminal proceedings.
• Breach Notification. Breaches of Part 2 Records will be subject to the same notification requirements of the HIPAA Breach Notification Rule. While HIPAA’s breach notification requirements for breaches affecting 500 or more individuals are well known, HIPAA also has reporting requirements for breaches involving fewer than 500 individuals. Under the HIPAA Breach Notification Rule, regulated entities must maintain a log of small breaches and annually report these small breaches to OCR no later than 60 days after the end of each calendar year. Previously, only Part 2 Programs that were also HIPAA regulated entities were required to report breaches pursuant to the HIPAA Breach Notification Rule’s requirements. Under the Final Rule, Part 2 Programs must report all breaches according to the requirements of the HIPAA Breach Notification Rule. 
• Expands Penalties. Violations of Part 2 will now be subject to the same civil and criminal enforcement authorities that apply to HIPAA violations. Ordinarily, OCR updates the penalty structure annually to account for inflation. However, OCR has not yet issued a final rule confirming the new penalty amounts for 2024. Based on the last update (October 2023), the penalty amounts are calculated as follows:

• Disclosures to Public Health Authorities. Part 2 Programs are now permitted to disclose to public health authorities de-identified patient information that meets the HIPAA standards for de-identification, without the need for patient consent, in accordance with the HIPAA Privacy Rule. 
• Notice of Privacy Practices (NPP). The patient notice required under Part 2 were modified to better align with the HIPAA NPP requirements at 45 CFR 164.520 so that HIPAA regulated entities and Part 2 Programs may provide a single NPP to patients. HIPAA regulated entities that are also Part 2 Programs must now meet additional NPP content requirements including, but not limited to: (i) inclusion of certain enumerated disclosures in the NPP header; (ii) a statement that a patient may provide a single consent for all future uses and disclosures for TPO purposes; (iii) a statement advising that when the consent provided is a single consent for all future uses and disclosures for treatment, payment, and health care operations, a Part 2 program, covered entity, or business associate may use and disclose those records for treatment, payment, and health care operations as permitted by the HIPAA regulations, until such time as the patient revokes such consent in writing; and (iv) information regarding the patient’s rights with respect to their Part 2 records.

To prepare for the changes in the Final Rule, Part 2 Programs and HIPAA regulated entities should: (i) revise their consent and authorization forms, NPPs, and policies and procedures as necessary to comply with the requirements of the Final Rule; (ii) retrain workforce members on Part 2’s requirements and limitations around uses and disclosures of Part 2 records, and the differences between Part 2 and HIPAA; and (iii) prepare incident response plans that are responsive to the requirements of the HIPAA Breach Notification Rule so that the organization is prepared to address breach notification obligations appropriately in the event it suffers a data incident.