February 1, 2023

Volume XIII, Number 32

Advertisement

January 31, 2023

Subscribe to Latest Legal News and Analysis

January 30, 2023

Subscribe to Latest Legal News and Analysis

HHS Proposes to Align Federal Substance Use Disorder Law with HIPAA

Proposed changes to the federal substance use disorder law will increase provider efficiency and alignment with the Health Insurance Portability and Accountability Act (HIPAA). In a move that seeks to decrease administrative burdens on patients and providers while beefing up enforcement capabilities, the Department of Health and Human Services (HHS) issued its long awaited Notice of Proposed Rulemaking (Proposed Rule) for the proposed changes to 42 C.F.R. Part 2 (Part 2), the regulation governing the confidentiality of substance use disorder patient records. The changes have been expected since 2020 when Congress directed HHS to amend Part 2 in the CARES Act. The Proposed Rule’s impact will be a net positive for substance use disorder providers already required to comply with HIPAA. However, cash-pay providers required to comply with Part 2 but not regulated by HIPAA will be required to comply with HIPAA’s Privacy Rule and Breach Notification Rule.

“HHS understands how critical it is for patients to better align the Part 2 rules and program with HIPAA. This proposed rule helps decrease burdens on patients and providers, improves coordination and increases access to care and treatment, while protecting confidentiality of treatment records.” - OCR Director Melanie Fontes Rainer (Nov. 28, 2022)

Here are six key takeaways from the Proposed Rule.

  1. Single patient consent for all treatment, payment, and operations disclosures. The most anticipated change to Part 2 is the easing of the ability to share Part 2 records for purposes of treatment, payment, and health care operations (TPO). Part 2 programs will be able to obtain a single consent from a patient that permits disclosure for all future TPO uses and disclosures. The proposed rule will allow patients flexibility when identifying recipients. For example, it will be permissible to list categories of recipients on the consent, such as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement. Once the consent, which will look similar to a HIPAA authorization, is obtained, Part 2 programs, covered entities, and business associates that receive Part 2 records pursuant to a written consent for TPO purposes may redisclose the records in any manner permitted by the HIPAA Privacy Rule, except for certain proceedings against the patient.

  2. Part 2 violations will be subject to the HIPAA Breach Notification Rule. The proposed rule would add breach notification requirements to Part 2 through a cross-reference to the HIPAA Breach Notification Rule. This change would require Part 2 programs to notify HHS, affected patients, and in some cases the media, of a breach of unsecured Part 2 records in accordance with the HIPAA Breach Notification Rule. While the majority of Part 2 programs are also covered entities that will already be familiar with these requirements, any Part 2 programs not currently subject to HIPAA will need to develop a robust privacy compliance program and train their workforce to identify disclosures that may trigger a breach notification requirement.

  3. Self-pay patients have the right to restrict disclosures to health plans. Similar to HIPAA, the proposed rule would require Part 2 programs to permit patients to request restrictions on the use or disclosure of Part 2 information to carry out TPO. This includes instances when the patient has signed a written consent for the disclosures. Part 2 programs are not required to agree to these restrictions, except in the event the patient has requested to restrict disclosure of records to a health plan for payment or health care operations purposes where the record pertains solely to a health care item or service for which the patient or someone on the patient’s behalf, other than the health plan, has paid the Part 2 program in full.

  4. Part 2’s Patient Notice requirements are aligned with HIPAA’s Notice of Privacy Practices. The proposed rule would ensure that patients of Part 2 programs are afforded the same level of notice and transparency as is provided to individuals through HIPAA’s Notice of Privacy Practices (NPP). Currently, Part 2 programs are required to provide a written “summary” of Part 2’s restrictions to patients, but Part 2 does not require such programs to provide a comprehensive NPP to patients. Under the proposed rule, the Part 2 patient notice (Patient Notice) would address the same key elements as the HIPAA NPP, including a description of the permitted uses and disclosures of Part 2 records (and when separate consent is required). The Patient Notice would also need to inform patients of the complaint process and the patient’s right to revoke their consent for the Part 2 program to disclose records in certain circumstances.

    Notably, the proposed rule would modify both Part 2’s Patient Notice requirements and HIPAA’s NPP requirements. Certain covered entities that are not Part 2 programs but receive and maintain Part 2 records (and are thus subject to Part 2 requirements for those records) would need to add a provision to their NPP that references the restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual. Current NPP requirements would continue to apply, without change, to covered entities that do not maintain or receive Part 2 records.

  5. New Part 2 accounting of disclosures requirements tolled until the issuance of the long-awaited HIPAA final rule on accountings. HHS proposes to incorporate HIPAA’s accounting requirements into Part 2. The proposed rule would also incorporate the requirements in the HITECH Act that disclosures for TPO purposes be included in the accounting only where such disclosures are made through an electronic health record. The compliance date for the Part 2 accounting requirement would be tolled until the effective date of a (long awaited) final rule on the HIPAA accounting of disclosures standard.

  6. HHS will have the authority to enforce Part 2 through civil penalties. The CARES Act replaced the previous criminal enforcement authority for violations of Part 2 with a reference to the statutory penalties that apply to HIPAA violations. The proposed rule would update the Part 2 regulations to reflect this change, creating for the first time a civil enforcement authority that may be exercised by HHS in addition to the Department of Justice’s longstanding criminal enforcement authority. The Proposed Rule notes that there have been no criminal actions undertaken to enforce Part 2. Given that HHS has significant experience investigating and enforcing HIPAA violations through civil penalties, we would expect to see HHS take a similar approach with regard to Part 2.

Make Your Voice Heard

Public comments on the Proposed Rule are due 60 days after publication of the Proposed Rule in the Federal Register, which is expected on December 2, 2022. Note that the current Part 2 rules remain in effect while HHS undertakes this rulemaking process.

© 2023 Foley & Lardner LLPNational Law Review, Volume XII, Number 334
Advertisement
Advertisement
Advertisement

About this Author

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney
Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

617-502-3211
Adam Hepworth,  Health Care Attorney, Foley Law Firm
Associate

Adam J. Hepworth is an associate and health care business lawyer with Foley & Lardner LLP. He is a member of the firm’s Health Care Industry Team.

Prior to joining Foley, Mr. Hepworth was a law clerk for Judge Harris L. Hartz on the United States Court of Appeals for the Tenth Circuit. He also interned in the San Francisco City Attorney’s health group and externed in the Civil Division of the United States Attorney’s Office in San Jose. Before he attended law school he was a policy intern for Sierra Health Foundation, where he worked on...

213-972-4604
Sunny Levine Health Care Lawyer Foley Lardner
Associate

Sunny J. Levine is a health care lawyer with Foley & Lardner LLP, and member of the firm’s Telemedicine & Digital Health and Health Care Industry Teams working with hospitals and health systems, physician practice groups, and technology companies across the country. Sunny’s practice focuses on federal and state regulatory compliance and business issues in the health care industry. She also works with companies offering highly regulated consumer products, such as medical marijuana and alcohol beverages.

Telemedicine & Digital Health Experience

Sunny’s practice...

813.462.7712
Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

813-225-4129
Advertisement
Advertisement
Advertisement