Update February 13, 2024 – HHS announced its Final Rule related to the confidentiality of substance abuse disorder patient records. The goal of the Final Rule is to increase care coordination among providers, strengthen confidentiality, and enhance the integration of behavioral health information with other medical records. See Substance Abuse Treatment and HIPAA are Better Aligned.

Patient privacy is central to quality health care. However, when a patient suffers from substance abuse disorder (SUD), confidentiality may be even more critical because of social stigma. People in treatment for substance abuse disorder face negative consequences ranging from social isolation and job loss to arrest and prosecution. Federal rules ensuring privacy for substance abuse patients was seen as a way to encourage treatment.

Strict treatment record rules protecting substance abuse patients pre-date HIPAA by almost twenty years. Called “the Part 2 regulations”, the rules were created in 1975, before the internet and before electronic health records were the norm. There were no other, broader privacy and security standards for health information.

In the 70’s, most substance abuse health issues were put in the broad category of “alcohol and drug abuse”. Today we understand “substance abuse disorder” differently and the opioid crisis grabs headlines across the country. But public health experts agreed, then and now, that patients need privacy protection to be encouraged to enter and remain in treatment.

Today Part 2 is overseen by the Substance Abuse and Mental Health Services Administration (SAMHSA) in the U.S. Department of Health and Human Services (HHS). The Office for Civil Rights, also within HHS oversees HIPAA. Are they talking?

HIPAA, SAMHSA and HIPAA Part 2 Regulations

Part 2 regulations (from 1975) and HIPAA have not been coordinated and sometimes conflict, causing confusion. The HHS website advises providers that if they comply with HIPAA and another, more restrictive privacy rule, they must follow the more restrictive one.

HIPAA was first passed in 1996 although it’s been updated many times since. The Privacy Rule became law in 2003 and the Security Rule in 2005; the HITECH Act in 2009 provided incentives for health care providers to use electronic health records, and created the Breach Notification Rule. The Omnibus Final Rule became law in 2013 – there were no major changes, but it clarified some gray areas and updated requirements around tech advances like the use of mobile devices. Although enacted at different times, all are connected and known together as HIPAA.

Part 2 provides more protections for treatment records than HIPAA does. For example, under HIPAA, authorization from the patient is not required to use or disclose protected health information (PHI) when the purpose is for treatment, payment or health care operations. On the other hand, with limited exceptions, Part 2 requires patient consent for disclosures of treatment records, even for purposes of treatment, payment or health care operations. The consent must be in writing.

Another difference relates to privacy protections for patient records in criminal and civil legal proceedings. Part 2 requires a specific court order for the disclosure of information in response to a subpoena, search warrant, or law enforcement request. This is because, unlike other types of protected health information, SUD records may expose a patient to criminal liability or other negative legal consequences.

Part 2 has been clarified and amended several times, as recently as 2018. The central core of protections remained, although changes were made to better align with HIPAA and clarify protections around electronic records.

A more complete summary comparing HIPAA and Part 2 can be found here.

The Opioid Crisis

The national opioid crisis is one reason the government wants to take another look at how Part 2 interacts with HIPAA. HHS is under pressure to do more to alleviate the crisis. Along with research, education and encouraging compassionate care, making common sense changes to outdated rules is one way to help.

Over 130 people die every day after overdosing on opioids according to the Centers for Disease Control and Prevention (the CDC). The CDC also estimates that the total economic burden of prescription opioid misuse in the United States is $78.5 billion a year, including the costs of healthcare, lost productivity, addiction treatment, and criminal justice involvement. Families are heartbroken and countless communities across the country are ravaged by the effects of addiction.

Proposed HIPAA Part 2 Rule Changes

This week SAMHSA proposed a rule to loosen restrictions on treatment records, aligning the Part 2 regulations more closely with HIPAA.

A Fact Sheet on the Proposed Rule was published on August 22, 2019. It describes ten changes, and the reasons for each.

Five of them are:

  • Allows a non-Part 2 provider to maintain SUD information in the individual’s medical record, provided the information was willingly given by the patient (currently Part 2 requires SUD information to be segregated).
  • Declared emergencies resulting from natural disasters (e.g., hurricanes) that disrupt treatment facilities and services will meet the definition for a “bona fide medical emergency,” for the purpose of disclosing SUD records without patient consent.
  • Permits providers who do not provide opioid treatments to access a central registry of patients who have enrolled in treatment programs. This is intended to help prevent accidental overdoses. Enrollment in an opioid treatment program would include consent to have treatment information shared with the central registry.
  • Disclosures for the purpose of “payment and health care operations” are permitted with written consent, in connection with a list of 17 examples.
  • Disclosures for research under Part 2 will be permitted by a HIPAA covered entity or business associate to individuals and organizations who are neither HIPAA covered entities, nor subject to the Common Rule (re: Research on Human Subjects).

Reasons given for making changes to Part 2: they are needed to reduce confusion, enhance information-sharing, bring the older rules up to date with technology, and align with HIPAA. On the side of caution about changes: privacy is sacrosanct and the stigma around substance abuse disorder has not lessened much in 45 years. Advocates for substance abuse patients want to ensure continued strong privacy protections to strengthen successful treatment.

When Will HIPAA Part 2 Change?

The new proposed SAMHSA rule must still go through a public comment period, review and revisions. Regulation changes can take months, or a year before they’re put into place. History has shown that HHS rulemaking can take a long time. When will this happen? Stay tuned.

Free HIPAA Checklist
What best describes you?