Coordination of care in behavioral health just got easier. Up to now, two sets of regulations (under SAMHSA and HIPAA) sometimes conflicted, confusing healthcare providers. Last week, the U.S. Department of Health and Human Services (HHS) announced a new final rule to reduce conflicts and promote coordinated care.
Historically, strict treatment record rules protecting substance abuse patient confidentiality pre-date HIPAA by almost twenty years. Called “the Part 2 regulations”, the rules were created in 1975, before the internet and electronic health records were the norm. At the time, there were no broader privacy and security standards for health information.
HIPAA was first passed in 1996 and has been updated and enhanced since then, but the conflicts between Part 2 and HIPAA have just been resolved. For more background, see HIPAA, SAMHSA, and the Opioid Crisis.
HHS, through its Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), has now finalized modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”), which protect the privacy of patients’ SUD treatment records.
The new final rule:
- increases coordination among providers treating patients for SUDs,
- strengthens confidentiality protections through civil enforcement, and
- enhances integration of behavioral health information with other medical records to improve patient health outcomes.
This final rule started as a “proposed rule” in 2019 when HHS published a Notice of Proposed Rulemaking (NPRM). The public was allowed to comment on the proposal, and some of those comments were incorporated.
For a summary of the changes in the final rule, see HHS’ Fact Sheet on Part 2 Alignment with HIPAA. Below are excerpts from the Fact Sheet.
Major Changes in the New Part 2 Rule
- Patient Consent
- Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
- Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records per HIPAA regulations.
- Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
- Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients absent patient consent or a court order.
- Breach Notification: This applies the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2.
- Patient Notice: Aligns Part 2 Patient Notice requirements with the HIPAA Notice of Privacy Practices requirements.
- Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before demanding records during an investigation. The safe harbor requires investigative agencies to take specific steps if they discover they received Part 2 records without having obtained the requisite court order.
Substantive Changes to Part 2 Informed by Public Comments
In addition to finalizing modifications to Part 2 that were initially proposed, the final rule includes other changes informed by public comments. Some of those include:
- Safe Harbor: Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
- Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
- SUD Counseling Notes: Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that requires specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.
- Patient Consent:
- Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
- Requires a separate patient consent for using and disclosing SUD counseling notes.
- Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.
What Has Not Changed in Part 2
Patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written patient consent or a court order.
Records obtained in an audit or evaluation of a Part 2 program cannot be used to investigate or prosecute a patient absent the patient’s written consent or a court order that meets Part 2 requirements.
What Comes Next
The final rule will not be enforced immediately. Organizations and persons subject to Part 2 must comply with the final rule two years after its publication in the Federal Register. It is still unpublished but is expected to be published on February 16, 2024. HHS will conduct outreach and develop guidance on complying with the new requirements, such as filing breach reports when required.
OCR plans to finalize changes to the HIPAA Notice of Privacy Practices (NPP) to address the uses and disclosures of protected health information protected by Part 2, along with other changes to the NPP requirements, in an upcoming final rule modifying the HIPAA Privacy Rule.