What providers should know about changes to substance use confidentiality regulations
Click Here to Manage Email Alerts
On Feb. 16, HHS, through its Office for Civil Rights and Substance Abuse and Mental Health Services Administration, published its final rule amending federal regulations protecting confidentiality of substance use disorder treatment records.
The final rule modified 42 Code of Federal Regulations Part 2 to align certain aspects of the regulations with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The Part 2 amendments aim to increase coordination among providers, strengthen the confidentiality of Part 2 records through enforcement, and improve health outcomes through the integration of behavioral health information with other medical records.
The amended Part 2 regulations more closely align with HIPAA in allowing for increased care coordination among providers treating patients for SUD. Part 2 providers will also face increased enforcement under the amended regulatory scheme and will have an affirmative obligation to report breaches of Part 2 records to patients and the Office of Civil Rights as required under HIPAA. However, the alignment of Part 2 with HIPAA is not absolute. A number of additional protections still apply to Part 2 records.
The final rule went into effect on April 16; however, compliance is not required until Feb. 16, 2026. Nevertheless, providers may want to consider voluntarily implementing beneficial changes now. The following is a summary of key regulatory modifications that Part 2 providers need to be aware of as they move toward compliance with the final rule.
Consent for uses and disclosures for treatment, payment and health care operations
Prior to the final rule, Part 2 included wide-ranging prohibitions on the use and disclosure of Part 2 records without written consent from the patient. The final rule amended these consent requirements, particularly in terms of uses and disclosures of Part 2 information for treatment, payment and health care operations (TPO) purposes.
Rather than requiring separate consents for each use or disclosure for TPO purposes, the amended Part 2 regulations now allow providers to use and disclose Part 2 information for TPO purposes by way of a single patient consent authorizing all future uses and disclosures. Although not fully aligned with HIPAA’s permissive use and disclosure provisions for TPO, the amended Part 2 regulations significantly streamline the process for SUD providers.
These new consent provisions will allow providers, as well as their business associates and qualified service organizations, to collaborate more efficiently and effectively with other providers. However, this streamlined TPO consent process does not extend to uses and disclosures for civil, criminal, administrative and legislative proceedings against the patient. To that end, under the amended regulations, a written consent for TPO purposes must include the statement that the patient’s record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative and legislative proceedings against the patient.
Another important change under the final rule gives patients the right to request restrictions on disclosures of Part 2 records for TPO purposes. Except in limited circumstances, providers are not required to agree to all patient requests for restrictions, although providers are encouraged to make reasonable efforts to do so.
Additional changes to the patient consent provisions of note are the final rule’s new requirement that all disclosures made with patient consent include a copy of the consent or a clear explanation of its scope. This new requirement is in addition to the amended redisclosure statement requirements set out in the final rule, which require providers to include an explicit statement indicating that the records being disclosed are Part 2 records. Additionally, Part 2 records that are deidentified pursuant to the HIPAA privacy standards are now permitted to be disclosed to public health authorities without patient consent.
SUD counseling notes
The final rule also includes a definition of “SUD counseling notes,” which tracks with the definition of “psychotherapy notes” under HIPAA.
Under the amended Part 2 regulations, a Part 2 record will be considered “SUD counseling notes” if the records are notes recorded by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a counseling session, which records are separated from the rest of the patient’s medical record. Certain types of records are excluded from the definition of SUD counseling notes, including medication prescription and monitoring; counseling session start and stop times; the modalities and frequencies of the treatment furnished; the results of clinical tests; and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date. Similar to psychotherapy notes under HIPAA, subject to limited exceptions, SUD counseling notes will require a separate written consent from the patient.
Notices and individual rights
Like patients’ rights under HIPAA, the final rule includes various patient rights that will now also apply to Part 2 records. These include the right to:
- file complaints directly with the secretary of HHS for violations of Part 2;
- receive a notice of their rights and the program’s privacy practices;
- an accounting of certain disclosures made within the last 3 years;
- opt out of the receipt of fundraising communications; and
- request restrictions on disclosures.
As a result, Part 2 providers will need to update their notice of privacy practices to bring them into compliance with the final rule.
Breach notification requirements and penalties
Another substantial alignment of the Part 2 requirements with HIPAA is the final rule’s extension of the HIPAA breach notification requirements to Part 2 programs and records. Under HIPAA, a breach is generally an impermissible use or disclosure that compromises the privacy or security of protected health information. Once a breach has been discovered, HIPAA requires that notification to regulatory authorities and individuals be made. These HIPAA breach notification rules now apply to Part 2 programs and records. In addition, the final rule replaces Part 2’s rarely enforced criminal penalties under Title 18 of the U.S. Code with the often-enforced HIPAA criminal and civil penalty structure. Violators of Part 2 under the final rule will now be subject to the same criminal and civil penalty structure used for HIPAA violations, meaning increased and more consistent enforcement of the privacy and confidentiality protections set out in both HIPAA and Part 2.
Segregation of Part 2 data
The final rule expressly states that segregating or segmenting Part 2 records is not required. The final rule does not preclude voluntary use of data segmentation or tracking to protect sensitive data from improper disclosure or redisclosure.
What hasn’t changed
Importantly, the primary purpose of the Part 2 regulations remains to “ensure that a patient receiving treatment for a substance use disorder in a Part 2 program is not made more vulnerable by reason of the availability of their record than an individual with a substance use disorder who does not seek treatment.”
Despite easing restrictions regarding consent for TPO purposes, a specific patient consent or Part 2-compliant court order is still required for uses or disclosures of Part 2 records and testimony in civil, criminal, administrative and legislative proceedings against patients.
The final rule emphasizes that most uses and disclosures under Part 2 are permissive and not mandatory. These protections will help lessen patients’ concerns regarding criminal repercussions from openly sharing about their SUD and allow health care providers to develop the most appropriate treatment plan.
As providers know, confidentiality is the cornerstone of any treatment relationship. Protecting patient privacy and confidentiality builds trust between providers and patients and helps facilitate access to and improve the quality of health care services. By maintaining more stringent protections for Part 2 information, patients receiving SUD services can be more comfortable sharing information about past and current substance use without fear of the information being disclosed and potentially used against them by police, landlords, employers, judges, social workers or family members. While helping to mitigate these concerns as a barrier to accessing care, the amended Part 2 regulations will also allow for increased collaboration and care coordination, leading to better treatment outcomes.
References:
- Confidentiality of substance use disorder (SUD) patient records. https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records. Accessed Oct. 1, 2024.
- Part 2 — Confidentiality of substance use disorder patient records. https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2. Accessed Oct. 1, 2024.