The Department of Health and Human Services (“HHS”) has proposed amendments to the Confidentiality of Substance Use Disorder Patient Records Rule, 42 CFR part 2 (the “Part 2 Rule”) with a comment deadline of January 31. The proposed amendments are intended to improve the Part 2 Rule in a number of respects, but they will also significantly raise risk for entities that create or receive substance use disorder (“SUD”) records that are subject to the rule (“Part 2 Records”). The proposed amendments would add new breach notification obligations and provide for increased enforcement and penalties for non-compliance. We recommend that entities that are subject to the Part 2 Rule consider submitting comments by the January 31st deadline, both supporting improvements to the rule and identifying areas where compliance will be difficult, if not impossible.
The Part 2 Rule sets forth strict privacy and security obligations on SUD records created by certain federally assisted programs (“Part 2 Programs”). It is more stringent than HIPAA, generally requiring patient consent for disclosures of Part 2 Records for treatment, payment, and health care operations. This has caused challenges for patients, Part 2 Programs, and recipients of Part 2 Records. The restrictions on consent forms (currently requiring the naming of a specific entity, rather than a class of entities) have purportedly led to patients becoming overwhelmed with multiple consent documents. A primary challenge for Part 2 Programs has been sufficiently locking down Part 2 Records, with limitations of electronic health record (“EHR”) systems often making this difficult if not impossible.
Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) directs HHS to substantially revise the Part 2 Rule in a number of respects. Most significantly, it directs that:
- patients can provide a general consent for the use and disclosure of their Part 2 Records for treatment, payment, and health care operations, after which the information may be redisclosed in the same manner as other protected health information as permitted by the HIPAA regulations;
- patients have a right to an accounting of certain disclosures of their Part 2 Records;
- the HIPAA Breach Notification Rule will apply to violations of the Part 2 Rule;
- violations of the Part 2 Rule will be subject to HIPAA’s civil and criminal penalties; and
- absent the patient’s consent, Part 2 Records may not be disclosed or used in any civil, criminal, administrative, or legislative proceeding against the patient.
HHS’s proposed amendments to the Part 2 Rule (the “Proposed Rule”) would make the most substantial changes to the regulation since HHS first promulgated the rule in 1975, including:
- Modifying consent requirements to permit identification of a class of persons authorized to receive Part 2 Records, rather than requiring a specific name, and to permit a general patient consent for treatment, payment, and health care operations;
- Making changes throughout the Part 2 Rule to better conform its language to the HIPAA regulations, such as referring throughout to “use and disclosure” (although the Part 2 Rule defines “use” and “disclosure” differently than under HIPAA);
- Adding an accounting of disclosures requirement for certain disclosures of Part 2 Records, including those made for treatment, payment, and health care operations through an electronic health record;
- Applying the HIPAA Breach Notification Rule to breaches of unsecured Part 2 Records; and
- Applying HIPAA civil and criminal penalties to violations of the Part 2 Rule.
Of note, we are not aware of an instance in which the Part 2 Rule has been enforced in the more than 45 years that it has been in effect. We expect that this is because enforcement was primarily limited to prosecution by US attorneys, with such prosecutors unlikely to spend their limited time and resources on enforcing the Part 2 Rule unless violations were particularly egregious. This is likely to change after the Proposed Rule is finalized, with breach notification requirements bringing Part 2 Rule violations to the attention of HHS, and HHS likely to impose civil monetary penalties for some violations (potentially in conjunction with HIPAA violations).
We encourage Part 2 Programs and other recipients of Part 2 Records to comment in support of many of the proposed changes, such as the revisions to the Part 2 Rule’s consent requirements and changes that better reconcile the Part 2 Rule and HIPAA. We believe that these changes will have a positive impact on regulated entities while also relieving patients of “consent fatigue.” Patients will retain substantial control over how their SUD records are used and disclosed and can more easily authorize the use and disclosure of their records for treatment and care coordination while remaining confident that they are safeguarded by restrictions on the use or disclosure of their records in adverse civil or criminal proceedings.
With the risk of enforcement likely to increase significantly, however, we encourage Part 2 Programs and recipients of Part 2 Records to identify any challenges that they will continue to face in operationalizing compliance with the Part 2 Rule. For example, if EHR systems make it difficult to adequately lock down Part 2 Records, we recommend bringing this to HHS’s attention. We are aware of instances where SUD information can be marked as confidential but remains available to other EHR users through medical or problem lists, with the Part 2 Program unable to exclude SUD information from such functionalities. Additionally, features such as centralized appointment scheduling may make appointments with Part 2 Programs viewable by schedulers in other parts of a health system. Another issue may be that a recipient of Part 2 Records may not have visibility into what consent document the patient signed, making it difficult to track what SUD information may be treated like other protected health information and what SUD information must be further locked down. Entities may find compliance further complicated by the proposed amendments, having to maintain three separate buckets of information: (1) protected health information that is not subject to the Part 2 Rule; (2) SUD information that may not be used or disclosed for treatment, payment, and health care operations; and (3) SUD information that may be used and disclosed for treatment, payment, and health care operations but may not be disclosed to law enforcement or courts in certain circumstances.
Finally, we encourage entities to request that Congress and HHS consider: (1) further changes to allow uses and disclosures of Part 2 Records where necessary to ensure patient safety, such as in problem and medication lists to avoid adverse drug reactions or inappropriate prescription of opioids; (2) requiring certified EHR technology to fully support Part 2 compliance so that information can be readily identified as Part 2 Records and facilities, units, or individuals can be readily identified as Part 2 Programs, with resulting Part 2 Records automatically locked down in compliance with the Part 2 Rule; and (3) exercising enforcement discretion not to bring enforcement actions against regulated entities for violations caused by EHRs’ technical limitations until technology is in place to ease compliance challenges.