The Health Lawyer | February 2025

Big Questions Remain After HHS Overhauled Substance Use Disorder Confidentiality Regulations

Adam H Greene

Summary

  • In February 2024, the U.S. HHS OCR revised the Confidentiality of Substance Use Disorder Patient Records rule at 42 C.F.R. part 2 to bring part 2 into closer alignment with HIPAA.
  • These changes are the most significant to that regulation in its long history.
  • The risks under part 2 may be about to increase significantly, and an important question remains about how to interpret the new amendments.

While the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are most frequently associated with federal medical privacy, they are not the only game in town. For almost 50 years, the federal government has had even more stringent privacy protections for substance use disorder (SUD) records. In February 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) revised the Confidentiality of Substance Use Disorder Patient Records rule at 42 C.F.R. part 2 to bring part 2 into closer alignment with HIPAA. While somewhat overshadowed by subsequent OCR rulemaking, the recent changes to part 2 are the most significant to that regulation in its long history, the risks under part 2 may be about to increase significantly, and an important question remains about how to interpret the new amendments.

History of Part 2—The Other Federal Medical Privacy Law

Decades before Congress enacted HIPAA, it enacted confidentiality protections for alcohol abuse treatment records in 1970 and drug abuse treatment records in 1972. These statutes led to the initial publication of the part 2 rule on July 1, 1975.

Part 2 provides for the confidentiality of SUD records created by a federally assisted “program,” known as a “part 2 program.” There are three types of “programs” under part 2:

(1) A person (other than a general medical facility) that holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment (such as a facility specializing in SUD treatment or behavioral health); or

(2) An identified unit within a general medical facility that holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment (such as an addiction treatment or inpatient psychiatric unit of a general hospital that holds itself out as providing SUD services); or

(3) Medical personnel or other staff in a general medical facility whose primary function is the provision of SUD diagnosis, treatment, or referral for treatment and who are identified as such providers (such as an emergency department clinician who is known to primarily perform SUD screenings or provide SUD detoxification services).

A program is federally assisted if:

(1) It is conducted in whole or in part by a U.S. department or agency;

(2) It is being carried out under a license, certification, registration, or other authorization granted by any U.S. department or agency, including: (i) a participating provider in the Medicare program; (ii) authorization to conduct maintenance treatment or withdrawal management; or (iii) registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders;

(3) It is supported by funds provided by any U.S. department or agency by being: (i) a recipient of federal financial assistance in any form, including financial assistance that does not directly pay for the SUD services; or (ii) conducted by a state or local government unit which, through general or special revenue sharing or other forms of assistance, receives federal funds which could be (but are not necessarily) spent for the SUD program; or

(4) It is assisted by the IRS through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program.

Part 2 applies to a “record,” which is any information created, received, or acquired by a part 2 program and relating to a patient. Part 2 restricts the use or disclosure of records that would identify a patient as having or having had a SUD and that contain SUD information obtained by a part 2 program.

Part 2 not only applies to part 2 programs, but it also extends to anyone who receives part 2 records in conjunction with a notice identifying the records as subject to part 2.

While the HIPAA statute provides HHS with broad discretion to create privacy standards, part 2’s authorizing statute, now found at 42 U.S.C. § 290dd-2, is far more restrictive. It historically has required a patient’s consent for the disclosure of part 2 records, with the only exceptions being:

(1) To medical personnel to the extent necessary to meet a bona fide medical emergency;

(2) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner; or

(3) If authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause, including the need to avert a substantial risk of death or serious bodily harm.

As a result of the statute’s limited exceptions, part 2 has always been substantially more stringent than the HIPAA Privacy Rule. For example, part 2 does not permit uses and disclosures for treatment, payment, or healthcare operations (TPO) without a patient’s consent, other than disclosures to medical personnel for bona fide medical emergencies.

The result has been very strong safeguards for patients, but substantial operational challenges for part 2 programs and lawful holders. For example, electronic health record (EHR) systems have often made it difficult if not impossible for healthcare providers to prevent the disclosure of SUD information in problem lists and medication lists as part of routine treatment disclosures. Additionally, part 2 historically has included very stringent consent requirements, generally requiring that a consent specifically name each recipient (rather than merely identifying a class of recipients). This has potentially led to “consent fatigue,” where a part 2 program must obtain a new consent from a patient for virtually every TPO disclosure.

Part 2’s operational challenges have led to industry calls for Congress and HHS to more closely align the rule with the HIPAA Privacy Rule. HHS could not make such changes absent changes to the statute, since the statute sets forth the limited circumstances in which a part 2 program may disclose part 2 records without a patient’s consent. As the opioid crisis hit epidemic proportions, Congress struggled with whether easing part 2 restrictions was necessary to better integrate SUD services with other healthcare, or whether relaxing confidentiality requirements could have an adverse effect on patients seeking treatment. After numerous failed legislative efforts to reform part 2, Congress finally amended 42 U.S.C. § 290dd-2 in 2020 as part of the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act).

The CARES Act revised 42 U.S.C. § 290dd-2 in the following manner:

  • Provides that, once the patient consents, a HIPAA covered entity, HIPAA business associate, or part 2 program may use or disclose part 2 records for TPO, and then the part 2 records may be redisclosed in accordance with HIPAA
  • Permits a patient to provide consent once for all future TPO uses and disclosures of the patient’s part 2 records
  • Applies HIPAA’s accounting-of-disclosures requirements to disclosures of part 2 records based on a patient’s consent
  • Applies to part 2 records the HIPAA provision permitting a patient to restrict disclosure to a health plan for payment or healthcare operations if the patient pays out-of-pocket for the healthcare
  • Permits disclosure of de-identified information from part 2 records to a public health authority without the patient’s consent
  • Generally prohibits use or disclosure of part 2 records in a civil, criminal, administrative, or legislative proceedings against the patient
  • Applies HIPAA’s civil and criminal penalties to part 2 violations
  • Prohibits certain discrimination based on part 2 records
  • Applies HIPAA’s breach notification requirements to a breach of part 2 records

2024 Amendments to Part 2

In response to the CARES Act’s requirements, OCR, in conjunction with the HHS Substance Abuse and Mental Health Services Administration (SAMHSA), published a final rule amending part 2 on February 16, 2024. The fact that OCR took the lead in the rulemaking is itself noteworthy, as OCR has not previously promulgated part 2 regulations. OCR’s involvement reflects that the amendments are focused on more closely aligning part 2 with HIPAA.

One of the final rule’s most helpful changes is amending part 2’s consent requirements, more closely aligning them with HIPAA. For example, a consent now may describe a “class of persons” as recipients, providing significantly more flexibility. For the required description of the purpose of the use or disclosure, part 2 explicitly permits a description of “for treatment, payment, and health care operations.” Consistent with the CARES Act, while part 2 generally requires an expiration date or expiration event, none is needed if the purpose of the consent is for TPO. A consent for treatment, payment, or healthcare operations, however, also must specify: (1) the potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by part 2; and (2) the consequences to the patient of a refusal to sign the consent (e.g., whether the consent is a requirement to receive treatment). The word “or” in the preceding sentence matters because it is unclear whether recipients generally no longer need to comply with part 2 requirements if a consent permits treatment, payment, or healthcare operations, but not all three (discussed further below).

The final rule also amends the language that must accompany a disclosure made with a patient’s consent. Part 2 has always required disclosures made with a patient’s consent to include a notice informing the recipient that the records are subject to part 2. The revised language now includes certain exceptions, providing:

[T]he Federal rules prohibit you from making any other use or disclosure of this record unless at least one of the following applies:

(i) Further use or disclosure is expressly permitted by the written consent of the individual whose information is being disclosed in this record or as otherwise permitted by 42 CFR part 2.

(ii) You are a covered entity or business associate and have received the record for treatment, payment, or healthcare operations, or

(iii) You have received the record from a covered entity or business associate as permitted by 45 CFR part 164, subparts A and E.

The amendments also revise the requirements applicable to recipients of part 2 records. If a patient provides a written consent for a use or disclosure of part 2 records, then, “[w]hen disclosed for treatment, payment, and health care operations activities to a covered entity or business associate, such recipient may further disclose those records in accordance with the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.” (Emphasis on “and” added.) At a minimum, the new language means that if a patient’s consent includes treatment, payment, and healthcare operations and the recipient is a HIPAA covered entity or business associate (a HIPAA Regulated Entity), then the recipient may treat the part 2 records as any other protected health information (PHI) under HIPAA (except for the limitation on use and disclosure for proceedings against the patient). As referenced above, however, a consent must inform the patient that the part 2 records potentially lose part 2 status if disclosed for treatment, payment, or healthcare operations. Likewise, the notice accompanying a disclosure indicates that a HIPAA Regulated Entity is not restricted from further use or disclosure if it receives the records for treatment, payment, or healthcare operations. This leaves the question of whether a HIPAA Regulated Entity generally may treat part 2 records the same as any other PHI under HIPAA if it receives records pursuant to a limited consent that permits only treatment, only payment, or only healthcare operations. Or must the HIPAA Regulated Entity confirm that the consent permits all three activities: treatment, payment, and healthcare operations?

For example, if a patient only consents to disclosure to a specific health plan for payment purposes, then it is not clear whether the health plan may treat the information as PHI under HIPAA (with the only limitation beyond HIPAA being that the health plan may not use or disclose the part 2 records for proceedings against the patient), or whether the health plan must segregate the records as part 2 records subject to substantially more restrictions than HIPAA. Because of the substantial operational challenges involved in maintaining stringent part 2 restrictions, the answer to this question has large compliance implications.

It can be argued that the language permitting HIPAA Regulated Entities to generally treat part 2 records as PHI under HIPAA is intended to apply to all records received for TPO purposes, even if the consent did not specify all three activities. There is a risk, however, that HHS could take a narrower interpretation, instead applying the broad HIPAA permission only when the patient consents to all three TPO activities. For example, in a fact sheet explaining the new rule, OCR stated that a patient may provide a “single consent for all future uses and disclosures for treatment, payment, and health care operations” and that HIPAA Regulated Entities that receive records “under this consent” may disclose them in accordance with HIPAA regulations (suggesting that a more limited TPO consent that does not authorize all three activities would not permit broad redisclosure under HIPAA).

The 2024 amendments also include:

  • Miscellaneous stylistic changes to more closely conform part 2 to HIPAA, such as referencing “use and disclose” (or some variation) throughout rather than only referencing disclosures and incorporating certain HIPAA definitions;
  • Imposition of HIPAA’s civil and criminal penalties on part 2 violations (part 2 previously was subject only to criminal penalties, with statutory changes making the amount and enforceability of such criminal penalties uncertain);
  • Application of the HIPAA breach notification requirements to breaches of part 2 records;
  • Revised requirements for part 2 notices of privacy practices to patients (which are separate from the HIPAA notices of privacy practices, although a part 2 program can combine the two notices);
  • Clarification that, while part 2 does not prohibit giving a patient access to their part 2 records, information obtained through such access is subject to the restriction on using or disclosing the part 2 records to initiate or substantiate any criminal charges against the patient or to criminally investigate the patient;
  • Consistent with HIPAA, a patient’s right to an accounting of disclosures with respect to part 2 records, including TPO disclosures (but with the compliance date for part 2’s accounting-of-disclosures requirements tolled until HIPAA’s accounting-of-disclosures requirements are amended in accordance with the Health Information Technology for Economic and Clinical Health Act of 2009, which were proposed in 2011 but never finalized); and
  • Consistent with HIPAA, a patient’s right to request a restriction on uses and disclosures for TPO, including a right to restrict disclosure to a health plan for payment or healthcare operations purposes when the patient pays for a healthcare service out of pocket.

The final rule includes some other, smaller amendments not addressed in this article.

The amendments became effective April 16, 2024, with a compliance deadline of February 16, 2026. This means that part 2 programs and “lawful holders” of part 2 records may take advantage of the beneficial changes now, but need not come into compliance with the more onerous obligations until 2026.

The Impact of the 2024 Part 2 Amendments

Many in the healthcare sector have been advocating for part 2 amendments to better align part 2 with HIPAA for some time. They generally have welcomed the 2024 amendments. The amendments, however, may be a wolf in sheep’s clothing.

While the revisions to the consent form are especially helpful, the overall risk under part 2 may be increasing after the compliance deadline of February 16, 2026. This is for two reasons: (1) increased visibility into part 2 breaches and (2) increased availability of penalties.

Historically, there has not been any obligation for a part 2 program or lawful holder to act if it learns of a part 2 violation. After the compliance deadline, however, a part 2 program or lawful holder will need to provide breach notification to affected individuals, HHS, and potentially the media if it learns of a part 2 violation and determines that the incident qualifies as a “breach.” This new level of transparency about noncompliance is likely to lead to an increased risk of regulatory scrutiny and enforcement.

Second, in the nearly 50 years that part 2 has been in place, there does not seem to have been a single enforcement action. This is because the primary means of enforcement was criminal penalties that only the Department of Justice could bring. With limited resources, likely a limited understanding of the complex rule, and recent statutory ambiguities surrounding the appropriate fine for a violation, it is not surprising that—to our knowledge—the Department of Justice has never brought an enforcement action under part 2. Under the amendments, however, HHS may bring civil penalties pursuant to HIPAA and criminal penalties are now clear (the same as for HIPAA). It is not yet known which HHS agency will enforce part 2—potentially OCR—but it seems likely that such an agency will be more inclined to bring civil penalties using known HIPAA mechanisms than the Department of Justice has been to bring criminal penalties in the past. Accordingly, the risk of penalties under part 2 is likely to substantially increase.

Historically, one of the biggest challenges with part 2 has been operationalizing its stringent requirements. EHR vendors seemingly do not design their systems around keeping part 2 records completely compartmentalized. As a result, part 2 programs historically have been unable to ensure full compliance with part 2 unless they maintain paper records or a separate electronic record system. In the past, this compliance challenge posed limited risk due to a lack of part 2 enforcement. Going forward, however, the risk of enforcement is likely higher. Accordingly, over the next year it is imperative that part 2 programs work with their EHR vendors to identify solutions for properly locking down part 2 records in accordance with part 2.

What is less clear at this time is the impact on HIPAA Regulated Entities that are not part 2 programs. Compliance with part 2 restrictions is even more difficult for these entities, because they are less likely to have systems that are designed to further limit the use and disclosure of part 2 records that they receive. If the 2024 amendments are interpreted to mean that HIPAA Regulated Entities that receive part 2 records for treatment, payment, or healthcare operations may redisclose those records as permitted by HIPAA (other than uses and disclosures for proceedings against the patient), then the 2024 amendments’ impact will be reduced compliance obligations and significantly reduced risk. In contrast, if the permission for HIPAA redisclosure applies only to the extent that patients consent to all three activities (treatment, payment, and healthcare operations), then HIPAA Regulated Entities will need to fully comply with part 2 for records received based on more limited consents and likely will face a heightened enforcement risk under the amendments. Until we receive further clarity on this question, the true impact of the 2024 amendments will remain uncertain.