HHS Releases Final Rule on 42 CFR Part 2

On February 8, 2024, the U.S. Department of Health and Human Services (HHS) released the final rule modifying the Confidentiality of Substance Use Disorder (SUD) regulations under 42 CFR Part 2. The rule implements Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, requiring HHS to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH). 

The primary aim of the CARES Act was to ease restrictions on the use and disclosure of protected SUD information. The final rule fulfills this purpose with the following changes to Part 2.

1. Consent on Use and Disclosure: The rule allows a patient to provide single consent for all future uses and disclosures of SUD records, except for SUD counseling notes, for treatment, payment, and health care operations. Each disclosure of SUD records with patient consent must be accompanied by a copy of the patient consent form or a clear explanation of the scope of the patient consent for the use or disclosure. 

The rule defines SUD counseling notes as clinician notes that analyze conversations in SUD counseling sessions which the clinician voluntarily maintains separate from the rest of the SUD records. Use and disclosure of SUD counseling notes require specific consent from a patient and cannot be used or disclosed under a broader patient consent in alignment with the use and disclosure provisions in HIPAA for psychotherapy notes.

HIPAA covered entities and business associates who obtain SUD records with patient consent for treatment, payment, or health care operations may redisclose the records according to standard HIPAA regulations. However, the records still may not be used in legal proceedings without the patient’s specific consent or court order. Patient consent for the use and disclosure of records for civil, criminal, administrative, or legal proceedings may not be combined with patient consent for other uses or disclosure, including those for treatment, payment, and health care operations.

Additionally, SUD records may be disclosed without patient consent to public health authorities, provided that the records are disclosed and de-identified according to HIPAA privacy rules.

2. Complaints: The rule gives patients a right to file a complaint directly with HHS for alleged violations of Part 2.

3. Penalties and Safe Harbor: The rule updates the penalties for wrongful use and disclosure of SUD records to align with the civil and criminal penalties of HIPAA. Civil penalties under the new rule range from a fine of $25,000 to $1,500,000 during a calendar year. Criminal penalties range from fines between $50,000 to $250,000 and/or imprisonment between one and 10 years.

The rule sets a limit on civil or criminal liability for investigative agencies acting with reasonable diligence to determine whether a provider is subject to Part 2 before demanding records during an investigation. To receive the safe harbor, investigative agencies are required to search for the facility in the Substance Abuse and Mental Health Services Administration (SAMHSA) database and check the provider’s Notice of Privacy Practices before requesting records to determine whether the provider is subject to Part 2.

4. Notice of Privacy Practices and Breach Notification: The rule requires SUD programs to adopt Notice of Privacy Practices that align with the Notice of Privacy Practices under HIPAA. Additionally, the rule requires SUD programs to follow the breach notification requirements of HIPAA in the event of a breach of SUD records.

5. Segregation of SUD Records: The new rule expressly provides that segregation of SUD records is no longer required.

6. Fundraising: The rule also creates a right for patients to opt out of receiving fundraising communications from Part 2 programs.

The final rule is expected to be published on February 16, 2024. Programs subject to Part 2 and HIPAA covered entities should review and update their related policies and procedures on the use and disclosure of SUD records. Furthermore, Part 2 covered entities should update all patient consent forms and notices of privacy practices to align with the new rule. If an entity has not done so, it should adopt and implement a breach notification policy and procedure that aligns with the requirements of HIPAA.

This blog was drafted by Kristen Petry, an attorney in the Spencer Fane Houston office. For more information, visit spencerfane.com.