The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2

Posted By on Nov 29, 2022

The Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) have issued a Notice of Proposed Rulemaking (NPRM) detailing changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to increase care coordination and better align Part 2 with the HIPAA Privacy Rule, as required by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Part 2 protects patient privacy and records related to treatment for SUD and the HIPAA Privacy Rule is concerned with the privacy of protected health information (PHI); however, SUD records are treated differently from other types of PHI. The HIPAA Privacy Rule permits disclosures of protected health information without consent for treatment, payment, or healthcare operations, but Part 2 imposes greater restrictions on disclosures of SUD records. Generally, SUD records can only be disclosed by a SUD treatment provider if consent to do so is obtained from the patient. Further, even with a valid consent form, SUD treatment providers must include a written statement that the information cannot be redisclosed. This is because SUD records are particularly sensitive due to the stigma of substance abuse and the potential discrimination, which can potentially result in loss of insurance and employment.

Having to treat PHI and SUD records differently is problematic as it creates barriers to information sharing that is in the best interests of patients and the dual compliance obligations creates compliance challenges for regulated entities. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” HHS Secretary Xavier Becerra, hence the need for better alignment of Part 2 with the HIPAA Privacy Rule. It is important, however, to ensure patient privacy, as any lessening of the protections for SUD records could deter individuals suffering from SUD from seeking treatment, which could have life-threatening consequences.

The proposed rule strikes a balance between the need for strong privacy protections and having the flexibility to allow information sharing to improve care coordination. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The key changes in the NPRM are:

  • Permitted use and disclosure of Part 2 records will be based on a single patient consent. Once that consent is given, it covers all future uses and disclosures for treatment, payment, and healthcare operations.
  • Redisclosure of Part 2 records will be permitted – with certain exceptions – if redisclosure is permitted by the HIPAA Privacy Rule.
  • Patients are given new rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have been expanded.
  • The HHS has new enforcement authority and can impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act
  • Part 2 programs must establish a process to receive complaints about Part 2 violations, those programs are prohibited from taking adverse action in response to complaints, and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Breach notification requirements to the HHS and affected patients for Part 2 records will be aligned with the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address the uses and disclosures of Part 2 records and individual rights with respect to those records.

The HHS and SAMHSA are encouraging healthcare industry stakeholders and the public to submit comments on the proposed changes. To be considered, they must be submitted within 60 days of publication of the NPRM in the Federal Register. The expected publication date is 12/02/2022. A fact sheet on the proposed changes has been published on the HHS website.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist