For anyone who has tried to navigate the outdated and cumbersome regulations governing the use and disclosure of substance use disorder (SUD) treatment records, a major overhaul to these regulations may provide a clearer path to improve care coordination, eliminate barriers to access, and reduce the stigma that has historically accompanied SUD diagnosis and treatment. In a Final Rule published on February 16, 2024, the U.S. Department of Health and Human Services (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the HHS Office for Civil Rights (OCR), implemented comprehensive revisions to the existing Confidentiality of Substance Use Disorder Patient Records regulations contained in 42 C.F.R. Part 2 (Part 2). The Part 2 Final Rule implements provisions of the 2020 Coronavirus Aid, Relief, and Economic Security Act (CARES Act) and includes modifications proposed in the November 2022 Proposed Rulemaking. As required by changes to the underlying SUD confidentiality statute that the CARES Act made, the Final Rule aligns a variety of key aspects of Part 2 with corresponding HIPAA regulations, and attempts to reduce the administrative burden on both patients and providers by easing certain restrictions on the use and disclosure of protected SUD information. However, continuing differences between Part 2 protections and HIPAA requirements mean that regulated entities must continue to analyze compliance separately under each distinct regulatory framework. They will need separate, specialized strategies to ensure their use and disclosure of SUD treatment records comply with the updated Part 2 requirements.
Summary of key changes
From a compliance perspective, perhaps the most essential aspect of the amended Part 2 regulations is what the Final Rule did not change. Most notably, Part 2 programs must obtain written patient consent before sharing SUD treatment records protected under Part 2 for most purposes, including treatment, payment, and healthcare operations (TPO). This stands in contrast to HIPAA’s treatment of protected health information (PHI) that is not a Part 2 record, which can be shared for TPO purposes without patient authorization or consent. Note that most records that meet the Part 2 definition for patient identifying information (PII), as incorporated into the definition of Part 2 “record,” will also meet the HIPAA definition for PHI. However, because the definitions for Part 2 records and PHI are not identical, regulated entities should separately analyze whether a given record qualifies as a Part 2 record and/or PHI pursuant to these separate definitions. The requirement to obtain patient consent to share Part 2 records remains embedded in federal statute at 42 U.S.C. § 290dd-2. These statutory protections for SUD treatment information date back to a series of laws that were passed in the 1970s, starting with the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, which were intended to encourage people with alcohol and drug addictions to participate in treatment without fear that their treatment records would be used against them in criminal or civil proceedings. According to amendments to 42 U.S.C. § 290dd-2 under the CARES Act, HHS has taken several necessary steps to better align the Part 2 regulations with many corresponding regulatory requirements under HIPAA. However, the foundational consent requirement and related statutory protections for Part 2 information mean that SUD treatment records will continue to need to be treated differently from other PHI for as long as the underlying statutes continue to differ.
Despite these fundamental differences in how HIPAA and 42 C.F.R. Part 2 protect patient records, the latest Final Rule implements several changes to the Part 2 regulations that significantly enhance the alignment with HIPAA. This comprehensive revision of the Part 2 regulations also includes a wide variety of minor and technical edits. Some of the most significant changes to the Part 2 requirements include:
Updated terms and definitions
The Final Rule introduces or amends several key terms and definitions that expressly mirror corresponding terms under the HIPAA regulations, including “business associate” (BA), “covered entity,” “use,” “breach,” “treatment,” “payment,” and “health care operations.”
Many of these definitional changes have critical substantive implications. For example, the Final Rule amends the definition of a “qualified service organization” (QSO)—a service provider that contracts with a Part 2 provider and can receive Part 2 records without patient consent—to include BAs as defined under HIPAA. Two caveats apply: first, a BA can only be a QSO for a Part 2 provider that is also a covered entity under HIPAA, and second, the definition only applies to sharing Part 2 records that are also PHI. Examples of BAs include administrative service organizations and third-party administrators that process service claims on behalf of a health plan; pharmacy benefits managers and related delegated benefits management organizations; vendors to a provider that offer services including legal, accounting, and utilization management; and healthcare clearinghouses that translate claims from nonstandard formats into standard transactions on behalf of a healthcare provider and forward the processed transactions to a payer. According to the updated definition for a QSO under Part 2, any entity that qualifies as a BA under HIPAA can now also receive Part 2 records under a QSO agreement without needing specific patient consent. However, it is vital to consider several limits on the use and disclosure of Part 2 records shared with a QSO. First, the QSO’s ability to use and disclose Part 2 information is limited to the terms of the QSO Agreement. Second, the QSO can only redisclose Part 2 information to its contract agents to provide the services described in the QSO Agreement. Third, a contract agent of the QSO cannot further redisclose Part 2 information. This final restriction may be quite limiting in the context of complex business arrangements.
The Final Rule also excludes BAs and covered entities from the Part 2 definition of “intermediary.” Because Part 2 includes a variety of specific requirements for intermediaries, this definitional change significantly narrows the set of entities to which those requirements apply. For example, a health information exchange that is also a BA and a QSO for a Part 2 provider would not be subject to the intermediary requirements.
Another significant change is that Part 2 now defines the TPO terms (“treatment,” “payment,” and “healthcare operations”) to have the same meanings as they do under HIPAA. This is significant because under the amended Part 2 rules, where patients consent to the sharing of their Part 2 records for TPO purposes, most of the limits on use and redisclosure of those records under Part 2 now mirror the HIPAA protections for PHI that have been shared for TPO purposes.
Requirement to share the patient consent form along with the Part 2 records
Perhaps the most consequential requirement added by the Final Rule that was not proposed in the Notice of Proposed Rulemaking (NPRM) is a new obligation for a copy of the patient’s written consent to accompany each disclosure of a Part 2 record. HHS determined that this was necessary to ensure that recipients are aware of any limitation on use or redisclosure that the patient may have included in completing the consent form. The Final Rule does not address the fact that the consent form itself would constitute Part 2 information or the fact that, as a practical matter, significant updates will be needed to current electronic health records platforms and regulations governing standard transactions of such records to enable these consent forms to be attached to Part 2 records.
Patient consent to share counseling notes
Another new requirement under the Final Rule that the NPRM did not propose requires separate consent for using or disclosing SUD counseling notes. This requirement parallels the limits on sharing psychotherapy notes under HIPAA. Consent to share counseling notes cannot be combined with consent to share other Part 2 records for any other purpose.
Patient consent to share for TPO
For sharing Part 2 records with entities that are not QSOs and, therefore, require consent, the Final Rule permits sharing Part 2 records with a single patient consent for “all TPO purposes.” Where the patient grants blanket consent to share Part 2 records for TPO purposes, a recipient that is a BA or covered entity can use and redisclose the Part 2 records to the same extent as permitted by HIPAA (except where otherwise prohibited by Part 2, Subpart E, with regard to civil and criminal proceedings). Use and disclosure by other recipients would be governed by the consent form (again, except where otherwise prohibited by Part 2, Subpart E). This aligns Part 2 more closely with information-sharing practices under HIPAA and is intended to facilitate and enhance integrating a patient’s SUD treatment with their physical and mental health treatment.
New language added by the Final Rule also expressly states that covered entities and BAs are not required to segregate records or segment Part 2 data received from a Part 2 program based on a TPO consent. Nonetheless, recipients must still be able to identify records as Part 2 information, due to the ongoing need to comply with the prohibition on the use and disclosure of the records in investigations or proceedings against the patient, to ensure that the consent form is redisclosed along with any redisclosure of the Part 2 record, and to be able to operationalize any revocation of such consent.
Accounting of disclosures
The Final Rule creates a new right for Part 2 patients to obtain an accounting of all disclosures made with consent for up to three years. Where a patient has provided blanket consent to share records for TPO purposes, the accounting must only identify disclosures made through an electronic health record in alignment with regulatory requirements under HIPAA that have been proposed but not finalized. The Final Rule signals that the compliance date for this Part 2 requirement will be tolled until the HIPAA Accounting of Disclosures provision is finalized.
Breach Notification obligations
The Final Rule incorporates HIPAA’s Breach Notification requirements for breaches of Part 2 records. This section also aligns data de-identification requirements with HIPAA.
Restrictions on use and disclosure for legal proceedings
To better protect patients from the unauthorized use of Part 2 records against them in civil, criminal, administrative, and legislative proceedings, the Final Rule significantly expands the restrictions on the use and disclosure of Part 2 records in such proceedings without patient consent. The Final Rule also creates a new limitation on liability for government agencies that investigate and prosecute Part 2 programs and unknowingly receive records subject to Part 2.